
I recently wanted to install a metronome app, so I downloaded one from the Play Store, but in the "install" step nothing happened. The app just wasn't there. I installed another one and forgot about that strange issue.

Yesterday though, something started to happen. Every now and then (and it's getting more and more frequent), I get a notification that some app tried to install itself (!) but was blocked because it's from "unknown sources", and it's prompting me to disable the "block install from unknown sources" check from Settings.

It looks like there is more than one app trying to install itself: "Superb Cleaner", "com.android.helper.patch[...]" and some more.

At first I thought these might be system updates and was tempted to disable the "unknown source" block, but now I am worried I might have some malware on my phone.

I do have some sensitive information (browser logins, credit card data), and I also don't want to factory reset my phone.

Where should I search for the APK that is trying to install itself (or the APKs)?

EDIT: It's this application: https://play.google.com/store/apps/details?id=com.andymstone.metronome. I'm not entirely sure the app is the cause, but it's strange that I don't have it installed, but in my Google Play account it appears as "Installed"...

My phone is an Allview X2 Soul Style with Android 5.1.

After I have unchecked the "block apps from unknown sources", now I keep getting prompted with the install screen for these apps. I keep pressing "Cancel" but they come again every half an hour or so. :(

EDIT2: Here are the adb logs requested: Windows and Activities

EDIT3: Dumpsys log for the suspicious package: Dumpsys

Bogdan Alexandru
  • Does the app show up in the list of apps in the settings? – Dan Hulme Apr 28 '16 at 08:27
  • No. It does not appear anywhere. – Bogdan Alexandru Apr 28 '16 at 09:02
  • You could try uninstalling the second metronome app and see if everything stops breaking then. – Dan Hulme Apr 28 '16 at 09:13
  • For the sake of completeness, can you provide the link to the metronome app that you installed? This may help us to test it in a controlled environment. Also, what's your Android model? There's a recent discussion on XDA that a company pushed an OTA with malware. – Andrew T. Apr 29 '16 at 01:24
  • Editing the question... – Bogdan Alexandru Apr 29 '16 at 11:53
  • Could you setup [tag:adb] in your PC and if the installation prompt appears again, use the PC to issue the command: adb shell dumpsys window windows and/or adb shell dumpsys activity activities and provide us the output? The output may be large (overwhelming), so use a code paste service, such as pastebin to upload it. Do provide us the screenshot for that installation prompt. – Firelord Apr 29 '16 at 15:39
  • @Firelord Thanks for the suggestion, I have edited the question adding the logs you requested. – Bogdan Alexandru May 05 '16 at 08:18
  • I have installed Metronome Beats on an emulator, run it, and.. nothing happened. The app's working properly, and there's no suspicious activity (the only permission is to have internet access, which is for showing ads, but nothing harmful). IMHO, it's not the cause (Play Store sometimes has that kind of bug). Now, reading the Activities log, it does certainly point to com.android.tools.callassistant, which is the source. – Andrew T. May 05 '16 at 10:23
  • @AndrewT. Thanks, but can you explain why you think that is the cause? And what could I do to remove it? I've done some Android programming a while ago but I have no experience with adb. I assume adb can do a lot of cool stuff though. – Bogdan Alexandru May 05 '16 at 11:32
  • @AndrewT. : It appears that the calling package com.android.tools.callassistant is reported as malware by AVG and so as at many places on web per Google search. Seems to go by the label Caller ID. // Bogdan: could you do adb uninstall com.android.tools.callassistant and later see if adb shell pm list packages com.android.tools.callassistant reports anything? – Firelord May 05 '16 at 13:53
  • @Firelord I have tried but it does not work: "Failure [DELETE_FAILED_INTERNAL_ERROR]" is the message I get. – Bogdan Alexandru May 05 '16 at 15:18
  • I think it is a system app. Could you provide us the info of adb shell dumpsys package com.android.tools.callassistant? After that, do adb shell pm hide com.android.tools.callassistant. – Firelord May 05 '16 at 15:26
  • @Firelord Done, edited the text to add the logs. I did hide the package, it says new hidden state is TRUE. How does that help? I'm thinking, can't I just disable these installation popups that keep coming over and over? There must be a way in Android to simply say "I don't want to install anything, period"... – Bogdan Alexandru May 09 '16 at 08:59
  • pm hide makes Android treat the relevant package as being uninstalled, which means it wouldn't run at all unless it is reinstated. pm disable is more flexible and requires higher privileges but in the end, our goal to disable the package has been achieved. As for the prompts, if they are like this then my answer here might be of some service to you. – Firelord May 09 '16 at 16:52
  • @Firelord Thanks. I have hidden the package, and indeed I cannot disable it - I am getting a Java SecurityException - Permission Denial. I'll wait and see if the prompts stop. FYI, I was getting the exact screen with "install blocked", then I unchecked the "don't install from untrusted source" checkbox, then the prompt changed to the install screen of the app. But it's still coming with the same frequency. – Bogdan Alexandru May 10 '16 at 10:51
  • @Firelord Also FYI, although I have hidden the malware package, I can still uninstall an app... What does that mean? – Bogdan Alexandru May 10 '16 at 10:53
  • Can you show me how the Unknown Sources setting looks like in your device? [Prompt] changed to the install screen of the app suggests me that you enabled Unknown sources setting. Now, did you follow my linked answer? It has instructions for non-rooted devices too. If you follow them you shouldn't be getting the installation screen at all. As for your last comment, hiding emulates that the program has been uninstalled but the APK (the code) still exists and it cannot run again unless you reinstate the app manually. – Firelord May 10 '16 at 17:38
  • @Firelord Thank God! Hiding the package stopped all notifications! It's still there, but nothing bad happens anymore. Thanks a lot for the instructions! If you think it qualifies as a resolution for the question, post an answer and I will accept it. – Bogdan Alexandru May 17 '16 at 08:34

2 Answers


Every now and then (and it's getting more and more frequently), I get a notification that some app tried to install itself (!) but was blocked because it's from "unknown sources", and it's prompting me to disable the "block install from unknown sources" check from Settings.

It's not a notification but a dialog and it looks like this:

[image: the "Install blocked" dialog shown by Package Installer; image courtesy of Piyush]

At first I thought these might be system updates and was tempted to disable the "unknown source" block, but now I am worried I might have some malware on my phone.

Yes, never enable that Unknown sources setting if you're in uncharted waters.

Where should I search for the APK that is trying to install itself (or the APKs)?

It's a bit difficult to find the app. I recommend finding the cause for the effect. In our case, the effect was the dialog hinting that the Unknown sources setting was blocked. That dialog is shown by Package Installer (a system-cum-core app). Package Installer is used by user or system apps which do not have the permission android.permission.INSTALL_PACKAGES to install an app. Since you did not attempt to side load an app, it stands to reason that an app called Package Installer without your consent. Our imminent goal is to find out that particular app.

The system service activity logs many important details. Among other things it shows the called package, which in this case is the Package Installer app with package name com.google.android.packageinstaller or com.android.packageinstaller. It also shows the calling package, or the package which launched another package.

Find the package name

Now, using adb on your PC, execute the command:

adb shell dumpsys activity activities      # this command should be executed only when that dialog is in foreground

Demo output: notice the highlighted line:

[image: demo output of the command, with the line containing launchedFromPackage= highlighted]

In the highlighted line, the string after launchedFromPackage= and before userId is the package responsible for launching Package Installer app. In your case it would be a different package name. Note down that package name (henceforth denoted as <pkg>).

Locate the apk

Now that we know the immediate cause we can hunt down the home or in other words, the apk. Execute the command:

Note: Finding the location of apk is required only for forensics. If you're not interested in that, I recommend you don't bother with this step and immediately jump to the heading Uninstall/Disable/Hide the app.

adb shell pm path <pkg>  

Demo output:

bash-4.2# adb shell pm path com.estrongs.android.pop
package:/data/app/com.estrongs.android.pop-1/base.apk

The string next to package: is the location of apk. You can also find the same information inter alia through the command:

adb shell dumpsys package <pkg>

Uninstall/Disable/Hide the app

If you know the label of the package or can get to know it through any means (such as with AppXplore) then go into the application manager under Settings app which typically comes down Settings → Apps → All apps in stock Android, find the malware app and uninstall it.

Things to note

  • If the Uninstall button is grayed out and so is the Force stop button, then your app must be a device administrator. In that case, go into the Security settings, choose the Device administrators option and revoke the administrator privilege from the app. Come back and attempt to uninstall the app.
  • If you don't find the Uninstall option then your malware app is a system app. Whether your vendor shipped it or the app exploited your system or tricked you to install itself is another matter to deal with. For a system app, the button Uninstall is replaced by Disable.

    • If both Force stop and Disable buttons are grayed out then the app may be a device administrator as well. In that case, revoke that privilege and then attempt to disable the app.
    • If the Disable button alone is grayed out, then:

      • For a rooted Android: disable the app through the commands:

        adb shell
        su
        pm disable <pkg>
        

        To enable the app, replace disable with enable in aforesaid command.

        You can alternatively use an app, such as Titanium Backup, to disable/freeze the malware app. You can also consider removing the apk using a file manager app.

      • For a non-rooted Android: provided that you're using Android 4.4.x or above, use the commands:

        adb shell
        pm block <pkg>      # for Android 4.4.x
        pm hide  <pkg>      # for Android 5.x and 6.x
        

        To unblock/unhide the package replace block by unblock and hide by unhide in appropriate aforesaid command. In this particular case, hiding the package would achieve the same result as disabling would.

The package would remain disabled or hidden until you revert the changes.


Note for readers

It has been confirmed by question's author that the malware app in their phone has the package name com.android.tools.callassistant. I found its label as Caller ID and it has been reported as a malware by AVG.

Firelord
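The three steps of the answer above (read the launching package out of dumpsys activity activities, read the apk location out of pm path, and pick the right pm sub-command for the Android version) can be scripted. The following is an added example and is not part of Firelord's answer or of any Android tool: the dumpsys excerpt, the Package Installer record and the package name com.example.sly.installer are constructed for the demonstration, and the version-to-command mapping simply follows the answer's notes (block on 4.4.x, hide on 5.x/6.x, disable with root). The tr -d '\r' is there because adb shell output captured on a Windows PC carries CRLF line endings, which would otherwise stick to the extracted package name.

```shell
#!/bin/sh
# Added example, not from the original answer: parse `adb shell dumpsys
# activity activities` for the package that launched Package Installer,
# strip the "package:" prefix from `pm path`, and pick the pm sub-command
# the answer recommends for the device's Android version.

# Constructed sample of the relevant part of `dumpsys activity activities`
# (real output is far longer). Everything here, including the package name
# com.example.sly.installer, is made up for this demonstration.
SAMPLE_DUMPSYS='ACTIVITY MANAGER ACTIVITIES (dumpsys activity activities)
Display #0 (activities from top to bottom):
  Stack #1:
    Task id #12
    * TaskRecord{3e2b1f0 #12 A=android.task.installer U=0 sz=1}
      * Hist #0: ActivityRecord{2dd7f8c u0 com.android.packageinstaller/.PackageInstallerActivity t12}
          packageName=com.android.packageinstaller processName=com.android.packageinstaller
          launchedFromUid=10054 launchedFromPackage=com.example.sly.installer userId=0
          app=ProcessRecord{1b2c3d4 2231:com.android.packageinstaller/u0a11}
  Stack #0:
    Task id #1
    * TaskRecord{9a8b7c6 #1 A=com.android.launcher3 U=0 sz=1}
      * Hist #0: ActivityRecord{5e6f7a8 u0 com.android.launcher3/.Launcher t1}
          packageName=com.android.launcher3 processName=com.android.launcher3
          launchedFromUid=0 launchedFromPackage=android userId=0'

# Print the launchedFromPackage= value recorded for the Package Installer
# activity only (the launcher's own launchedFromPackage line is ignored).
# Returns 1 when no Package Installer record is present, i.e. the dialog
# was not in the foreground when dumpsys ran.
installer_launcher() {
    pkg=$(printf '%s\n' "$1" | tr -d '\r' | awk '
        /ActivityRecord.*(com\.android|com\.google\.android)\.packageinstaller\// { inrec = 1; next }
        /ActivityRecord/ { inrec = 0 }
        inrec && /launchedFromPackage=/ {
            sub(/.*launchedFromPackage=/, ""); sub(/ .*/, ""); print; inrec = 0
        }')
    [ -n "$pkg" ] || return 1
    printf '%s\n' "$pkg"
}

# Strip the "package:" prefix from a line of `pm path <pkg>` output.
apk_path() {
    printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^package://p'
}

# $1 = Android release (e.g. 4.4.2, 5.1), $2 = "rooted" or "unrooted".
# Without root: block on 4.4.x, hide on 5.x/6.x; with root: disable.
# Returns 1 for an unrooted device on an unsupported release.
pm_disable_cmd() {
    if [ "$2" = "rooted" ]; then
        echo "pm disable"
        return 0
    fi
    case "$1" in
        4.4*)    echo "pm block" ;;
        5.*|6.*) echo "pm hide" ;;
        *)       return 1 ;;
    esac
}

# Stand-alone run on the constructed sample. Against a real phone you would
# pass "$(adb shell dumpsys activity activities)" while the dialog is showing.
if pkg=$(installer_launcher "$SAMPLE_DUMPSYS"); then
    echo "Package Installer was launched by: $pkg"
    echo "Locate its apk with:   adb shell pm path $pkg"
    echo "Neutralise it with:    adb shell $(pm_disable_cmd 5.1 unrooted) $pkg"
else
    echo "No Package Installer activity found; rerun while the dialog is showing"
fi
```

The awk state machine only accepts a launchedFromPackage= line that follows a Package Installer ActivityRecord, which matters because every activity in the dump carries such a line and the topmost one is not necessarily the installer dialog.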

Some mobile phone manufacturers include an OEM app that automatically downloads and installs other apps. (They reduce the cost of the phone or increase their profits with these marketing deals.) So, you will need to find and disable that app which is doing the sly installs. In my case, it was an app called Cube26.

Use apps like Startup Manager or Task Killer to find out which app is doing the downloads. An Android developer can also find out the app by looking at the LogCat view of the IDE when the phone is debugged via USB. Ensure that your wireless router is not compromised.

Another thing you can do is to remove your Google account from the phone and add a new one with another gmail address. This will ensure that the apps that you have already downloaded don't get automatically installed again. This time, install only those apps that are well known and have good reviews. Before this, of course, remove/disable unwanted apps.

The Somberi