1

I had a problem with this app (I found on a package with the same name on Google Play, but I doubt it's the same thing) which kept getting installed all by itself again and again, and once istalled, it would start using my limited 3G internet traffic. My phone is not rooted and installing apps from unknown sources is forbidden. A scan with Malwarebytes doesn't detect anything.

From this I deduced that the offending app is somehow bundled by the manufacturer, so I won't be able to get rid of it without rooting (which I don't plan to do). Since uninstalling it didn't help as the app would get reinstalled, I figured I strip it of all permissions and forbid it to use background data. So far this solves my immediate problem with 3G traffic consumption.

However, I see that the app still gets started, consuming RAM (second entry in the list on a freshly booted phone, right after "Android OS") and creating storage data and cache objects. Is there anything I can do to prevent the app from getting started?

Edit: I have tried adb shell pm uninstall --user 0 com.freshmenu which indeed removes the package, but it gets reinstalled after a while. I have tried to search for installer in adb shell pm list packages -i com.freshmenu, and it's indeed set to null, so I could not discover the offender responsible for reinstalling. I have run adb shell dumpsys package to discover which apps have REQUEST_INSTALL_PACKAGES permission. There are 4 of them, and they don't look suspicious:

  • com.whatsapp (installer=com.android.vending)
  • android (installer=null)
  • com.google.android.apps.docs (installer=com.android.vending)
  • com.android.chrome (installer=com.android.vending)

There are 5 more apps having INSTALL_PACKAGES permission:

  • com.android.vending (installer=com.android.vending)
  • android (installer=null)
  • com.mediatek.datatransfer (installer=null)
  • com.google.android.packageinstaller (installer=null)
  • com.android.managedprovisioning (installer=null)
Dmitry Grigoryev
  • 615
  • 8
  • 24
  • Going to the app list from settings and force stop the app- see if it helps – beeshyams Aug 16 '18 at 11:26
  • 1
    Possible duplicate of Why are disabled apps still running? – beeshyams Aug 16 '18 at 11:30
  • 1
    @beeshyams Thanks, I'll check that solution (the non-root part of it) once I get to a computer with adb installed. Force stop doesn't seem to help. – Dmitry Grigoryev Aug 16 '18 at 11:32
  • 2
    @beeshyams the app is not disabled. It's rather along the lines of Unwanted apps auto installing without me doing anything. How to stop them? / How to Block Pre-Installed Auto App Installer Malware? / Random apps keep installing on the phone. I'd suspect some "bad app" with the REQUEST_INSTALL_PACKAGES permission behind the scenes. – Izzy Aug 16 '18 at 15:44
  • @izzy Yes. You are right. Retracted close vote. OP has enough material to figure out now – beeshyams Aug 16 '18 at 17:33
  • 1
    Does adb shell pm uninstall --user 0 PACKAGE_NAME also not work? – Firelord Aug 16 '18 at 18:58
  • 1
    pm hide is for Lollipop, the command mentioned above should work on Marshmallow and Nougat. – Zackary Aug 16 '18 at 19:22
  • @Firelord you mean that could keep the app from re-installing as it might not figure it's "not there"? Worth a try. If it works, we should pin that somewhere to find (some tag wiki for example), as those "self-installing-app-issues" come in waves it seems. – Izzy Aug 16 '18 at 19:26
  • 1
    @Firelord adb shell pm uninstall --user 0 com.freshmenu looked like it worked, but I recently got my bloatware back :( Apparently the process installing it is smart enough to check if the app cannot start and reinstall if needed. – Dmitry Grigoryev Sep 13 '18 at 12:48
  • You can remove that app again using pm and install a dummy app with same package name. If the malware is not smart enough, it wouldn't know what to do with the dummy app with same package name. Since your device is not rooted, you can try narrowing down your hunt to those system apps having the permission android.permission.INSTALL_PACKAGES. – Firelord Sep 13 '18 at 15:32
  • @Firelord sorry to bother you again, but how would I install a dummy app with a given name? Do I have to install Android Studio for this? – Dmitry Grigoryev Sep 17 '18 at 22:09
  • 1
    It is fine. I'm not bothered and it is my fault I didn't tell how to make that dummy app easily. You can use Tasker's "App Factory app" with "Tasker" (see tutorial; very easy) to create an app which could do nothing in fact, and would have package name com.freshmenu but obviously different developer's signature. Make sure you install this dummy app only when Freshmenu app is completely removed. After installing this dummy, installing Freshmenu app would result in https://i.stack.imgur.com/v8aMU.png – Firelord Sep 18 '18 at 09:10
  • 1
    I tested this by creating a dummy app which shows a toast and asks for no permission. Here you can find it: http://s000.tinyupload.com/index.php?file_id=72926899043468431377 // Do note that if your malware installer is intelligent enough, it would first remove any app with that package name and then install real Freshmenu app, which I don't think I can control without root access. // As for the last edit you made, my take is com.mediatek.datatransfer is compromised and does that, or your system is exploited using a vulnerability – Firelord Sep 18 '18 at 09:13
  • 1
    I would suggest you uninstall that mediatek app using pm command (this may result in boot loop though because I don't know how critical that app is for your Android to function, so please ensure backup is already made at least). Otherwise, I suggest you use a firewall to virtually limit all the apps which you mentioned in your last edit, just to see whether Freshmenu app still gets installed. If it does not, than the culprit is from the list in that edit. Otherwise, you have a real malware exploiting your system well enough. – Firelord Sep 18 '18 at 09:15
  • 1
    @Firelord I've installed your test app an will report in a couple of weeks. Unfortunately, I can't do much with that mediatek app (btw, it's called "Backup & Restore" in the app list and looks pretty legit). I tried to limit its permission via the Android Settings. Again, thank you so much! – Dmitry Grigoryev Sep 20 '18 at 14:56

2 Answers2

1

After a rather long exchange in the comments, it was discovered that installing a dummy package with the same name as the bloatware helps, by making the bloatware installation silently fail.

@Firelord was nice enough to make a dummy package for me, future readers could make their own packages with Tasker + Tasker App Factory plugin. Those who don't need Tasker and don't want to pay for it should be able to grab a 7-day free trial here.

Dmitry Grigoryev
  • 615
  • 8
  • 24
0

I'm of the never unlock an Android Device page.

I use the Applications tab, go in and disable as much of the bloatware I can. Clean/clear the cache. That strips them down to least objectionable. Some you can't disable, but you can reset to factory settings & uninstall all updates. It again saves some space.

I've had an 8gb phone, on Android 6.x. It sucked big time, & I could barely get the most needed Google Apps installed & updated. The HTC & US Cellular bloat-scheize was worthless!

Joel Huebner
  • 307
  • 2
  • 6