
Help: Can I replace the bootloader (fastboot)? I think mine's got malware!

LozHensel

Newbie
After my trials and tribulations reported in this thread and this thread I think I may have found the cause of the problem and it's not pretty!

This article suggests there is a new breed of malware that, if I'm reading it right, can infect the bootloader itself! I don't think I've got one of the three mentioned there specifically (though I might have), but I think I've got something similar.


Just to reiterate my specs, if they're relevant, I have an iNew L4 running Android 5.1 on Giff Gaff (which always detects as O2 for some reason) in the UK. It's not a phone supported by CyanogenMod... well... anything really, so compiling CyanogenMod or Android Open Source Project (AOSP), or Ubuntu Touch or something like that is by no means a certainty! The manufacturers unhelpfully do not have a publicly downloadable ROM either.

So can I somehow flash fastboot (I'm expecting it'll be a scary dd command to a usb port...)? If I compile CyanogenMod or something will it compile fastboot for the device or just for the desktop? Is it even possible?
 
You can't get malware that infects bootloaders so it's not that.

Are you absolutely sure the firmware you're trying to install from the needrom site is legit?

You're rooted, yeah? Have you tried using a system file manager (root explorer) to remove the infection manually?
 
I'm not 100% certain it's legit, but the virus scanner (AVL - other scanners don't seem to scan /system and don't detect anything wrong at all) is reporting the same virus name as before (android.waps.a) and the symptoms are the same. This happened before I rooted it*.

It is rooted now though (well it has been, I've flashed it again since then!) The problem is the apk that is showing as infected is LQLauncher3.apk, which from what I can figure out basically runs the user interface, so removing that is unlikely to be helpful. I haven't tried digging around inside the apk, actually. That's an idea. Is that what you meant?

Actually, if I were to install another launcher, and then delete the default one...

If that doesn't work then I probably *do* need to roll my own just to be sure, don't I?

* I suspect it happened when I enabled installing apks from other sources for some Android games I bought off Humble Bundle, but I don't really know - another article on the same topic suggests some infected apps made it into the Play Store!
 
As El Pres says, you can't infect the bootloader. There are rootkit trojans that can infect the ROM though, which is what that article is about (unlikely to meet these if you install apps from the Play Store, but tread carefully if you go to random download sites). Frankly, if the built-in launcher is infected I'd think it more likely it was infected out of the box than that the Humble Bundle contained malware.

So replacing the ROM would fix one of these, but don't underestimate the effort needed to build CM for a device nobody else supports. Also fastboot isn't something you flash to the phone or compile, it's a utility that can be used to flash images to partitions on the phone (if you have an unlocked bootloader).

GiffGaff don't have a network of their own, they just buy airtime off O2 and resell it. So my guess is that your device just doesn't know about GiffGaff and so is just identifying the network that they are piggy-backing on instead.

As for replacing the launcher, I'd advise you to install the new one as a system app (e.g. use Titanium Backup to change it to a system app) and make sure it is working (including after a reboot) before you think about removing the existing launcher. If you just install a new launcher, remove the old one, and then do a factory reset for any reason, you'll find yourself with no launcher at all.
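The precondition in the advice above (the replacement launcher must live on /system before the infected one is removed) can be checked from the output of `pm list packages -f`. The script below is an added example, not code posted in this thread or shipped with any launcher; the package names `com.example.lqlauncher3` and `com.example.newlauncher` and the sample `pm` output are constructed for illustration.

```shell
#!/bin/sh
# Added example: gate the "remove the old launcher" step on the new launcher
# already being a system app. Package names and sample output are constructed.
#
# The usual manual sequence for moving an APK to /system on an Android 5.x
# device with root (an alternative to the Titanium Backup route mentioned above):
#   adb root && adb remount
#   adb push newlauncher.apk /system/priv-app/NewLauncher/NewLauncher.apk
#   adb shell chmod 644 /system/priv-app/NewLauncher/NewLauncher.apk
#   adb reboot
# Afterwards, `adb shell pm list packages -f` is what the functions below parse.

# Constructed sample of `pm list packages -f` BEFORE the move: the new launcher
# is still a user app under /data/app.
SAMPLE_BEFORE='package:/system/priv-app/LQLauncher3/LQLauncher3.apk=com.example.lqlauncher3
package:/data/app/com.example.newlauncher-1/base.apk=com.example.newlauncher
package:/system/app/Settings/Settings.apk=com.android.settings'

# Constructed sample AFTER the move: the new launcher now lives on /system.
SAMPLE_AFTER='package:/system/priv-app/LQLauncher3/LQLauncher3.apk=com.example.lqlauncher3
package:/system/priv-app/NewLauncher/NewLauncher.apk=com.example.newlauncher
package:/system/app/Settings/Settings.apk=com.android.settings'

# pkg_location PKG: reads `pm list packages -f` output on stdin and prints
# "system" (APK under /system), "user" (anywhere else) or "missing".
pkg_location() {
  _pkg="$1"
  while IFS= read -r _line; do
    case "$_line" in
      "package:"*"=$_pkg")
        _path="${_line#package:}"
        _path="${_path%=$_pkg}"
        case "$_path" in
          /system/*) echo system ;;
          *)         echo user ;;
        esac
        return 0 ;;
    esac
  done
  echo missing
}

# ok_to_remove_old OLD_PKG NEW_PKG: reads `pm list packages -f` output on stdin.
# Succeeds (exit 0) only when NEW_PKG is installed on /system and OLD_PKG is
# still present, i.e. a factory reset would leave a launcher behind.
ok_to_remove_old() {
  _pm="$(cat)"
  _new_loc="$(printf '%s\n' "$_pm" | pkg_location "$2")"
  _old_loc="$(printf '%s\n' "$_pm" | pkg_location "$1")"
  [ "$_new_loc" = system ] && [ "$_old_loc" != missing ]
}

# Stand-alone demo: run the gate against both constructed samples.
for _sample in SAMPLE_BEFORE SAMPLE_AFTER; do
  eval "_text=\$$_sample"
  if printf '%s\n' "$_text" | ok_to_remove_old com.example.lqlauncher3 com.example.newlauncher; then
    echo "$_sample: new launcher is on /system, safe to remove the old one"
  else
    echo "$_sample: new launcher is NOT on /system yet, do not remove the old one"
  fi
done
```

On a real device, replace the constructed samples with `adb shell pm list packages -f` piped into `ok_to_remove_old`, and only proceed to delete the old APK when it succeeds; the "user" result is exactly the state in which a later factory reset would leave the phone with no launcher.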
 
Which Humble Bundle did you get? They're something I always pick up and I've never had any issues with any of them.

The install files are also directly from the game developers so it's unlikely they're infected.
 
It looks like it was called "Humble PC and Android Bundle 13"

edit: I apparently got it around August the 19th 2015. I don't think I ever disabled the option to install third party apks though, so that could have been the contamination vector even if it wasn't Humble Bundle itself.
 
It works!

Replacing the launcher worked! I've gone with Buzz Launcher because I have, mostly, and deleted LQLauncher3. It seems to be gone. Let's hope it stays that way!

Huge thanks to everyone - you've all been a huge help!
 