
Unlocking

Protect found threat on F1.apk - won't delete

3: Seeker

On my HW P1

After running VF protect, I have found a threat.
"/cust/vodafone/es/app/F1.apk
(infected by Android/youmi/A1Gen)"
but Protect can't remove it, and I can't find this directory through my PC file explorer.

what can I do to get rid? (what is it anyway)
thanks

20 REPLIES
Administrator

Hi chocchipcooki

 

Unfortunately I've been unable to recreate this here.

The first steps to troubleshoot this would be to back up all of your contacts and files, and perform a factory reset to see if this continues.

 

Did you notice this after downloading any apps in particular?

 

DaveCD

3: Seeker

I guess you can't recreate it unless you've got the bad code.

It was found after installing vfProtect. Don't know how long it'd been there.

 

If my FIRST step is to do a factory reset, what is the best way to back up contacts, files, etc.?
Does that mean I lose all my apps too?

M

Moderator (Retired)

Hi chocchipcooki,

 

To back up your data from a Huawei Ascend P1, just follow these steps:

 

  • Go to menu > System settings
  • Scroll down and tap backup & reset
  • Select reset phone > Backup data > Backup.

 

Whilst the factory reset would remove any apps you have installed, your account will still recognise anything you have purchased or installed previously. This will allow you to add them back to the phone without paying again.

 

When you've done the reset, I'd test before restoring your data or reinstalling anything. This way you'll be testing with a "clean" phone. If there's no sign of an error then, reinstall things in stages, testing after each one. 

 

Dave

17: Community Champion

The basic file manager has restricted access, but there are other apps which can show hidden and system files.  I have a feeling that Androzip is one of them (option in settings).  You could give that a try and see if it can find the relevant folder.

 

Or it may just be a matter of telling the pc to show hidden files.

3: Seeker

thanks. I'm still needing advice!!

 

I switched on the hidden files option in the PC explorer. The problem file was not shown.

I have factory reset the phone 4 times now; by the time I reinstall vfProtect and run it, the issue is still there!!

I have a feeling that Google is reinstalling stuff off my account (I need to sign in to get Protect reinstalled). I am definitely unticking the "restore from google" box, too.

 

I will try and find androzip and investigate that.

 

I can't believe I am the only one with this issue.

17: Community Champion

Googling for this doesn't bring up any results, so I'm wondering whether it's part of another problem and this particular file has been corrupted, or the file is corrupted but not infected, or whether it's a false positive.

 

You may need to show system files as well, but I'm pretty sure Androzip can look quite high up the directory tree.

 

The other possibility might be to leave Vodafone Protect off and try another AV app, such as Avast and see if that finds anything and can fix it.

17: Community Champion

@chocchipcooki wrote:

On my HW P1

After running VF protect, I have found a threat.
"/cust/vodafone/es/app/F1.apk
(infected by Android/youmi/A1Gen)"
but Protect can't remove it, and I can't find this directory through my PC file explorer.

what can I do to get rid? (what is it anyway)
thanks


The Folder "Android" is usually found in...

/storage/emulated/0/

 

This might be slightly different on your device?

Basically the search tree is this;

/ = Home

storage/ = onboard memory

emulated/ = sub partition of storage

0/ = Folder in sub partition

 

Yours might be...

/sdcard/sdcard/Android

 

I use ES File Explorer as it can go right to the root directory. You might not be able to delete system files without root privileges though?

 

My honest opinion is that it is a false positive as hrym suggested earlier. You might want to raise the question with the F1 app developers?

 

 

3: Seeker

thanks all

Oddly, I haven't got an F1 app installed!

I will try and find one of the file tools suggested and explore using that.

 

I'd happily delete both these files.

"Youmi" googles as a Chinese ad-server - so who knows.

17: Community Champion

The other possibility would be to try another AV product and see if that can clear it or identify the folder more clearly.  It's also possible that the file has installed itself as system and that, yes, it can't be deleted without root privileges, even by Vf Protect.  That would be fairly typical malware behaviour.  The other possibility is that it's an ad server for another app that you've installed and not actually a threat at all.

 

@thesoupdragon  If it's hiding as a system file, would a factory reset get rid of it, do you think?

