Malware warning on my phone (mirai-gx)

Submitted ⁨⁨6⁩ ⁨days⁩ ago⁩ by ⁨joulethief@discuss.tchncs.de⁩ to ⁨cybersecurity@infosec.pub⁩

Hey there, not entirely sure where to post this, hope it fits.

This morning, for the first time ever, my phone (a Huawei P20) showed a malware warning to me. The app ‘Idealo’, a german portal for price comparison, was supposed to be infected with ‘mirai-gx’. I tapped uninstall and began researching.

I consider myself very tech- and IT-savvy, but I lack deeper knowledge of malware.

Apparently, mirai was (is) a worm that primarily infects IoT devices to join them into a bot net. The BSI (german authority for cyber security) states that it resides in volatily memory only, so that a reboot should suffice to get rid of it.

The warning was issued by Huawei’s UI ‘MIUI’ as far as I can tell, not Play Services. I am aware that the latest security patch for my phone is from 2022, I just couldn’t afford to buy a new one up until now.

Some questions that arise:

(1) How can I trust that the information presented by my phones notification is correct? I mean, how would an IoT worm infect an app that was downloaded from the Google Play Store, is that even possible without root access to the phone or accessing the developers Play Store account?

(3) Right now, I’m combing through recent DNS queries in my PiHole log that originated from my phone. How can I tell regular queries from those of a bot net?

(4) What does the -gx suffix even mean? Information on this is very scarce.

(5) Just how bad of an idea is it to use a phone that has already gone two years without patches?

source

Comments

Sort:hotnew top

skullgiver@popplesburger.hilciferous.nl ⁨5⁩ ⁨days⁩ ago
Standard Mirai wil target devices like routers and cameras. It won’t infect phones. If someone took Mirai and packaged it into an Android app (either because you downloaded a scam app or because the supply chain for the app was compromised), the Android sandbox should protect your phone. If all is well, removing the app should be enough to clear the infection. If that doesn’t work, the malware obtained root credentials and cleaning it will require a factory reset or even a factory reset + complete reinstallation of the system (basically, useless unless you’re knowledgeable in Android modding).

My recommendation would be scanning the phone using a bunch of antivirus tools (starting with Google’s and MIUI’s) to see if the infection is still there. If you don’t trust it, back up the phone and factory reset it. Be especially wary of banking apps, logging in to important websites through browsers, and any government ID apps you may use. As always, SMS 2FA should also be treated with caution.

As for your questions:

Notifications can be faked. Hold the notification and click the settings icon to go to the app’s settings, that can’t be faked. If it brings you to a system package, it’s probably legit. Several Chinese smartphone companies have malware scanning from companies like Avast integrated into them.

It’s possible that the notification was a false positive. Virus scanners can be wrong sometimes. Try scanning your phone with Google’s antivirus or any other reputable antivirus app on Google Play.

It happens quite often that some malware company sells “advertising” to a small app which actually contains malware. Or a dependency of the Android app got compromised. Google Play’s malware scanning doesn’t catch all malware, unfortunately.

An app that was not packaged with your phone cannot infect another without root access. However, malware can exploit unpatched vulnerabilities in your phone to gain root access, so if you haven’t downloaded any OS security updates the past 2-3 months, there’s a good chance your phone is quite easy to get root access on if a hacker knows about it.

Given that Huawei has been banned from Google Play for longer than they normally serve security updates for their phones, my guess is that you’re probably quite behind. Last security update I can find for your phone was 2.5 years ago. You may be able to find custom ROMs to install on your phone that are more up to date in regards to security stuff (though those bring their own risks, of course).

Hard to say. Mirai also works with plain IP addresses so if this mirai-gx is the same, you may not see any evidence of it in your DNS logs. Or it could just hard-code a DNS-server, that’d also hide the DNS traffic from pihole.

It’s a name chosen by an antivirus company. There’s usually no explaining those. From what I can find online, it’s a dropper binary that will download other malware, rather than the normal Mirai, but there’s not a lot to be found about it online.

No problem at all if you don’t get infected. Not a problem at all if you don’t do anything important with it. Probably fine if you reset the phone and the infection clears. Life-changing if you get infected and hackers start opening bank accounts using information from your email accounts to launder money through phone scams.
source
RVGamer06@sh.itjust.works ⁨5⁩ ⁨days⁩ ago
Have you determined what package did the malware notification come from? And what is the engine they use for scanning?

source
- joulethief@discuss.tchncs.de ⁨5⁩ ⁨days⁩ ago
  It was certainly the Huawei System UI. How do I tell which engine they’re using?
  
  source
  - RVGamer06@sh.itjust.works ⁨5⁩ ⁨days⁩ ago
    There must be some clue, but i don’t know how to find them without seeing the screen.
    
    source
    -> View More Comments
HaleHirsute@infosec.pub ⁨5⁩ ⁨days⁩ ago
Why don’t you / can’t you patch the phone?

source
- skullgiver@popplesburger.hilciferous.nl ⁨5⁩ ⁨days⁩ ago
  OP stated they use a Huawei P20. From what I can tell online, that hasn’t been officially supported since 2020. The list of currently supported Huawei devices doesn’t list any P20 models either.
  
  source
  - HaleHirsute@infosec.pub ⁨5⁩ ⁨days⁩ ago
    Ah yeah, that’ll do it.
    
    source
- joulethief@discuss.tchncs.de ⁨5⁩ ⁨days⁩ ago
  Can you? I wasn’t aware of that
  
  source