|
snowpega (OP)
|
 |
April 12, 2026, 01:12:17 PM |
|
Hi there! Hope you're all doing well! A few days ago, I received a notification on my mobile phone that my mobile phone was attacked by a malicious app. This has happened multiple times, two to three times in the previous month, and one time this month. I am sharing the SS here so you guys can understand what kind of attack I am facing on my mobile phone. I am using an Android mobile phone. Other than this, whenever I received this notification, I instantly clicked the uninstall button. So, am I safe? I have turned on 2FA on my exchange accounts. And if not, how can I keep my mobile device safe from such an attack? As I don't join any kind of airdrops anymore, but I used to join back in time in 2023, it's already been too long since I last joined any single. So what is the reason behind such an attack? I will be waiting for a valuable response from community members. Thanks in advance!
|
|
|
|
Porfirii
Legendary
Offline
Activity: 2478
Merit: 3649
The Alliance Of Bitcointalk Translators - ENG>SPA
|
 |
April 12, 2026, 01:25:34 PM |
|
Hey snowpega, I'm sorry for that.
You say you have access to your exchange accounts in your smartphone. First of all I would recommend not to have large amounts there, and secondly not to have access with your smartphone to large amounts either through wallets installed there or custodial services of any kind. I personally have a few wallets installed with some small change just in case some day I want to make a little payment to a friend or something like that, but it is a good exercise to think that whatever you store in your smartphone will be lost at some point.
Apart from this general recommendation, let's see what more technical users have to say about your problem with this particular Trojan: if there is not much to lose, it may not be necessary to take further action. But keep my advice for the future in mind, especially if you plan to increase your crypto holdings, keep them away from your smartphone.
|
|
|
|
|
PostQuantumBTC
|
 |
April 12, 2026, 01:53:28 PM |
|
Do you have the 2FA application on your phone with the exchange applications? It is not good to have both together. If you can use the 2FA on another phone, it is the best. There is malware that can let hackers know the TOTP that the 2FA app is generating every 30 seconds.
Stop downloading unnecessary apps on your phone. Use a cold wallet if you have a huge amount in cryptocurrencies.
Do you have all your coins on exchanges? Do you use other wallets that are not mobile wallets? If you have all your coins on exchanges, it is a very bad idea.
You can only be careful on a phone, but they are online devices; offline wallets are the best.
|
|
|
|
|
Lucius
Legendary
Offline
Activity: 3934
Merit: 7312
www.marysmeals.org
|
 |
April 12, 2026, 01:58:56 PM |
|
If something informs you that you have a malicious app on your smartphone, then you probably have one of the built-in AVs - and I did a little research and it is possible that one of those AVs is giving false positive reports about some apps that are already on the phone itself. My advice is to review all the apps you have installed and pay special attention to those you installed before the problem started occurring.
|
|
|
|
notocactus
Legendary
Offline
Activity: 2968
Merit: 4927
Glory to Ukraine!
|
 |
April 12, 2026, 02:08:26 PM |
|
If something informs you that you have a malicious app on your smartphone, then you probably have one of the built-in AVs - and I did a little research and it is possible that one of those AVs is giving false positive reports about some apps that are already on the phone itself. My advice is to review all the apps you have installed and pay special attention to those you installed before the problem started occurring.
AVs can give false positive or false negative but if it shows an alarming security notification, it's always important to pay more attention to your device security and assume that it's no longer safe to use that phone, until a time you can clean up that device entirely or can confirm that it's a false positive notification.
bob123's post has more information on how AV analyzes malware.
Virustotal and any other AV software can only recognize malware by 2 approaches:
- Heuristics
- Behavior analysis
Regarding Heuristics: If the malware is either 1) new or 2) modified so that these AV's don't have it in their database yet -> No Heuristic to match the malware with.
Regarding Behavior analysis: If the malware does not run malicious code when being analyzed (can be done with multiple techniques, e.g. checking whether being run in a sandbox) -> Not triggering the behavior analysis.
Now, if we combine these two statements, it becomes clear that it is quite easy to create malware which is completely undetected from AV's (at least until enough people have been infected with it and AV's have manually reviewed and sigged the malware as such).
Using AV's (whether paid ones on your computer, or online services like virustotal) does only protect you against 1) known and very wide-spread malware and 2) malware created by script-kiddies or any other non-commercial cyber criminals.
I missed bob123, but hopefully he has been well since the Covid-19 pandemic.
Other than this, whenever I received this notification, I instantly clicked the uninstall button. So, am I safe?
If you are unsure, let's assume that you are unsafe and take action like your device was already compromised.
|
|
|
|
Upgrade00
Legendary
Offline
Activity: 2730
Merit: 2866
Community Manager - Brand Promotions ✅
|
 |
April 12, 2026, 03:05:22 PM |
|
Multiple virus alerts in a month is a valid reason for concern. Could be a false positive, but it's always safer to treat a threat as real when you're protecting your assets.
You can try doing a deep clean of your device and then logging back into your exchange accounts or any other account important to you. A lesser approach will be what has already been suggested: moving your 2FA and possibly your email accounts from the 'compromised' device to avoid having a single point of failure.
|
|
|
|
|
ImGenius
|
 |
April 12, 2026, 03:56:31 PM |
|
If you don’t have any funds in your non custodial wallet then you don’t need to worry so much. However you should still be very careful as these kinds of threats can steal your private information. If possible, it’s a good idea to reset your phone and change your email passwords to stay on the safe side. If possible, change your email in the exchange account to be extra safe.
|
|
|
|
|
Karl_3000
Full Member
 
Offline
Activity: 252
Merit: 142
The store of value
|
 |
April 12, 2026, 04:44:51 PM |
|
If you don’t have any funds in your non custodial wallet then you don’t need to worry so much
He has money on exchanges. What if the malware is a clipboard malware that can change the address he pastes to the hacker's address? He has to be worried. If it is me, I will make sure I format the phone. I do not leave what is very important on my phone, so formatting is what I do if I see things like this.
|
|
|
|
|
ImGenius
|
 |
April 12, 2026, 04:51:46 PM |
|
He has money on exchanges. What if the malware is a clipboard malware that can change the address he paste to hacker's address? He has to be worried.
If it is me, I will make sure I format the phone. I do not leave what is very important on my phone, so formatting is what I do if I see things like this.
I also think that way, that's why I recommend snowpega to reset his/her phone. Maybe you didn't read it all.
|
|
|
|
|
|
promise444c5
|
 |
April 12, 2026, 05:15:39 PM |
|
If you detect such and you aren’t really sure what exactly is going on, stop using and disconnect your device from the internet immediately. This won’t prevent the damage caused already if it’s truly a malware, but it would prevent further damage from being shipped or carried out.
Recover, sign back in to all necessary apps and services you’re using from another trusted device, change all that’s necessary including passwords before resetting the infected device.
|
|
|
|
|
DYING_S0UL
|
 |
April 12, 2026, 05:27:06 PM |
|
If something informs you that you have a malicious app on your smartphone, then you probably have one of the built-in AVs - and I did a little research and it is possible that one of those AVs is giving false positive reports about some apps that are already on the phone itself. My advice is to review all the apps you have installed and pay special attention to those you installed before the problem started occurring.
AVs can give false positive or false negative but if it shows an alarming security notification, it's always important to pay more attention to your device security and assume that it's no longer safe to use that phone, until a time you can clean up that device entirely or can confirm that it's a false positive notification.
Yeah it's very possible it's a false positive in OP's case. The only way to confirm our suspicion is to format the whole device to factory. Then immediately install that app (I would avoid .apk install, as well as unknown 3rd party sources, but only use Google Play Store in this case) which was being flagged as trojan. And have it rechecked again to see if it gets flagged or not. Apart from that, I don't know how we can be sure. Maybe use an external AV?
IMO, there can be two cases.
1. It's real malware/trojan
2. It's showing false positives due to AV, manufacturer, location, OS, ROM etc.
For example, see this below. This is my device. I have a CN variant phone, with the Chinese ROM, China region and all. And for some reason, it would always flag Binance as a malicious app, yeah not some unknown apps but an exchange known among the whole world probably. It would warn me multiple times. And not only that, there are many legitimate well known apps that show themselves as trojan, just because I think it's not an international variant phone, and these apps are banned there, and have no data on them (maybe).
For OP, if there isn't any important big sized data (excluding small data, passcode, documents), then he should give it a factory test and see how it goes.
|
|
|
BitMaxz
Legendary
Offline
Activity: 3948
Merit: 3594
DCA would work if consistent.
|
 |
April 12, 2026, 06:26:27 PM |
|
If you're using a Chinese phone, you're probably getting this malware/virus warning because the operating system was infected before being sold to users.
Do you remember "Hummingbad" or other malware hidden in the phone firmware? The majority of them are created by Chinese people and are intended to be used for marketing.
Those malware, I am sure, still exist on new Chinese phones, which is why I never use clones or Chinese phones.
@OP, would you mind telling us first the specs of your phone or the unit model of your phone so that we can give you the best solution for your current issue? I use the Samsung S series; I've never had such problems, even when I carelessly visit a malware-infested website.
|
|
|
|
ColdLava40
Full Member
 
Offline
Activity: 318
Merit: 126
Bitcoin
|
 |
April 12, 2026, 06:36:44 PM |
|
So what is the reason behind such an attack? I will be waiting for a valuable response from community members. Thanks in advance!
It's better you uninstall any third party apps you downloaded so you try to trace all Trojans. You can see the AV clearly stated what kind of malware the app is. Sometimes you might not even be the one who downloaded it but they still get installed. If you feel your device is unsafe I may advise you to clear up your device and manually reinstall all your important apps back again just to be clear.
|
|
|
|
uchegod-21
|
 |
April 12, 2026, 06:54:46 PM |
|
You say the notifications keep coming even after clicking the uninstall button? This is really a serious concern. You should also check if your mobile device is updated, as this helps fix some device vulnerabilities and gives you extra security. You can manually check your device settings and uninstall all suspicious and unknown apps you see, maybe including some apps you may have installed earlier.
My most honest advice is that you should get a separate device for your crypto dealings if you can. Having the same device where you download stuff online, install applications and share WiFi with unknown persons is very risky. If you have a separate device, it will help you reduce the exposure of your wallet to further risk. If I were you, I would move my coins first while trying to fix the issue.
|
|
|
|
PX-Z
Legendary
Offline
Activity: 2142
Merit: 1300
Wallet Transaction Notifier - @txnNotifierBot
|
 |
April 12, 2026, 09:31:11 PM |
|
Does your device have the Avast built-in app as AV scanner? It should just be a false positive; you can try to search Google for "android:evo-gen", some users got such a result too from their AV blockers using Avast. Although it is really described as a trojan, or even if it is a false positive, better to uninstall it. Then check your Apps in your settings and sort them by date installed and check for some suspicious apps that are newly installed that you never installed yourself. There should be one, and it's the reason why that app was installed again and again.
|
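The app review suggested in the post above (sort installed apps by install date and look for ones you did not install yourself), as an added example that is not part of the original thread: a Python script that reads text saved from `adb shell dumpsys package` on a computer, lists packages first installed on or after a given date, newest first, and flags those whose recorded installer is not the Play Store. The sample dump, the package names and the trusted-installer set are constructed assumptions, and the exact dumpsys layout varies between Android versions.

```python
import re
from datetime import datetime

# Assumption: only Google Play counts as a trusted installer; extend for your device.
TRUSTED_INSTALLERS = {"com.android.vending"}
# Constructed sample shaped like `adb shell dumpsys package` output (not a real device).
SAMPLE_DUMP = """\
Packages:
  Package [com.example.exchange] (1a2b3c):
    firstInstallTime=2025-11-02 09:14:51
    installerPackageName=com.android.vending
  Package [com.example.filetransfer] (4d5e6f):
    firstInstallTime=2026-04-09 23:41:07
    installerPackageName=null
  Package [com.example.notes] (7a8b9c):
    firstInstallTime=2026-03-15 12:00:00
    installerPackageName=com.example.browser
"""

PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
TIME_RE = re.compile(r"firstInstallTime=(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)")
INSTALLER_RE = re.compile(r"installerPackageName=(\S+)")


def parse_packages(dump):
    """Return {package: {"installed": datetime or None, "installer": str or None}}."""
    packages, current = {}, None
    for line in dump.splitlines():
        header = PKG_RE.match(line)
        if header:
            current = packages.setdefault(
                header.group(1), {"installed": None, "installer": None})
            continue
        if current is None:
            continue
        when, who = TIME_RE.search(line), INSTALLER_RE.search(line)
        if when and current["installed"] is None:  # keep the first time seen
            current["installed"] = datetime.strptime(when.group(1), "%Y-%m-%d %H:%M:%S")
        if who and who.group(1) != "null":  # "null" means no installer was recorded
            current["installer"] = who.group(1)
    return packages


def review_list(dump, since):
    """(install time, package, untrusted installer?) for installs on/after `since`, newest first."""
    rows = [(info["installed"], name, info["installer"] not in TRUSTED_INSTALLERS)
            for name, info in parse_packages(dump).items()
            if info["installed"] is not None and info["installed"] >= since]
    return sorted(rows, reverse=True)


if __name__ == "__main__":
    for when, name, flagged in review_list(SAMPLE_DUMP, datetime(2026, 3, 1)):
        print(when, name, "installer not trusted" if flagged else "store install")
```

A flagged entry is a prompt to look at that app, not a verdict: preinstalled vendor apps and apps restored from a backup can also show an installer other than the Play Store.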
|
|
|
|
suzanne5223
|
 |
April 12, 2026, 09:40:27 PM |
|
Hi there!
Hope you're all doing well!
A few days ago, I received a notification on my mobile phone that my mobile phone was attacked by a malicious app. This has happened multiple times, two to three times in the previous month, and one time this month. I am sharing the SS here so you guys can understand what kind of attack I am facing on my mobile phone. I am using an Android mobile phone.
Other than this, whenever I received this notification, I instantly clicked the uninstall button. So, am I safe? I have turned on 2FA on my exchange accounts. And if not, how can I keep my mobile device safe from such an attack? As I don't join any kind of airdrops anymore, but I used to join back in time in 2023, it's already been too long since I last joined any single. So what is the reason behind such an attack? I will be waiting for a valuable response from community members. Thanks in advance!
I can see the Trojan notification as Android evo-gen [Trj], aka Android Evolutionary Generic Trojans. They are mainly used to gain remote access to your device, steal passwords, banking info, SMS codes, and mobile phone contacts, install other malware, show aggressive ads, or act as a keylogger. However, there's a chance you'll receive the notification also if an app is using an older Android SDK version, but I will choose to trust the notification rather than believing it's the SDK version. Do you download the app from the Google Play Store or a website? Uninstall the suspicious app, do a full scan of the phone using a reputable antivirus, look for any recently installed apps you don't recognize through your phone settings by checking the Apps section.
|
|
|
Potato Chips
Legendary
Offline
Activity: 3458
Merit: 1096
10/10 Forum Promotion | PM @LT_Mouse on Telegram
|
 |
April 12, 2026, 11:23:23 PM |
|
It may just be a false positive because of what it can do. Quick search and this seems to be an app for transferring data from old phone to new.
But if you wanna err on the side of caution as we're not 100% sure it's not malicious, a factory reset is a good idea for that. Personally, if I was in your shoes, I'd opt for this cause I'm paranoid lol.
It's great to hear you have 2FA enabled, but where are you getting your TOTP codes though? Generated from an app on the same mobile in question?
|
|
|
|
|