6 Dec 2019
How do I stop a hack that turns on "Do Not Disturb"? A phone reset is required to fix.
This question is locked and replying has been disabled.
14 Dec 2019
I can now report the solution. Kaspersky Labs advised me to install the AIDA64 app and run it to create a report on the status of my phone. I forwarded this to them and they analysed. They then advised that the malware was embedded in the firmware of the phone and to flash the phone with new firmware (what I suspected all along). Visited the Oukitel web site and found new firmware being offered. Found here: http://oukitel.com/latest-software-rom-for-all-oukitel-smartphones-142.html
With new firmware now flashed the problem is gone.
Note. The instructions for flashing supplied by Oukitel did not work for me. A simpler method is detailed here: https://www.ytechb.com/sp-flash-tool-download/
Clearly the flashing files supplied by Oukitel were used with this better method.
My phone is an Oukitel C8 4G.
This may help Phillip and others. Thanks to Penelope for her effort.
Last edited 15 Dec 2019
The original poster, David Chambers 8089, marked this as an answer
8 Dec 2019
Hi David. Something you have installed or a website you've visited/email link you've clicked has installed a Trojan(s) on your device as there's no other way for such things to get into your device.
Firstly I would factory reset once again (disconnect from the Internet) but without installing anything other than the preinstalled apps when you've done and, of course, don't restore from a backup. (Run for as long as practical with only the basics installed to check all is well).
You should then secure your Google A/c: https://support.google.com/accounts/answer/6294825?hl=en
You should also check any/all other devices that are sync'd to your 'phone (on the same network) as if one is infected then all may be so.
Check the bona fides of all third-party apps you install as even those on the Play Store are vulnerable despite the system's best endeavours.
I'm sorry not to be able to pinpoint precisely what is causing your malware infestation as, touch wood, I've never experienced anything like this myself. I would just add that I don't have any anti-virus or anti-malware apps installed on my 'phone and only Windows Defender on my PC - I did pick up a Trojan once on Windows 95 but nothing since.
Regards, Penny
EDIT: The article here seems to contain some useful advice (it's a secure site - I checked) https://www.digitaltrends.com/mobile/how-to-remove-malware-from-your-android-phone/
Last edited 8 Dec 2019
The original poster, David Chambers 8089, marked this as an answer
7 Dec 2019
If using a secure browser but think it's being "hi-jacked" by other than a rogue app, please contact the browser's developer. If using the Chrome browser, please leave feedback from within the app.
If you are using only pre-installed apps, contact your device manufacturer to report the problem.
Please check online for information on how to keep your account and devices secure and never share your personal information or devices with anyone.
If factory resetting, starting again as new and using a secure browser, you should not be running into the problems you describe.
Penny.
The original poster, David Chambers 8089, marked this as an answer
All replies (12)
6 Dec 2019
Hi David. When factory resetting to solve a problem, it is best to do so without restoring from a backup or reinstalling your third-party apps straight away in order to give the 'phone a fresh start. If you do reinstall your third-party apps and one or more of them is the culprit, you will simply have reintroduced the problem that will reappear as soon as the misbehaving app restarts.
Regards, Penny
7 Dec 2019
Last edited 7 Dec 2019
8 Dec 2019
Hi Penelope, I really appreciate your informed input. It does seem that I have most covered. The only apps added are from the Play Store. Namely Outlook (MS), Your Phone (MS) and You Version Bible app. The latter is the only possible suspect, however the problem presented well before installing it. I checked the Kaspersky quarantine, it is revealing. With a Scan on 5th December it quarantined five problems. I note that I have scanned before and the problems soon return. This would indicate to me that the secure browser and Kaspersky Internet Security are being bypassed. I list the quarantined items:
1. Trojan-downloader.AndroidOS.Agent.hy (Android folder)
2. Trojan-downloader.AndroidOS.Agent.ik (Android folder)
3. Trojan-downloader.AndroidOS.Agent.ik (Tencent folder)
4. Trojan.AndroidOS.MobOk.i (Tencent folder)
5. AdWare.AndroidOS.Magic.a (Tencent folder)
I have never been anywhere near the Tencent web sites. Items 1 & 2 are in a path: /storage/emulated/0/Android/data/com.mediatek.factory mode/files/syspatch/.pl
This path name may be a clue to the message "Factory test has failed"
My friend that had the same problem had the exact same phone as previously detailed. He now has another phone and has not seen the problem. Raising the prospect of a vulnerable phone or Android 7 version.
Three unusual folders have been created. Tencents plus two others with odd naming (each of the two containing a folder: com.mediatek.factory mode). I cannot remember the odd naming because I deleted all three folders. Odd naming like XYZT.
Remember that I do not visit web sites, the Internet connection is for Android/Google updates and emails.
Does this reveal insights for you?
Last edited 8 Dec 2019
9 Dec 2019
Hi Penelope, Many thanks again. This is indeed a very elusive problem. I was not linked to any other device and as already advised no really suspect apps installed. Instead of another factory reset and the inconveniences involved I uninstalled all added apps, i.e. Outlook, Your Phone and Bible. Scanned with Kaspersky and no issues found. I also deleted a remaining odd named folder. Then re-connected to the Internet and no problem was evident. Left connected to the Internet overnight. Next morning the problem was back, with message FactoryTest isn't responding (correct detail this time) with options Close app and Wait, plus invading web page. A Kaspersky scan quarantined two trojan entries
Both being Trojan-Downloader.AndroidOS.Helper.a
One in Tencents folder, the other in: com.mediatek.factorymode
New folders have been created
1. =1 "?K? (the odd named folder last deleted has returned)
2. com.mediatek.factory mode
3. Tencents
4. xxo
5. zmg
All previously deleted. So just leaving a connection overnight enabled all this installation!!!
Follows my initial impression that all that is needed is an Internet connection. This time the Browser the one that is part of Android 7. Same result as with Chrome and Edge.
So I start with no additional apps, remove all trojans, delete all suspect folders. All OK for a period then back it comes!!!
I was going to progress forward step by step installing an app at a time to try and isolate, but decided to see if just a simple connection to the Internet was an issue. It proved to be so !!!
Whilst writing this I left the phone connected and the two trojan entries were re-established following the quarantine of the previous two. This will certainly continue with the contents of the new folders not deleted.
Need to have a long consideration what action to now take.
9 Dec 2019
Hi Penelope.
Best if I continue on investigating. You need not contribute for now. The possibility the problem is related to the phone model has increased. The mediatek.factorymode folder looks like it is related to the Mediatek chipset. Maybe a bug related to the chipset that enables a download that includes a trojan. It is certainly something that Kaspersky cannot stop, best action being to quarantine, then only during a scan. Now checking with Kaspersky support.
Clearly I have to disable Internet connection and use the phone purely as a phone.
When something useful and identified is found I will post.
Listing the problems encountered, suspect number one occurs first.
1. Unexplained message FactoryTest not responding (Mediatek related)
2. Unsolicited games pages appear. (Tencent related)
3. Message card full, please delete messages. This occurs even with no stored messages.
4. 5 unwanted folders created in storage.
5. Enables Do Not Disturb. Blocking calls. If manually disabled it will again enable.
Thanks for your inputs to date.
Last edited 9 Dec 2019
10 Dec 2019
Hi Phillip. Please follow the advice given earlier in this thread or visit the Google Accounts Help Centre/Community Forum as we can't deal with individual accounts issues here.
Regards, Penny
Last edited 10 Dec 2019
27 Dec 2019