如何在/系统目录中自动修复恶意软件？ -- 5.0-lollipop 领域 和 malware 领域 android 相关 的问题

I bought a Lyf Flame 7 from Reliance Jio last september. It runs on Android Lollipop. My phone is not rooted and it has never downloaded any other apps from the internet except from the Play Store. Upto October it was working fine. In November I started seeing apps being downloaded automatically. My pre-installed antimalware app reported them to me and I uninstalled those downloaded apps. This happened in a 3 times/week frequency. Last week I found it again and then decided to look for any processes that might be downloading the annoying apps without my permission. It also started showing me pop up ads.

I found out that there's an app called "Wireless Update" and another called "flyee" and "fqad". I googled them and found out that Wireless update is a preinstalled system app in low end smartphones in Asia and it downloads random apps from the internet. I disabled it and found that it doesn't download files anymore. I later went to its settings and also stopped it from using mobile data to download apps automatically and to download only over wifi. I restricted its background data usage. Next morning I found out that there are a load of apps installed in my phone and the ram was totally eaten up. There were apps like a fake whatsapp, PhoneService, U Tobe(with youtube logo), flashlight, two fake phone apps and a lot of other apps. I figured that they were malware and the worst part was that I couldn't delete them. So they somehow managed a way to get root access to my phone and install them in the /system directory. They also started minimizing any apps that I am using.

Some other app also started downloading even more apps, and ads were popping up constantly. I force stopped them and disabled them only to find out most of them are enabled automatically. They were eating up the RAM and battery. I downloaded MalwareBytes and found that there were other apps installed as non-root too so I cleaned them up. But the /system apps couldn't be removed. I disabled downloads from third party and it stated downloading random apps from the play store one by one. To stop this I went into termux and generated a big 1.5 GB text file with random numbers in C++ to stop downloading any more apps. It couldn't download any more apps but then a new pop-up saying "Launcher Loading" came up and I couldn't use my phone. I couldn't open any apps or anything after the lock screen. This morning, I found out that the Launcher Loading pop-up is gone but a new problem came in. It started giving me alerts saying "Unfortunately PhoneService has stopped". And it goes on an endless loop. If for a moment, it's gone, another alert saying "Unfortunately Google Play Services has stopped" and the earlier alert appears. My phone is currently unusable and I cannot even make calls from it. What do I do? I am in a really serious problem. I tried booting in safe mode but didn't help.

Note: the following method is risky, you might delete core modules and your device will end up in bootloop or not booting at all. Do it at your own risk.

• You'll need to root your device and install BusyBox (from Google Play).

• Download Minimal ADB and fastboot

• Enabled USB debugging

• Install USB drivers

Open Minimal ADB and Fastboot tape the following :

adb shell  su mount -o remount, rw /system  cd /system/app ls (list all installed apps)  

or even better: lsattr (display all installed apps with their attributes).

Then using the rm command, delete any suspicious app, like following : rm com.exemple.malware.apk (tape the exact name displayed with ls command).

You may encounter some apps that refuse to be deleted with the rm command :

• First check their attributes with lsattr + com.app_name.apk i.e: -i-a--A com.app_name.apk

• Then remove those attributes with chattr -iaA + com.app_name.apk i.e: chattr -iaA com.app_name.apk

Finally you'll be able to remove them.

PS: Disable WiFi or data connection while doing this.

• You can post the output of installed apps here, and we'll check out what to remove or not.