• After 15+ years, we've made a big change: Android Forums is now Early Bird Club. Learn more here.

Trojan

Runarsson

Lurker
Hi All,

Today my wife's Galaxy S7 (with Android 8) started to behave strange. It started to want her to install Google Pay (and ask for credit card number) and various things stopped working correctly. It also showed a second Chrome icon (looked a little bit different than the other one).
We suspected something malicious, so we tried to run through with different antivirus apps. Bitdefender picked up a 'Chrome.apk', that it got rid of, and 'Trojan.Banker.XO', which it cannot get rid of. We're not sure what it is or what it does, but we do trust Bitdefender's opinions to the fullest and would want to get rid of it before we use that phone for any more logins or bank stuff.

Anyone who can provide some help or further info about it (i.e. other than total factory reset)?
 
"Trojan.Banker.XO" may not be the name of a specific app but the name of the malware contained in one of the apps, or the name that Bitdefender assigns to a particular trojan or group of trojans (a "trojan" is a class of malware that hides inside another app - like Odysseus' fighters in the Trojan horse - and is the main type of malware you need to worry about on Android). So almost certainly you have at some point installed an app that contains malware designed to steal banking details.

So what happens when you try to get rid of it? I'm not familiar with Bitdefender on Android, so a detailed description of what you see may be helpful. You could also try a different app, such as MalwareBytes, and see whether that can detect and remove it.

I'm assuming that the phone is not rooted (if it is then you cannot assume that a factory reset would be sufficient, since if malware can infect the system rather than a user app it will survive a reset). On an unrooted phone the commonest way that an app can resist removal is if it has been assigned as an administrator. If so, search settings for "administrator" or "admin" apps to find the list of apps with this privilege, and if the one you are trying to remove is on the list you can disable its admin access, after which it can simply be uninstalled. But I doubt you are looking for an app called "trojan.banking.xo", but rather there will be some other app that contains that. Does Bitdefender tell you anything about what app is infected?
 
I've heard of Trojan Banker for Windows. There's a few YouTube videos about removing it from Android.

I would let your bank know, and maybe they can lock your account until the issue is resolved. I would do a factory reset without any backup files and then check again for the Trojan.
 
The actual 'problem' is solved, in a better (and simpler) way. Instead of a painful factory restore I'll buy her a new phone. I stumbled on a very low priced (refurbished) Galaxy S9, so I bought that. I know that's not the newest Galaxy either, but everything about it will still be better than her S7... and when it didn't cost more than $170, it's an easy choice. But I can still answer your (Hadron) questions.

So what happens when you try to get rid of it?
Malwarebytes was on our 'list'. We tried AVG, Avast, McAfee and Bitdefender. Bitdefender (and now also McAfee) have picked it up as threat and showed which app (not surprisingly that second Chrome), but none of them can touch it.
Some actions I could want in the settings had been disabled. Ex Device maintenance (to see battery usage/memory usage) and opening app details in Apps closed the settings completely.

Edit (30 minutes later):
NOW I have played with it a little more though. One thing it did was showing that 2 apps were running in the background when rebooted, Chrome and Bitdefender. Remembering that Bitdefender didn't work in Safe Mode when I tried before, I tried to see if this false Chrome was blocked there too... and it was. So in Safe Mode I could simply uninstall it in Settings. After doing this, both Bitdefender and McAfee say it's clean and all the weird behaviour has stopped.

But I still have to buy her that S9, since I have told her about it... 😊
 
Once I had over 600 Trojans for my windows, it is a very dangerous game. It was so hard to send it to the electronic people and give them, to ask them to wipe it all clean away. I done a complete wipe through my comp, took me up to the wire of sending it to them, pretty close to about five hours.
 
Back
Top Bottom