Banned Chinese Qvod Lives on in Malicious Fakes


Qvod used to be a popular video player and developer in China. Due to piracy allegations and a threatened fine, the company went out of business in 2014. In spite of this, we have recently seen a number of malicious fake versions of Qvod.

One common feature of these malicious apps is to disguise their own icons to appear as the Qvod player or to use pornographic icons to attract users to install them. These apps contain a variety of malicious behaviors, including collecting user information, sending SMS that deduct payments, blocking legitimate SMS, pushing other apps (including malicious apps), and forcing users to activate the device manager.

These malicious apps are found mainly through forums, illegal video sites, and IM groups. They carry app names such as “midnight Qvod player,” “16-year-old-girl night player,” “midnight video player,” and “adult theater player.”


Examples of malicious fake Qvod apps.

After the victim installs and runs one of these malicious apps, it forces the user to activate the device manager (the Android device administrator privilege). If the user attempts to cancel, the app occupies the entire screen, effectively requiring the user to activate the device manager. If the victim does not comply, they cannot use the phone. If the user does activate the device manager, the malware will respond to any attempt to delete the app by forcing a return to the home screen. Thus victims cannot follow the normal steps to uninstall the app.


Forcing the user to activate the device manager.

Next, the malware attempts to trick victims into paying while, in the background, it collects user information and uploads it to its server. It also downloads other apps and installs them.


Example of an automatic app download in the background.


How to uninstall

These malicious apps cannot be uninstalled by normal means. Use the following steps to regain control.

First, we need to prevent the malicious app from locking the screen during the uninstall operation.

Code to prevent locking the screen.

Then use the following method to place the deactivate device manager window on top.

Code to detect whether the device manager window is on top and to switch it to the top position.

Finally, you must switch the uninstall window to the top position to uninstall the app. You can also accomplish this step via the Android Debug Bridge utility, using the ADB uninstall command to remove the malicious app.

Code to switch the uninstall window to the top.

If you encounter a highly resistant variant of the malware, the preceding method may not work. You will have to restore the factory settings, or root the system, and then use ADB to connect to the phone and delete the malicious files.
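The same three steps driven over ADB, as an added example that is not code from the original post: stop the app so it cannot re-launch its full-screen lock-out, open the Security settings so the device manager can be deactivated, then hand the package to the uninstaller. The package name, the `${ADB}` variable and the `dumpsys device_policy` sample are constructed assumptions; the uninstall commands fail while the app is still an active device admin, which is why the settings step comes first.

```shell
#!/bin/sh
# Added example, not the post's own code. Assumes a device with USB debugging on.
ADB="${ADB:-adb}"

# Constructed sample in the shape of `adb shell dumpsys device_policy` output.
SAMPLE_DUMPSYS='Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.example.qvodfake/.AdminReceiver:
      uid=10123
      testOnlyAdmin=false
  Active Admin (User 0):
    none'

# Print the component name of every enabled device admin found in a dump.
active_admins() {
    # Component lines sit under the "Enabled Device Admins" header, are
    # indented four spaces, contain a '/', and end with ':'.
    printf '%s\n' "$1" | awk '
        /Enabled Device Admins/ { in_list = 1; next }
        in_list && /^  [^ ]/ { in_list = 0 }
        in_list && /^    [^ ].*\/.*:$/ { sub(/:$/, ""); sub(/^ +/, ""); print }'
}

# The package name is the part of the component before the '/'.
admin_package() { printf '%s\n' "${1%%/*}"; }

# Build the command sequence for one package, mirroring the post's steps:
# 1. force-stop so the app cannot keep re-launching its full-screen activity,
# 2. open Security settings so the user can deactivate the device admin,
# 3. hand the package to the system uninstaller, then fall back to adb uninstall.
cleanup_plan() {
    pkg="$1"
    printf '%s\n' \
        "$ADB shell am force-stop $pkg" \
        "$ADB shell am start -a android.settings.SECURITY_SETTINGS" \
        "$ADB shell am start -a android.intent.action.DELETE -d package:$pkg" \
        "$ADB uninstall $pkg"
}

# Run the plan for every active admin on the connected device (--run only).
run_cleanup() {
    dump=$("$ADB" shell dumpsys device_policy) || return 1
    active_admins "$dump" | while read -r comp; do
        cleanup_plan "$(admin_package "$comp")" | while read -r cmd; do
            echo "+ $cmd"
            sh -c "$cmd" || echo "failed: deactivate the device admin first"
        done
    done
}

if [ "${1:-}" = "--run" ]; then run_cleanup; fi
```

Highly resistant variants that re-assert the lock faster than the settings screen can be used still need the factory-reset or root-and-ADB route described above.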

McAfee Mobile Security detects this threat as Android/KboVedio and prevents mobile users from downloading this app.
