FastMHz.com

Cure for Chinese Notification Spam & Random App Installations on Android

I recently obtained a Star N9500, which is a Samsung Galaxy 4 clone. It’s a very nice piece of hardware, with the exception of the pre-installed spamware apps. I’m going to detail how I discovered which system apps were the culprits so that you can follow a similar procedure on your Chinese Android device.

The symptoms are Chinese-language spam notifications that, when touched, will immediately begin downloading some other app, most often a game or Chinese social networking/dating app. Other times, Chinese apps would just randomly install, or links to other Chinese sites would appear on the home screen. The problem is that there is no obvious app to uninstall to stop this from happening, AdAway doesn’t prevent it, and none of the ad network / push detectors or blockers available in the Play Store found anything wrong. These apps are buried in the phone’s firmware, and this must be solved with detective work.

The removal process requires your phone to be Rooted.

The first thing that I did was to Google the name of each and every .apk in the /system/apps folder. You’ll have to use the Translate feature for most of the results. Only one app I Googled, “uuplay.apk”, got a hit. Turns out that this is a known Chinese Adware app. I proceeded to rename it with a “.dis” extension with ES File Explorer and felt I solved the problem…but I didn’t.

Sure enough the notification spam continued, so I knew there had to be more. None of the APKs in the system apps folder resulted in any Google hits, so I had to figure this out myself.

I proceeded to use ES File Explorer to copy every file in the “/system/apps” folder to my desktop computer. Next, I used 7-Zip to unzip every APK to my RAM drive. I started to look at the individual files with Notepad++ but found this quite tedious. Then I realized that Chinese apps probably access Chinese servers with a “.cn” domain.

I fired up Agent Ransack and did a search inside all of the decompressed app files for “.cn”. Sure enough, two hits on “GoogleUpdate[3738].apk” and “GoogleService[3738].apk”. I looked inside the “classes.dex” files and sure enough found links to Chinese sites located at “http://g.10086.cn”. I also found mention of “com.google.system.king”. Ahhhhh that makes sense, because I noticed that the SD Card ended up with a folder of the same name with Chinese-looking files inside, such as “hziee”, and also “jrinfo.cfg”.

I Googled the king string and found a Chinese site that described the app as “Android application management, convenient and practical, Fool phone management experts.” Ah-ha!!! So I renamed both of those APKs in the system app folder with a “.dis” extension, rebooted my phone and voila – no more spam 🙂 They didn’t fool me, and hopefully this post will help someone else out there with this infestation.
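The unzip-and-search step above can be scripted. The following is an added example, not code from the original post: it opens each APK as a zip, pulls URL strings out of every member (including classes.dex), and flags ".cn" hosts. It goes one step beyond the ".cn" search by also flagging URLs that use a bare IP address as the host. The function names, the size limit, and the sample APK are assumptions constructed for illustration.

```python
import io
import ipaddress
import re
import zipfile
from urllib.parse import urlsplit

# URL constants in classes.dex are stored as plain ASCII runs ended by a NUL.
URL_RE = re.compile(rb"https?://[\x21-\x7e]{4,200}")
MAX_MEMBER = 64 * 1024 * 1024  # assumed cap: skip oversized members (zip-bomb guard)


def classify(url):
    """Return 'cn' for .cn hosts, 'ip' for IP-literal hosts, else None."""
    try:
        host = urlsplit(url).hostname or ""
        if host.endswith(".cn"):
            return "cn"
        ipaddress.ip_address(host)  # raises ValueError for ordinary names
        return "ip"
    except ValueError:  # also covers malformed URLs rejected by urlsplit
        return None


def scan_apk(apk_bytes):
    """Return sorted (member, label, url) tuples for flagged URLs in one APK."""
    hits = set()
    try:
        with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
            for info in apk.infolist():
                if info.is_dir() or info.file_size > MAX_MEMBER:
                    continue
                # apk.read() decompresses, so no separate unzip pass is needed
                for m in URL_RE.finditer(apk.read(info)):
                    url = m.group().decode("ascii")
                    label = classify(url)
                    if label:
                        hits.add((info.filename, label, url))
    except zipfile.BadZipFile:
        return [("<not a zip>", "error", "")]
    return sorted(hits)


def make_sample_apk(strings):
    """Build a constructed APK-like zip whose classes.dex holds NUL-separated strings."""
    blob = b"dex\n035\x00" + b"\x00".join(s.encode() for s in strings) + b"\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("classes.dex", blob)
    return buf.getvalue()
```

To triage a real pull of the system app folder, call `scan_apk(open(path, "rb").read())` for each copied .apk and review the files that return any rows.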

UPDATE 08-09-2013:

Quick Fix: If your phone has the same rogue files as mine did, root your phone, and delete the following from /system/apps: UUPLAY.APK, GoogleUpdate[3738].apk, GoogleService[3738].apk, SystemThread[3738].apk, Backup_File[3738].i, projectmkmassags.apk, and smsreg.apk.

I completely decompiled the APKs to Java code and found these strings inside:

http://61.160.234.133:9090/date/getDate
http://g.10086.cn/gamecms/wap/game/wyinfo/700144311000?channelId=12068000
http://www.ccinchina.com/blog/upload_files/vlog/0/1/1_20111109151143_MzI0NzM3NjgwNjMxMTM3NzA3NQ%3D%3D.jpg
http://117.135.133.9:8080/source/appsource/15035916/BaiduBrowser_Android_2-3-28-6_1000934d.apk?imei=352520130058754
http://117.135.131.9:8080/push_4/push.action?imei=value
http://61.160.242.35:8080/pro_5/pro.action
/datang_gaohong/
SilentClient.apk
shurufa_01.apk
BaiduBrowser_Android_2-3-28-6_1000934d.apk

None of those other APKs were present, but a datang_gaohong folder was on my SD card, as well as a folder called LogicDownloads that referenced these types of filenames. I deleted all of them and haven’t had them come back. I deleted a bunch of other non-dangerous bloatware as well. The phone is now about as perfect as I could imagine one being. Battery seems to go forever now as well.

~Cevyn L (FastMHz)