Trojan detected ELF:BitCoinMiner-H

I just did a scan on my Android phone, an HTC One, and it came up that it has detected a trojan, ELF:BitCoinMiner-H [Trj]. I can’t see exactly where the file is, but what Avast does show is this: /storage/emulated/0/Download/OTA_M7_UL_JB_50_Vodafone_UK_1… that’s all I can see. Is this likely to be a threat which I need to get removed, or could it be a false positive? I don’t want to delete the file if it ends up being something I need on my phone.

Thanks

I’ve managed to find the whole location.

/storage/emulated/0/Download/OTA_M7_UL_JB_50_Vodafone_UK_1.29.161.11-1.7_release_315813_signedoj2qp335qmm8qjso.zip

Hi anthonykeithnorth,

Cryptocurrency mining malware just tries to get in via a default combination of login and password. Our advice is to always change the default login and password set by manufacturers as soon as you start using your device. Furthermore, it is also necessary to periodically update the software running on your devices whenever this process is not automated. Info credit and quote from AVG Virus Lab's Hynek Blinka.
So take that advice from Hynek Blinka to heart. The malware at hand is a so-called PUP, a potentially unsafe program. When login and password have been changed, you will be safe to go.

polonus

For the download IP (Cloudflare), IP badness history:
https://www.virustotal.com/nl/ip-address/104.28.4.8/information/

VT scan gives no results: https://www.virustotal.com/nl/url/2a891e73138d1c3370db8b276080da62698b94174e3b4453ba1ccff3899185c4/analysis/1412290629/

HTTP Response headers
expires: Sat, 01 Nov 2014 22:57:14 GMT
x-powered-by: PHP/5.4.19
set-cookie: __cfduid=d901263ef7dc37cf6145a4004f08c936a1412290629529; expires=Mon, 23-Dec-2019 23:50:00 GMT; path=/; domain=.htc1guru.com *; HttpOnly
x-google-cache-control: remote-fetch
server: cloudflare-nginx
connection: keep-alive
via: HTTP/1.1 GWA
x-cf-powered-by: WP 1.3.14
cache-control: max-age=2592000

For the download link you provided, there is a somewhat longer run-time of the code here:
ajax.googleapis.com/ajax/libs/webfont/1/webfont.js benign
[nothing detected] (element) ajax.googleapis.com/ajax/libs/webfont/1/webfont.js
status: (referer=www.htc1guru.com/dld/m7_50_1-29-161-11-1-28-161-7_315813_signedoj2qp335qmm8qjso-zip/)saved 17380 bytes 45b3a11f70e46248a30471795ab43861e98b48e7
info: [decodingLevel=0] found JavaScript
suspicious: see: http://jsunpack.jeek.org/?report=3c664350a5b44c8536b6d9fd1e1a91a7a21306d7 *

  • above link provided for security researchers only, open up with NoScript active and in a VM

polonus

"I just did a scan on my android phone, ..."
You are posting in the wrong forum section. Avast Mobile Security is here: https://forum.avast.com/index.php?board=37.0