The main signs that malicious behaviour is occurring in the system area are as follows:
- The multiple appearance of the same threats in the same areas, even after the anti-virus has removed them. Threats usually reappear after a device reset.
- Notifications in Dr.Web Security Auditor.
Due to the specific features of the Android OS, it's impossible to employ the standard features of ANY anti-virus to neutralise trojans in the system memory because, just like any other application, an anti-virus installed on a non-root device does not have administrative privileges: Dr.Web can detect malicious programs that get into the Android system directory, but it is not authorised to remove them. In addition, the quarantine option is not available for them (or for any other installed application).
To close firmware vulnerabilities and neutralise threats in /system, you can stop or disable some system applications. This will not eliminate a threat completely, but it will neutralise it until you can remove it permanently.
To stop an application: in the list of installed applications on the screen Settings → Applications, select the application that has been determined to be a threat and then on the screen containing the information about it, click on the Stop button.
This action will need to be repeated every time you restart the device.
Disable the application via the device settings: in the list of installed applications on the screen Settings→ Applications, select the application that has been determined to be a threat and then on the screen containing the information about it, click on the Disable button.
If your device is rooted (with superuser privileges that allow you to make any type of change you want, including to the firmware) and an application can be removed without disrupting device operation or cured, you will see the corresponding option in the anti-virus's interface.
With root access enabled, you can also try to remove malicious applications with the help of special third-party utilities.
In some cases, configuring root access may lead to the device manufacturer denying to provide you with warrantied maintenance.
If your device has custom firmware, you can restore the device manufacturer’s official software on your own or contact the service center. If you are using the device manufacturer’s official software, try to contact the manufacturer to get more information about this application.
If the manufacturer recommended that you update the firmware, before doing this, make a backup of all your user data and then do a reset to the factory settings.
To disable information about threats in system applications that cannot be removed without disrupting device operation, tick the System Applications box in the Settings section → General settings → Additional options.
We also recommend that you read the Anti-virus Times issue dedicated to this topic — System business. Please refer to the issue Firmly rooted to know how trojans can find their way into firmware.
