Software runs my life

Remove Adware infected YouTube App

I recently bought Xiaomi Redmi Note 2 and Note 3 phones off Lazada in Singapore. Both times the standard ROM was installed, but some modifications had been made. The phones were rooted and some apps had been installed (Kingroot, Google Play Services etc.). The most annoying part, however, was that if Chrome hadn’t been used for ~10 minutes and you opened it, it would open a popup with a full-screen advertisement. I started researching how to remove this annoying adware.

I found one really good article which detailed the debugging process. There are a few pre-steps however:

  1. Root the phone
  2. Install ADB tools on your computer
  3. Plug in the phone via a USB cable

As per the article above, you can then use the ADB logcat to debug what’s going on. Do the following steps from a terminal prompt on your computer:

  1. adb logcat > log.txt
  2. Open Chrome on your Android phone, wait for the ads to load. Take note of the Ad URL that loads (there might be a couple, so try and get the first one)
  3. Ctrl+C to kill logcat
  4. Open the log.txt file in a text editor and search for the URL you noted in step #2

My Ad spam URL was “ymtracking.com” and so I searched for that in log.txt. It came up with this line:

I/ActivityManager(  808): START u0 {act=android.intent.action.VIEW dat=http://global.ymtracking.com/trace?offer_id=111090&aff_id=27742 flg=0x10000000 cmp=com.android.chrome/com.google.android.apps.chrome.Main} from uid 10035 on display 0

This line tells me that a process running under UID 10035 is calling the ad URL. Time to hunt and kill that UID!

  1. adb -d shell
  2. su

Then you need to view the file /data/system/packages.xml. The Xiaomi phones don’t seem to have vi installed as a text editor, so move it to /sdcard/ to download it to your computer, or open it on the phone itself in the browser. Look for the package line that matches the UID you found earlier (10035):

<package name="<<PACKAGE NAME>>" codePath="<<DIR>>" sharedUserId="10035">
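The two lookups above (the launching UID in log.txt, then the matching entry in packages.xml) can be scripted once both files are on your computer. This is an added example, not code from the original post: the function names are hypothetical, and the second and third log lines, both package names and the second package entry are constructed sample data.

```python
import re
import xml.etree.ElementTree as ET

# ActivityManager START line for a VIEW intent, same shape as the line quoted in the post.
START_RE = re.compile(
    r"ActivityManager\(\s*\d+\): START u\d+ \{act=android\.intent\.action\.VIEW "
    r"dat=(?P<url>\S+) .*?cmp=(?P<cmp>[^}\s]+)\} from uid (?P<uid>\d+)")

def find_launchers(log_text, domain):
    """Return (uid, url) for each VIEW intent whose URL host is domain or a subdomain."""
    hits = []
    for line in log_text.splitlines():
        m = START_RE.search(line)
        if not m:
            continue
        host = re.sub(r"^\w+://", "", m["url"]).split("/")[0].split(":")[0]
        # Match on a label boundary so "tracking.com" does not match "ymtracking.com".
        if host == domain or host.endswith("." + domain):
            hits.append((int(m["uid"]), m["url"]))
    return hits

def packages_for_uid(packages_xml, uid):
    """Return (name, codePath) of every <package> registered under the given UID."""
    out = []
    for pkg in ET.fromstring(packages_xml).iter("package"):
        # A package carries its numeric UID in userId or, if shared, in sharedUserId.
        if str(uid) in (pkg.get("userId"), pkg.get("sharedUserId")):
            out.append((pkg.get("name"), pkg.get("codePath")))
    return out

# Sample data: the first log line is the one from the post; everything else is
# constructed, including the package names (the post does not give the real one).
SAMPLE_LOG = """\
I/ActivityManager(  808): START u0 {act=android.intent.action.VIEW dat=http://global.ymtracking.com/trace?offer_id=111090&aff_id=27742 flg=0x10000000 cmp=com.android.chrome/com.google.android.apps.chrome.Main} from uid 10035 on display 0
I/ActivityManager(  808): START u0 {act=android.intent.action.VIEW dat=https://example.org/ flg=0x10000000 cmp=com.android.chrome/com.google.android.apps.chrome.Main} from uid 10036 on display 0
D/dalvikvm( 1234): GC_CONCURRENT freed 1024K
"""
SAMPLE_PACKAGES = """\
<packages>
  <package name="com.example.preloaded" codePath="/system/priv-app/Youtube" sharedUserId="10035" />
  <package name="com.example.other" codePath="/data/app/com.example.other-1" userId="10036" />
</packages>
"""

if __name__ == "__main__":
    for uid, url in find_launchers(SAMPLE_LOG, "ymtracking.com"):
        print(uid, url, packages_for_uid(SAMPLE_PACKAGES, uid))
```

A shared UID can map to more than one package, so review every entry the second function returns before deciding which one launched the ad.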

Now you know the package name and the location. Normally you could enter the following command from the ADB shell as su “pm disable <<PACKAGE NAME>>”, but when I tried that it was not allowed (read only). Trying to reinstall the package didn’t work either. I found I had to actually use the code path and delete the .apk file itself:

  1. cd /system/priv-app/Youtube (what you had as <<DIR>> above)
  2. mount -o remount,rw -t yaffs2 /dev/block/mtdblock3 /system
  3. rm -rf Youtube.apk

That was it! Reboot the phone and the ads are gone. You can then use the Play Store to install YouTube as normal, from the official source.


1 Comment

  1. Dave

    I got the same irritating malware on the YouTube app built into a Leagoo M5 phone I bought from AliExpress from Store name: Shenzhen ValueDeal.

    My advice: don’t buy the absolute cheapest, it’s not worth the few saved dollars. And also make sure the seller is listed on the manufacturer’s site as official channels.
