Перейти к содержимому


Фото
- - - - -

What does AV threat alert "read-only.area.change.thread" mean?


  • Please log in to reply
5 ответов в этой теме

#1 cyberluddite

cyberluddite

    Newbie

  • Posters
  • 4 Сообщений:

Отправлено 11 Июль 2018 - 21:57

I'm seeing a really unusual threat alert pop up, "read-only.area.change.thread", that began after the most recent Dr. Web for Android update (two days ago).  It's accompanied by the location "com.google.android.apps.docs", and Dr.Web flagged it on my Notifications bar when I disabled/factory-reset the Google Drive and YouTube apps.

 

This doesn't happen when I completely uninstall anything, like Bejeweled or even Yandex Browser and AdGuard, only the root-installed apps (Drive and YouTube being the ones I've tested so far, but I'll be happy to throw others at this to see what happens.)

 

Specs:

 

Phone: Samsung Moto e4 (2017) 8GB

OS: Android 7.1.1
AV: Dr. Web for Android (subscription purchased from Google Play in March 2018)

 

Apps Disabled (Root-Installed): Amazon, Amazon Kindle, Amazon Music, Audible, Caller ID, Google Chrome, Cloud Print, Google Drive, Duo, Facebook (plus Facebook Apps Installer, Facebook App Manager), FM Radio, Gadget Guardian, Gmail, Google App, Instagram, Facebook Messenger, Google Photos, Prime Photos, Prime Video, YouTube.

 

I understand that it's a UI/non-UI thread switching issue, and since it only involves root-level apps the issue seems to be on Google's end.  My question is: can someone please clarify what the virus threat "read-only.area.change.thread / com.google.android.apps.docs" means?  I can work on a solution from there, but I've never seen this one before so I don't want to break my phone trying to fix something that may not be broken in the first place.

 

Thanks for your help, hope you have a great weekend!


I began flying my freak flag with pride, once I realized nobody else was insured for the shenanigans I'm capable of.


#2 Whispersmith

Whispersmith

    Guru

  • Dr.Web Staff
  • 3 143 Сообщений:

Отправлено 12 Июль 2018 - 19:31

cyberluddite, hello!

This warning "read-only.area.change.thread" means that you have some changes in your system area. You wrote that you have done factory-reset of the Google Drive so I suppose the antivirus's alert was about it. We have the white list of application that our application doesn't detect, maybe this application isn't in it. So you could send this file to our laboratory to check the detection. After checkup you will know if it is a threat or not.



#3 cyberluddite

cyberluddite

    Newbie

  • Posters
  • 4 Сообщений:

Отправлено 14 Июль 2018 - 00:40

@Whispersmith, hello!

 

Thanks for getting back to me on the matter, I've managed to replicate the issue.  Here's the steps to trigger the alert with the YouTube app:

 

1) Turn on smartphone's Wi-Fi feature.

2) Go to Android Settings > Apps > YouTube > Enable (this can be done with or without Wi-Fi).

3) Go to Google Play > My Apps and Games > Update "YouTube app" (primarily done with Wi-Fi due to date plan limitations).

4) Wait for Dr. Web scan to finish with "No threat detected."

5) [you can open the YouTube app or not, it happens either way.]

6) Go back to Android Settings > Apps > YouTube > Disable > "Ok" > "Factory reset?" > Yes.

7) About 5-7 seconds later, get Dr. Web notification: "read-only.area.change.thread" / "com.google.android.youtube"

 

Pressing the three-dot icon on the right-side of the "Threats" screen presents "read-only.area.change.thread" with options "delete" and "ignore".  Choosing "delete" causes the usual popup question "Do you wish to uninstall this app? Cancel / OK".  Choosing "OK" results in "Uninstall unsuccessful."  (This is expected, as the YouTube app is root-installed.)  Hitting "OK" at the bottom of the screen closes the window with a sound like "bow-wshh".

 

When you follow the same basic steps with the Google Drive app, you get "read-only.area.change.thread" / "com.google.android.apps.docs". Following the same procedures for removal result in the same response.

 

Google Duo app: "read-only.area.change.thread" / "com.google.android.apps.tachyon"

Gmail: doesn't happen

Google app: "read-only.area.change.thread" / "com.google.android.googlequicksearchbox"

 

I've tried it with the apps that don't have a factory-reset option, like Amazon, and they don't trigger a warning.  These results are not dependent on clearing cache and app data, and they don't require opening the app after enable and update.  I didn't try it with the Chrome or Facebook apps, because they're not secure at all.

 

You inquired about sending the files to your laboratory for detection purposes.  I need to figure out how to do that safely, short of actually sending my phone, since Google stopped allowing users in 2016 to get root-level access to Android OS without bricking the entire phone.  Otherwise, all I can tell you for certain is that thanks to Dr.Web, I've seen how badly infected Google's servers are.  I was getting notifications like crazy when wandering around Help Forum and G+; it may have been a factor in Google's "cypher_mismatch" partial outage error on June 26th.

 

I realize that last part's hypothetical diagnostics, but I figure it might help figure out where the issue's coming from.  Thanks for your patience, and I apologize for the long reply but again I'm not sure how to send the files if getting access to them will kill my phone.  I'm open to suggestions.


I began flying my freak flag with pride, once I realized nobody else was insured for the shenanigans I'm capable of.


#4 cyberluddite

cyberluddite

    Newbie

  • Posters
  • 4 Сообщений:

Отправлено 16 Июль 2018 - 19:12

UPDATE (July 16, 2018)

 

As per Whispersmith's recommendations, I'm going to see if I can quarantine the bugs instead of automatically deleting them.

 

Once again, emulating my forum user handle.  :facepalm:  Thanks for your patience in the meantime.


I began flying my freak flag with pride, once I realized nobody else was insured for the shenanigans I'm capable of.


#5 Whispersmith

Whispersmith

    Guru

  • Dr.Web Staff
  • 3 143 Сообщений:

Отправлено 17 Июль 2018 - 14:00

cyberluddite, sorry for the delay. I reproduced your problem. It is our misunderstanding of some of the processes of working with preinstalled applications. So we will fix it and I think it will be ok in the next version of our application. 

Also if you want you can send the apk files to our Laboratory from the Custom scan. You should open the Custom scan, find the apk-file in /system/data/youtube. Tap and hold the apk-file then tap Send to laboratory. In the next screen, enter your email address if you want to receive the results of the file analysis. Select a category for your request: Suspicious file.

Thank you for your very detailed information about your problem.



#6 cyberluddite

cyberluddite

    Newbie

  • Posters
  • 4 Сообщений:

Отправлено 31 Июль 2018 - 19:09

Whispersmith,

 

No problem, life's been keeping me busy here too.  Glad to hear I didn't press the wrong button again...  :P  Just a heads-up: since the update after my last reply, they now flag as "read-only.area.change.threat" (typo was corrected, I guess?)

 

Now that I know how to send the apk files to you, I'll get started on it.  Thank you again for your time and attention on the matter, have a great rest of the week!


I began flying my freak flag with pride, once I realized nobody else was insured for the shenanigans I'm capable of.



Читают тему: 0

0 пользователей, 0 гостей, 0 скрытых