New Redmi Note 2 ROM Infected With Malware (file: KeyChain.apk)???


Jul 7, 2014
#1
Hi,

A friend has a Redmi Note 2 with your ROM installed. He ran AVG antivirus and it reported an infected file called KeyChain.apk.
I decided to dive in a little further and check it.
I uploaded to VirusTotal the file from the original (en.miui.com) ROM and the file from your ROM and found that the original file is clean, whereas the file from your ROM is marked by (ONLY!) AVG as infected with "Android/Deng.PIP".
Further checking the files showed that the file from your ROM contains the file "classes.dex" which is absent from the original APK and is the one that is marked as infected!

I checked the versions 5.9.18 and 5.9.24 and it is the same.
I haven't checked other devices' ROMs.

Here is the original file check:
https://www.virustotal.com/en/file/...b3a2e1185c2f084d95049bde/analysis/1443182383/

Here is your version check:
https://www.virustotal.com/en/file/...40ccd06fe548eb74547abc09/analysis/1443184276/

Please check, acknowledge or calm me down... :)
Thanks a lot!!!
Elad.
 
Jul 7, 2014
#3
> Interesting that there has been no reply from Xiaomi.eu. It would be good to have an explanation as to why they are modified. You should post this on XDA Developers general discussion: http://forum.xda-developers.com/general/general
>
> Sent from my MI NOTE Pro using Tapatalk
The ROM is made here, no?
Do you think it is a good idea to post it there? (Genuinely asking!)

Anyhow, I will try to check more devices' ROMs this week to have a more complete conclusion.
 
Feb 27, 2015
#4
Yes of course, if you get a reply from one of the devs here. Otherwise, asking elsewhere may spark more interest. I look forward to your findings.

Sent from my MI NOTE Pro using Tapatalk
 

Acid (Scripting Ninja, Staff member)
Aug 20, 2011
#5
Hi,

> A friend has a Redmi Note 2 with your ROM installed. He ran AVG antivirus and it reported an infected file called KeyChain.apk.
> I decided to dive in a little further and check it.
> I uploaded to VirusTotal the file from the original (en.miui.com) ROM and the file from your ROM and found that the original file is clean, whereas the file from your ROM is marked by (ONLY!) AVG as infected with "Android/Deng.PIP".
> Further checking the files showed that the file from your ROM contains the file "classes.dex" which is absent from the original APK and is the one that is marked as infected!
>
> I checked the versions 5.9.18 and 5.9.24 and it is the same.
> I haven't checked other devices' ROMs.
>
> Here is the original file check:
> https://www.virustotal.com/en/file/...b3a2e1185c2f084d95049bde/analysis/1443182383/
>
> Here is your version check:
> https://www.virustotal.com/en/file/...40ccd06fe548eb74547abc09/analysis/1443184276/
>
> Please check, acknowledge or calm me down... :)
> Thanks a lot!!!
> Elad.
You're wrong. This is because you have no idea how to check apps.
The Hermes ROM is an odexed ROM, so part of the APK is in the odex file (that's why you can't see classes.dex in the APK).
But after we deodex the ROM (to be able to make translations), classes.dex is moved into the APK.
And about the virus... get a better one.
 
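The odex/deodex point above, as an added example (this is not code from the thread or from the xiaomi.eu build process): a small Python script that builds two constructed stand-in APKs, one "odexed" (no classes.dex inside, the code would live in a sibling .odex file) and one "deodexed" (classes.dex packed back in), then diffs them member by member and reports whether the only difference is that dex packaging. It also shows the VirusTotal-by-hash lookup used in the first post without uploading anything: hash locally and build the report URL. Every member name and byte content below is a constructed placeholder, not data from either ROM.

```python
import hashlib
import io
import zipfile

# Constructed stand-in members. Real AndroidManifest.xml / resources.arsc /
# classes.dex are binary; these bytes only need to be distinct and stable.
MANIFEST = b"AndroidManifest.xml stand-in"
RESOURCES = b"resources.arsc stand-in"
DEX = b"dex\n035\x00" + bytes(range(64))  # dex-like magic, not a real dex
SIGNATURE = b"META-INF/CERT.RSA stand-in"


def build_apk(members):
    """Create an in-memory zip (an APK is a zip) from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def member_hashes(apk):
    """SHA-256 of every member's uncompressed content, keyed by member name."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        return {info.filename: hashlib.sha256(zf.read(info)).hexdigest()
                for info in zf.infolist()}


def compare_apks(first, second):
    """Member-by-member diff of two APKs.

    dex_packaging_only is True when the single content difference is that the
    second APK carries classes.dex and the first does not: exactly what an
    odexed -> deodexed repack looks like. Anything else (extra members, a
    changed manifest or resources) is not explained by deodexing and deserves
    a closer look.
    """
    a, b = member_hashes(first), member_hashes(second)
    only_in_first = sorted(set(a) - set(b))
    only_in_second = sorted(set(b) - set(a))
    changed = sorted(n for n in a.keys() & b.keys() if a[n] != b[n])
    differences = set(only_in_first) | set(only_in_second) | set(changed)
    # A repacked APK is normally re-signed, so META-INF/ is expected to differ;
    # report it separately instead of letting it mask the content diff.
    signing = {n for n in differences if n.startswith("META-INF/")}
    content = differences - signing
    return {
        "only_in_first": only_in_first,
        "only_in_second": only_in_second,
        "changed": changed,
        "resigned": bool(signing),
        "dex_packaging_only": content == {"classes.dex"}
        and only_in_second == ["classes.dex"],
    }


def vt_report_url(data):
    """VirusTotal report URL for a file, keyed by SHA-256 (nothing is uploaded)."""
    return "https://www.virustotal.com/gui/file/" + hashlib.sha256(data).hexdigest()


# Constructed sample APKs.
ODEXED = build_apk({"AndroidManifest.xml": MANIFEST,
                    "resources.arsc": RESOURCES,
                    "META-INF/CERT.RSA": SIGNATURE})
DEODEXED = build_apk({"AndroidManifest.xml": MANIFEST,
                      "resources.arsc": RESOURCES,
                      "META-INF/CERT.RSA": SIGNATURE,
                      "classes.dex": DEX})
# A repack where more than the dex moved: manifest edited, signature replaced.
SUSPICIOUS = build_apk({"AndroidManifest.xml": MANIFEST + b" edited",
                        "resources.arsc": RESOURCES,
                        "META-INF/CERT.RSA": b"different signer",
                        "classes.dex": DEX})

if __name__ == "__main__":
    print("odexed vs deodexed:", compare_apks(ODEXED, DEODEXED))
    print("odexed vs suspicious:", compare_apks(ODEXED, SUSPICIOUS))
    print("look up:", vt_report_url(DEODEXED))
```

The script deliberately does not try to compare code: the odexed build keeps its bytecode in a separate, pre-optimised .odex file whose bytes are not comparable to a classes.dex. To diff the actual code you would first deodex the original with a tool such as baksmali and compare the resulting smali, which is exactly why running an antivirus over only the APK container gives one result for the original and another for the repack. On a real xiaomi.eu build, `resigned` would be expected to come back True as well.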
Jul 7, 2014
#6
> You're wrong. This is because you have no idea how to check apps.
> The Hermes ROM is an odexed ROM, so part of the APK is in the odex file (that's why you can't see classes.dex in the APK).
> But after we deodex the ROM (to be able to make translations), classes.dex is moved into the APK.
> And about the virus... get a better one.
Why are you defending by attacking me?!
I didn't accuse any of the staff here of injecting malware into the ROMs!

I'm fully aware of what odex/deodex are and just wanted to point out where the cause is.
If you had checked the VirusTotal links you would see that I pointed out that only 1 out of 56 AVs marked the file as infected. This is a huge sign of a false positive...
Still, maybe something went wrong in the process of making the ROM?

I just wanted you to check the issue and comment on it.
Again, in case I was misunderstood, I am not accusing anyone here of wrongdoing!

Thanks for understanding!
Elad.
 

Acid (Scripting Ninja, Staff member)
Aug 20, 2011
#7
I was not attacking you. I just clearly explained to you that you have no idea what you're doing.
You compared the China odexed app with the xiaomi.eu deodexed app, and that was just nonsense.

I don't care about some **** antivirus warnings. And everything is OK with the process of making the ROM.
You can't inject any virus into a decompiled dex file because we don't know how. Decompiled dex is smali code and nothing can be injected there and pass the recompile process (unless it's made specifically for smali code, as our patches are).
 
Jul 4, 2014
#9
> So I can tell the friends who are worried to calm down?! :)
> They wanted to delete the file....
> I told them to delete the AVG AV already... ! :D
>
> Thanks a lot and keep up the good work you do!
Elad, hi. I have a question about a similar issue. A neighbor bought a Redmi Note 2. She installed CM Security and then emailed me a screenshot saying her phone has a Trojan. She is a nervous person and by nature scared of her phone getting infected. I wiped the phone and reinstalled the latest stable MIUI ROM from miui.com (because I couldn't get the ROM here to install). Now popups for different "infections" are showing up. What would you suggest?
 
Jul 7, 2014
#10
> Elad, hi. I have a question about a similar issue. A neighbor bought a Redmi Note 2. She installed CM Security and then emailed me a screenshot saying her phone has a Trojan. She is a nervous person and by nature scared of her phone getting infected. I wiped the phone and reinstalled the latest stable MIUI ROM from miui.com (because I couldn't get the ROM here to install). Now popups for different "infections" are showing up. What would you suggest?
First, it could all be false positives....
Also, you can try looking the files up on virustotal.com and see what 50+ antiviruses say.
If you didn't wipe the old system, then the files could remain there. I would suggest doing a clean install, and if that doesn't help, I would do a full flash with Mi PC Suite.