Banned Chinese Qvod Lives on in Malicious Fakes
Qvod used to be a popular video player and developer in China. Due to piracy allegations and a threatened fine, the company went out of business in 2014. In spite of this, we have recently seen a number of malicious fake versions of Qvod.
One common feature of these malicious apps is to disguise their own icons to appear as the Qvod player or to use pornographic icons to attract users to install them. These apps contain a variety of malicious behaviors, including collecting user information, sending SMS that deduct payments, blocking legitimate SMS, pushing other apps (including malicious apps), and forcing users to activate the device manager.
These malicious apps are found mainly through forums, illegal video sites, and IM groups. They carry app names such as “midnight Qvod player,” “16-year-old-girl night player,” “midnight video player,” and “adult theater player.”
Examples of malicious fake Qvod apps.
After the victim installs and runs one of these malicious apps, it forces the user to activate the device manager. If the user attempts to cancel, the app occupies the entire screen, effectively requiring the user to activate the device manager. If the victim does not comply, they cannot use the phone. If the user does activate the device manager, the malware will respond to any attempt to delete the app by forcing a return to the desktop. Thus victims cannot follow the normal steps to uninstall the app.
Forcing the user to activate the device manager.
Next the malware attempts to trick victims to pay while in the background collecting user information and upload it to the server. It also downloads other apps and install them.
Example of an automatic app download in the background.
How to uninstall
These malicious apps cannot be uninstalled by normal means. Use the following steps to regain control.
First, we need to prevent the malicious app from locking the screen during the uninstall operation.
Code to prevent locking the screen.
Then use the following method to place the deactivate device manager window on top.
Code to detect whether the device manger window is on top and to switch it to the top position.
Finally, you must switch the uninstall window to the top position to uninstall the app. You can also accomplish this step via the Android Debug Bridge utility, using the ADB uninstall command to remove the malicious app.
Code to switch the uninstall window to the top.
If you encounter a highly resistant variant of the malware, the preceding method may not work. You will have to restore the factory settings, or root the system, and then use ADB to connect to the phone and delete the malicious files.
McAfee Mobile Security detects this threat as Android/KboVedio and prevents mobile users from downloading this app.