17: Community Champion
@hrym yes it would but reinstalling the app automatically from the Play Store would return the problem.
As you mentioned, I think it's a false positive. Otherwise it would be big news by now..?
3: Seeker

Detail I thought I'd included, but on checking, seems not.

 

On reset, and reinstalling Protect, after running the check, the "threat" is gone. (I've unticked all the reinstall-stuff options on google) 

Then about 2 hrs later Protect finds it again, with no usage by me, at all.

17: Community Champion

@thesoupdragon  I Googled for a problem with that file and couldn't find one, so the file itself isn't a problem, though I think Protect is saying it's been infected by something else.  What's odd is that, as I understand it, the OP hasn't installed an F1 app, which implies the file is coming from somewhere else.  Even if it's a false positive, it doesn't explain how the file gets there - unless it isn't at all and Protect has completely lost its marbles (not completely unknown for an AV program...)

 

Two things, really. 1. Is the file there? 2. Can something like Avast find it and/or zap it?

 

@chocchipcooki  Before the thing came back, did you reinstall any apps?  I'm still wondering whether it's come from somewhere else.  If this was Windows, I'd say it was one of those nasties that have the survival ability of a cockroach, but Android is different and, afaik, a factory reset really does clear everything.

 

One thing you could do is to boot into recovery mode and reset again, adding the clear system cache option.   It's just possible that some kind of installer is lurking there.

17: Community Champion

@hyrm I'm wondering if this is simply one of those advertising redirect things that you get if you click on an in-app advert?

 

@chocchipcooki do you have a micro SD card inserted into the phone? If you do, the file could be stored on there?

 

3: Seeker

thanks guys.

1) ES File Explorer has found the vodafone/es/app/F1.apk
but will not delete it.
Oddly, if I touch F1.apk, it asks to install an app from a non-Google source. So I haven't done that!

 

NB F1 is NOT installed on the phone.

 

2) Trying a different tack, I still can't find the youmi/A!Gen file that supposedly has infected it.

/sdcard/Android only has "data" directory, no files.

 

3) I'm doing another factory reset.
V annoyed with this. I don't like having something that may be doing something to my phone.

 

17: Community Champion

Now you've found the file, can you make a cable connection to a pc and find it again from there.  I think we tried this before, but it may be show hidden and system files.  It may also be a long shot, but it's possible that a different OS/file system can delete it, or you may be able to change the attributes and unlock it.

 

I'm wondering whether the youmi file is in the system cache and I suspect you need to clear this as part of the reset process.  I referred to booting into Recovery Mode, but then remembered we weren't on the Samsung board and know if it's possible on a Huawei.

 

It's not uncommon for malware to install another file that reinstalls the program itself and to make this part of the system so that it's hard to get rid of.

 

Could you also give another AV app a go as well?

3: Seeker

I now think the dodgy F1.apk is there immediately after the reset.

The Youmi/A!Gen "cause" is not to be found.

 

I've tried clearing the cache at various times.

Avast didn't find anything.

I'm just running AVG now. Nothing to be found.

 

False positive. Looks like Vodafone standard installation.

 

Where can I put the Protect install file on my phone so I don't have to connect to Play?

Is there a file in a download folder?

17: Community Champion

@chocchipcooki wrote:

Where can I put the Protect install file on my phone so I don't have to connect to Play?

Is there a file in a download folder?


Not sure what you mean here...?

 

It looks to me as if the F1.apk is being installed along with the Vodafone protect App...?

What happens if you uninstall Vodafone Protect, does the F1.apk go as well?

17: Community Champion

I did a Google search for Youmi/A!Gen and eventually got to Youmi.A which is described as adware, which is rather what I suspected.   F1.apk seems to be the installer for the F1 Challenge game.  On balance, I think you've somehow got this (as part of another download/install??) and that it's installed itself as a system file, which is why you can't get rid of it.  I also think that the adserver stuff is built into it (and isn't located elsewhere), which is why Protect is picking it up.  It's not exactly a false positive, but the fact that Avast ignores it suggests that some signature files regard it as a threat and some don't.

 

On balance, as long as you don't execute the file, I think you're OK.  Do try having another go with the phone connected to a pc, showing system as well as hidden files.  If you find it, see if you can change the attributes (non-hidden, non-system) and if you can then delete it, either with the pc or with ES File Manager.

3: Seeker

F1 seems to be part of factory build.

It's there before Protect.
