Soyes Android detection ID information

Hello,

I have recently come across a Chinese device where AVG reports two threats.

The device is a phone: Soyes S23 Pro mini. (This is practically a known scam; the device and the company lie about everything about this device, and malware preinstalled on this phone is not only known to happen but also expected. I have used a throwaway account to set this phone up, it does not have a SIM card, and I do not intend to use it for anything unless I can remove the malware or reflash it.)

The threats AVG is reporting are:
Updater: Detection ID 417e59d96da9
MTK Thermal Manager: Detection ID d5f9698e6567

The application does not provide any additional info on what those are.
Can we get more information about these two malicious applications?

Thank you.

A little bit more information about this phone. This video does not include a virus scan, but it shows how much of the information the manufacturer provides is fake, as well as the construction: https://www.youtube.com/watch?v=MNkMfap_LYo

This video is about a different Soyes phone that also comes with preinstalled malware. At 25:06 you can see the Updater screen (also seen in other reviews of Welcome devices) which is malware.

At 38:00 you can see Malwarebytes results with 5 detections. Including the updater. https://www.youtube.com/watch?v=RAeg1dxx8wI


Hello,
So my ticket was transferred to an AVG Senior Support member who sent it further to specialists to investigate the situation thoroughly. Thank you.

This is the answer I was later sent:
Let me inform you that our specialist checked the issue further, and I can confirm that the Updater app is correctly detected as malicious due to suspicious DNS requests to adware URLs.

Regarding the MTK Thermal Manager, we register this one as a potentially unwanted application.
I understand your effort to get rid of these applications for safe use of this device, but in the case of applications that are pre-installed by the manufacturer we have no possibility to remove them, only to warn about them.

Meanwhile, I found out how to remove the malware myself.

I also produced a clean system.img with the Updater app deleted, which can be flashed back to the device using fastboot. The guide also includes steps for downloading the whole firmware, including the tools.
The same steps will likely work even on other Soyes or Welcome devices as long as they use MTK processors.

I asked the specialist to help identifying what the other detection strings mean in case there are other suspicious files that should be removed.

Now I am going to leave the phone connected to the internet for a month with a spare SIM inserted, observe how it behaves, and check whether any new apps have been installed, which would mean some undetected malware has survived.

I have managed to pull all apks from the phone via adb and run them through VirusTotal.
These are the unique detections it found:

Android.Riskware.TestKey.rB, AdLibrary:Generisk
Android.Riskware.TestKey.rA, AdLibrary:Generisk
Android.Riskware.TestKey.rC, AdLibrary:Generisk
Android.Riskware.TestKey.rB, Android.PUA.DebugKey
APK:RepMalware [PUP], Android.Riskware.TestKey.rB, AdLibrary:Generisk
Android:DwPhon-A [Spy], Downloader/Android.Agent.1220136, TrojanDownloader:Android/Dwphon.72e7b8e7, Android:DwPhon-A [Spy], Android:Evo-gen [Trj], ANDROID/SpyAgent.FSKJ.Gen, Android.Riskware.TestKey.rB, apk.trojan.dwphon, Malicious (score: 99), Android.DownLoader.812.origin, a variant of Android/Spy.Dwphon.A, Malware.ANDROID/SpyAgent.FSKJ.Gen, Android/Dwphon.A!tr.spy, Detected, Trojan ( 0001140e1 ), HEUR:Trojan-Downloader.AndroidOS.Dwphon.a, Trojan.AndroidOS.Dwphon.C!c, Artemis!9FC9C9BE23E5, Trojan.Gen.MBT, Other:Android.Reputation.1, Android.Trojan-Downloader.Dwphon.Rgil, Android.Malware.Spyware, AndroidOS/ABRisk.YYKP-4, HEUR:Trojan-Downloader.AndroidOS.Dwphon.a


Since I cannot upload the whole report CSV file here, I put it on the XDA Developers forum along with the scripts and how-to.
The report contains file names, device path, android package name, virustotal urls and detections.
Question - Soyes S23 Pro (Mini Chinese Phone From AliExpress) | XDA Forums

I would like to know what these strings mean and which are confirmed malware. Except the last longest string, because that has already been identified.

MTKThermalManager.apk has been detected as APK:RepMalware [PUP], Android.Riskware.TestKey.rB, AdLibrary:Generisk
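The procedure described in the post above (pull every APK over adb, hash it, look it up on VirusTotal, and later check whether new packages have appeared) as an added example; this is not Olaf's script from the XDA post. It assumes `adb` is on the PATH with one device connected, and the package names and paths in the sample output are constructed for the example, not taken from the Soyes device. All device interaction is confined to `run_adb()` so the parsing and diff logic can be exercised offline.

```python
"""Inventory APKs on an Android device over adb, hash them for VirusTotal
lookup, and diff the package list against an earlier snapshot.

Added example for this thread (not the scripts posted on XDA). Assumes `adb`
is on PATH and a single device is connected; all device interaction lives in
run_adb() so the parsing and diff logic can run offline on sample output.
"""
import hashlib
import json
import subprocess
import sys
from pathlib import Path

# Hash lookup URL: if the file is already known to VirusTotal this resolves
# without uploading anything from the device.
VT_FILE_URL = "https://www.virustotal.com/gui/file/{sha256}"

# Constructed sample of `adb shell pm list packages -f` output; the package
# names and paths are made up for this example.
SAMPLE_PM_OUTPUT = """\
package:/system/app/Updater/Updater.apk=com.example.updater
package:/system/app/MTKThermalManager/MTKThermalManager.apk=com.example.thermal
package:/data/app/~~abc==/com.example.newapp-xyz==/base.apk=com.example.newapp
"""

# Constructed baseline, as if saved on day one before leaving the phone online.
SAMPLE_BASELINE = {
    "com.example.updater": "/system/app/Updater/Updater.apk",
    "com.example.thermal": "/system/app/MTKThermalManager/MTKThermalManager.apk",
    "com.example.gone": "/system/app/Gone/Gone.apk",
}


def parse_pm_list(output: str) -> dict:
    """Turn 'package:<apk path>=<package name>' lines into {name: path}.

    Paths under /data/app can themselves contain '=' (base64 directory
    names), so split on the LAST '=' of each line, not the first.
    """
    pkgs = {}
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        path, sep, name = line[len("package:"):].rpartition("=")
        if sep and path and name:
            pkgs[name] = path
    return pkgs


def diff_packages(baseline: dict, current: dict) -> dict:
    """Report packages added, removed, or whose APK path changed since baseline.

    A new entry under /data/app on a phone nobody used is the signal to look
    for: something on the device installed software by itself.
    """
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current)
                     if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def sha256_file(path) -> str:
    """Stream the file through SHA-256; VirusTotal identifies files by this hash."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def run_adb(*args: str) -> str:
    """Run one adb command and return its stdout (raises on non-zero exit)."""
    return subprocess.run(["adb", *args], check=True,
                          capture_output=True, text=True).stdout


def pull_and_hash(pkgs: dict, out_dir: str) -> list:
    """adb pull every APK into out_dir and return rows for a CSV/JSON report."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    rows = []
    for name, remote in sorted(pkgs.items()):
        local = out / f"{name}.apk"
        run_adb("pull", remote, str(local))
        digest = sha256_file(local)
        rows.append({"package": name, "device_path": remote, "sha256": digest,
                     "virustotal": VT_FILE_URL.format(sha256=digest)})
    return rows


def main(argv):
    """Usage: script.py <out_dir> [packages.json from an earlier run]"""
    out_dir = argv[1] if len(argv) > 1 else "apks"
    current = parse_pm_list(run_adb("shell", "pm", "list", "packages", "-f"))
    if len(argv) > 2:
        baseline = json.loads(Path(argv[2]).read_text())
        print(json.dumps(diff_packages(baseline, current), indent=2))
    rows = pull_and_hash(current, out_dir)
    Path(out_dir, "packages.json").write_text(json.dumps(current, indent=2))
    Path(out_dir, "inventory.json").write_text(json.dumps(rows, indent=2))
    print(f"{len(rows)} APKs pulled to {out_dir}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it once on day one to produce `packages.json`, then again after the observation period with that file as the second argument; any entry under `added` is a package that appeared without a human installing it. The VirusTotal URLs in `inventory.json` are hash lookups, so nothing from the phone is uploaded unless you choose to submit an unknown file.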

Thank you for providing more information about the issue, Olaf.
Upon checking your AVG account, our senior team is already working on your concern, and I have mentioned this additional information in your case.
You will get a response from them soon.
We're doing our best to provide efficient support and minimize the response time. However, delays do occasionally happen, despite our best efforts.
Thank you for your patience and understanding.

Hello Olaf, 

Thank you for reaching the AVG support channel. We are sorry for the inconvenience caused. We will check and help you understand the AVG detection.

Could you please share with us a screenshot of the AVG detection? Then we can check and help you resolve it. Also, please explain when you receive those detections: while accessing a specific program, or does it occur randomly?

You can post the screenshot here in your topic. Click on Answer & then click on the Image [mountain symbol] & follow the instructions. Thanks in advance.

Thank you for your response and sharing the screenshot, Olaf.
I see that your concern was already escalated to our senior team.
Currently, they are working on your concern. Please expect an email from them as soon as possible. 
We appreciate your patience and understanding.

Thank you for taking the time to write us back; we appreciate your efforts in sharing the screenshots.
We understand that you are facing an issue on your mobile device.
We do have a specialized team that deals with mobile queries.
We have escalated your case to the concerned team, and they will get back to you via email and help further.
Thank you, and keep us updated.

Hello Olaf, 

Thank you for writing back to us and updating the status of your request. We see that you have already replied to our senior team. They will check and get back to you via email soon. If you need any further help with AVG, feel free to contact us at any time. We are happy to help you. Have a great day!

Thank you for writing us back, Olaf.
I appreciate your efforts in sending us the information. I will certainly share this information with my senior team. They will certainly analyze this information and get back to you via email as early as possible.

Thank you for your understanding.