
Help New phone is replacing all SD card contents with "abcd.iso"

shame918

Lurker
I ordered a brand new phone, a UMIDIGI G1 Max, and everything was perfect, until it briefly lost contact with the 64GB SD card I had in it. The card contained about 46 GB of music and cartoons. Once the phone rediscovered the SD card it said its capacity was only 2 GB and all of its contents had been replaced with a single ISO file titled ABCD.iso. I have tried four different cards from four different brands and I've gotten the same results on all of them. Two of them were new and two of them were cards that I've used reliably for several months without a problem. Each time, after mounting the card, the capacity is listed as only 2 gigabytes and, whether it was empty or not, after formatting, there still exists the single .iso file titled ABCD.iso. I have not tried a factory reset because I only discovered this problem after creating about 150 links contained in folders on my homepage that I use for work, and the thought of having to redo it all again makes me sick! I searched high and low online for information about this particular situation, but all I can find is a ransomware virus by a similar name. I want to stress that my situation is not the ransomware virus titled ABCD! Although this may be related, this is something different than the ABCD ransomware virus. I appreciate any tips or insight you may be able to provide.
 
Well I'd not heard of this before, but a quick search reveals other cases, from different devices (not all even phones), some dating back years. Sadly very little information on cause or solution.

Normally if a card appears to have 64GB capacity initially and subsequently seems to have 2GB my first assumption would be a "fake" sd card: a small capacity card that is programmed to tell the phone it has a larger capacity and is then sold as a high capacity card (often priced cheaply for the capacity it is pretending to be). Usually the first sign of trouble with those is data corruption: the card exceeds its real capacity but the phone doesn't know, anything else that's written to it overwrites things that were already there. If you just have one card do this then I might wonder whether you had some glitch and it rebooted showing its real capacity, though why it would replace everything with an .iso I could not explain.

However, 4 cards doing the same thing, some of which had been used for some time, sounds unlikely. So I think it more likely this is a software problem.

I usually caution against assuming "malware" as the explanation for any oddity, but the fact that 4 cards of differing ages did the same thing means I can't rule it out. One thing you need to know is that your phone will assume that the card only has one partition, and the size of the first partition it finds is what it will report as the capacity of the card. So if something has repartitioned the cards, making a 2GB primary partition and doing who knows what with the rest, that would explain the card capacity appearing to change. Repartitioning like that, and filling the partition with an image, is not something that's going to happen accidentally, which is why I think we should consider malware as a possibility (the other option would be some very weird bug in the phone's operating system). If this is what's happened, whatever data were on those cards are lost anyway.

What can you do? Well if it is malware, and you trust UMIDIGI not to have installed the malware as a system app, then it probably got on your phone from something else you installed. In that case a reset would probably remove it, but you'd need to be careful what you reinstall afterwards or else you'll just recreate the problem.

There have been a few reports (several years ago) of people finding malware already installed on new UMIDIGI phones. Most are actually because the owner tried rooting them and the root tool they used was then detected as malware, but there seemed to be some discussion out there about whether one particular model (from 2016) did have malware in the ROM, or at least a backdoor that enabled unauthorised download of apps. That was the only model I found this for, but it does give me some slight concern that maybe the manufacturer is not wholly trustworthy (or at least very sloppy about security). The significance is that if the problem is in the ROM then a reset won't fix it. I still think it more likely that you installed an infected app yourself, and I'm still not certain the problem is malware at all, but I wanted to make you aware of all possibilities.

As for what to do with the cards, if you are feeling brave, have a computer and microSD card reader, and are comfortable playing with things like GParted live flash drives then you could look at the cards and find out whether my guess is right, i.e. that they have been repartitioned, and what has been done with the rest of the space if so. However, if the card has been repartitioned then any data that were on it are gone anyway, so this wouldn't really help you, except that you could use GParted to restore them to a single empty partition. If you do want to try to recover the cards though I'd be very careful, as you've no idea what is on that .iso: the reason I thought of a GParted live flash drive was that you would boot the computer from that rather than its own operating system and could make sure its own drive wasn't mounted before attaching the sd card, to minimise the risk of infection. The absolute safest thing would actually be to destroy the cards, but if you want to recover them I'd try something like that: I would not want to just plug those cards into a computer, as I've no idea what's on them (and if this is malicious someone could well put something nasty on the card just to catch someone who put the card into a computer to see whether their data could be recovered - which I do not think they can be).

The one thing that gives me hope that it might be some bizarre fault (or a run of really bad luck with fake cards) rather than malware is that one of the other reports of this I found seemed to involve a Nintendo 3DS rather than an Android phone, and it seemed very, very unlikely that there could be the same malware problem on a different platform. But since you can't ask questions of people who posted things several years ago I can't be sure that they've not left something important out of their story.

Sorry this does not provide a solution, and probably is the opposite of reassuring, but this isn't something I've met before and none of the other people who reported it seemed to have any ideas or found any answers. So all I can say is that if something was repartitioning the cards and loading an ABCD.iso onto that partition it would look like what you see, but without getting my hands on the cards I can't say whether that's actually what has happened, never mind what has done it. But I would be very cautious with those cards, and I'd be wary about trusting a phone that was doing something like that (because if it is malware you don't know what else might be going on).
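
The repartitioning hypothesis in the reply above can be checked from a card's first sector alone. The following is an added example, not part of the original posts: it parses a classic MBR partition table and compares the first partition with the device size. The sample MBR is constructed, and the function names, the 64,000,000,000-byte card size and the "under half the device" threshold are assumptions.

```python
import struct

SECTOR = 512                 # bytes per logical sector (usual for SD cards)
ENTRY = "<B3xB3xII"          # status, CHS, type, CHS, start LBA, sector count

def make_mbr(entries):
    """Build a constructed 512-byte MBR from (type, start_lba, sectors) tuples."""
    mbr = bytearray(SECTOR)
    for i, (ptype, start, count) in enumerate(entries):
        struct.pack_into(ENTRY, mbr, 446 + 16 * i, 0, ptype, start, count)
    mbr[510:512] = b"\x55\xaa"          # boot signature
    return bytes(mbr)

def parse_mbr(sector0):
    """Return the non-empty primary partition entries found in sector 0."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature: not an MBR")
    parts = []
    for i in range(4):
        _status, ptype, start, count = struct.unpack_from(ENTRY, sector0, 446 + 16 * i)
        if ptype and count:
            parts.append({"slot": i + 1, "type": ptype,
                          "start_lba": start, "sectors": count})
    return parts

def assess_card(sector0, device_bytes):
    """Compare what the partition table claims with the real device size."""
    parts = parse_mbr(sector0)
    if not parts:
        return {"partitions": [], "first_partition_bytes": 0,
                "unallocated_bytes": device_bytes, "shrunk": False}
    first_bytes = parts[0]["sectors"] * SECTOR   # what the phone would report
    end = max(p["start_lba"] + p["sectors"] for p in parts) * SECTOR
    return {"partitions": parts,
            "first_partition_bytes": first_bytes,
            "unallocated_bytes": max(0, device_bytes - end),
            # Assumed threshold: first partition covers under half the card.
            "shrunk": first_bytes < device_bytes // 2}

if __name__ == "__main__":
    card_bytes = 125_000_000 * SECTOR            # constructed "64 GB" card
    # Constructed table: one FAT32 (0x0C) partition of 2 GiB starting at LBA 2048.
    suspect = make_mbr([(0x0C, 2048, 4_194_304)])
    report = assess_card(suspect, card_bytes)
    print(report["first_partition_bytes"], report["unallocated_bytes"], report["shrunk"])
```

In practice `sector0` would be the first 512 bytes of a raw image of the card, taken from the isolated live environment the reply describes, and `device_bytes` the size of that image.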
 
Thank you for such an informative reply! I really appreciate you taking the time to look into it. I will check out GParted and see what I can accomplish with it. I've never heard of it before. I can confirm that the cards are not fake, well, three of them are true 64 gig, the fourth I can't be sure as it was brand new straight out of the package. I haven't permanently lost anything because it was full of music and videos that I already have backed up elsewhere. I'd like to understand what happened so I can prevent it from happening again. Anything I'm able to figure out I will post here to share with everyone. Thank you for the help!
 