Sophos Intercept X for Mobile is showing the pre-installed Calculator App on my brand new Ulefone Note 7P as infected with Malware.
Is this a false positive? I am aware that Ulefones shipped with malware in 2017; I believe it was reported by Sophos that they were possibly infected somewhere along the supply chain, or worse, by the manufacturer. Actually, here is the article: https://news.sophos.com/en-us/2018/10/02/the-price-of-a-cheap-mobile-phone-may-include-your-privacy/
I have disabled the app and can't easily uninstall it because it is a pre-installed system app. Any advice welcome!
Hi Mr Dad
It can be a false positive. Is the device already reset? Could you please perform a complete scan and check if it still detects the system application.
Just to update you on my previous reply.
I factory reset the device. Virus still shows up. I also discovered the Adups (wireless update) window pops up at the very last step of setting up the phone, making it look like part of the legitimate Android setup (the page is styled to look like part of the Google stuff). You can't proceed unless you agree to let them collect data about you!
Re the virus: it does still show up, so it is part of the firmware.
Any other advice?
I will check this with my team and see what the next possible steps are.
Phone model is https://www.amazon.co.uk/Smartphones-Fingerprint-Ulefone-Note-7P/dp/B07V1PKPFX
https://www.ulefone.com/support/software-download.html - the link to the ROM on their site goes to Google Drive.
I installed the EU version and still got a detection.
The supplier came back saying maybe Sophos isn't a well-known AV (duh!) and to try another AV that obviously does not detect the malware!
I really appreciate your assistance, I would just like to know if it is malware or a false positive. The malware alert on the calculator app along with the presence of Adups (although not detected as malware) seems a little sketchy.
I was able to download the APK for the calculator app to my PC using ADB tool.
It is called PrizeCalculator.apk
I can send you this for analysis if you like?
I also uploaded the suspicious APK to Hybrid Analysis - it shows some malicious/suspicious indicators linked to Adups-style supply chain compromise. And I can confirm Adups is installed too, so if your team wants a look I can supply the APK, or maybe they can extract it from the ROM - the link is above.
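As an added example (not part of this thread and not Sophos tooling), here is the ADB triage described in the posts above written out as a script: parse the output of `adb shell pm list packages -f`, check whether the flagged APK sits on a firmware partition (which is why a factory reset does not remove it), pull it to the PC, hash it for a Hybrid Analysis or VirusTotal lookup, and list its v1 signature files so the signer can be compared with the rest of the ROM. The package names and paths in the sample output are constructed placeholders, not the real identifiers from the Ulefone ROM; `pull_apk` assumes `adb` is on PATH with a device connected, and everything else runs offline.

```python
"""Triage a pre-installed (system) Android app that an AV product has flagged.

Added example for this thread; not Sophos code. Only pull_apk() needs `adb` on
PATH and a connected device; the rest runs offline on parsed output and a
local APK. Package names and paths in SAMPLE_PM_OUTPUT are constructed.
"""
import hashlib
import shutil
import subprocess
import tempfile
import zipfile
from pathlib import Path

# Read-only partitions shipped in the firmware image. An APK living here
# survives a factory reset, which is why a reset does not clear the detection.
FIRMWARE_PREFIXES = ("/system/", "/system_ext/", "/vendor/", "/product/", "/odm/", "/oem/")

# Constructed sample of `adb shell pm list packages -f` output (placeholder names).
SAMPLE_PM_OUTPUT = """\
package:/system/app/PrizeCalculator/PrizeCalculator.apk=com.example.prizecalculator
package:/system/priv-app/FotaUpdate/FotaUpdate.apk=com.example.fota
package:/data/app/com.example.browser-1/base.apk=com.example.browser
"""


def parse_package_paths(pm_output: str) -> dict:
    """Map package name -> on-device APK path from `pm list packages -f` output."""
    packages = {}
    for line in pm_output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        # Format is package:<apk path>=<package name>; split on the last '='.
        apk_path, sep, pkg = line[len("package:"):].rpartition("=")
        if sep:
            packages[pkg] = apk_path
    return packages


def find_packages(packages: dict, keyword: str) -> dict:
    """Return entries whose package name or APK path contains the keyword."""
    kw = keyword.lower()
    return {p: a for p, a in packages.items() if kw in p.lower() or kw in a.lower()}


def is_firmware_path(apk_path: str) -> bool:
    """True if the APK is on a firmware partition rather than under /data."""
    return apk_path.startswith(FIRMWARE_PREFIXES)


def triage(pm_output: str, keyword: str) -> dict:
    """Classify matching packages by where they are installed."""
    matches = find_packages(parse_package_paths(pm_output), keyword)
    return {pkg: ("firmware" if is_firmware_path(p) else "data") for pkg, p in matches.items()}


def pull_apk(device_path: str, dest_dir: str) -> Path:
    """Copy an APK off the device with `adb pull` (assumes adb + a connected device)."""
    if shutil.which("adb") is None:
        raise RuntimeError("adb not found on PATH")
    subprocess.run(["adb", "pull", device_path, dest_dir], check=True)
    return Path(dest_dir) / Path(device_path).name


def sha256_file(path) -> str:
    """SHA-256 of the pulled APK; the value to search on Hybrid Analysis / VirusTotal."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def apk_signer_files(path) -> list:
    """List v1 signature blocks (META-INF/*.RSA|DSA|EC) inside the APK.

    A firmware app signed with a key different from the rest of the ROM's
    system apps is worth a closer look when deciding if a detection is real.
    """
    with zipfile.ZipFile(path) as z:
        return sorted(n for n in z.namelist()
                      if n.startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC")))


def build_sample_apk(dest=None) -> Path:
    """Construct a minimal APK-shaped zip so the offline steps can be exercised."""
    dest = Path(dest) if dest else Path(tempfile.mkdtemp()) / "PrizeCalculator.apk"
    with zipfile.ZipFile(dest, "w") as z:
        z.writestr("AndroidManifest.xml", b"placeholder")
        z.writestr("classes.dex", b"dex\n035\x00placeholder")
        z.writestr("META-INF/CERT.SF", b"placeholder")
        z.writestr("META-INF/CERT.RSA", b"\x30\x82placeholder")
    return dest


if __name__ == "__main__":
    # Offline walk-through on the constructed sample; swap in real `adb shell
    # pm list packages -f` output and pull_apk() for an actual device.
    print(triage(SAMPLE_PM_OUTPUT, "calculator"))
    sample = build_sample_apk()
    print(sha256_file(sample), apk_signer_files(sample))
```

With a real device, feed the output of `adb shell pm list packages -f` to `triage()`, then `pull_apk()` the path it reports; the SHA-256 lets you check whether the sandbox already has a verdict before uploading anything, and comparing `apk_signer_files()` output (and the certificates inside) across the other `/system` apps shows whether the flagged app was signed with the same vendor key as the rest of the firmware.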
Could you please submit the file via this link: Submit a sample to Sophos
Done. Do you think they will reply to me, or is this an automated process?
There was no way to select Android from the submission menu so if it is analyzed by a robot it will come up clean.
It needs to undergo dynamic malware analysis!
Thanks for all your help!