TimeLine . Notes

Preinfected Haier G7s Phone


TL;DR - Never assume your phone is clean!



Bought a Haier G7s phone from L'Eclerc in Poitiers.
Cost 149 Euros with two year guarantee.

Haeir G7s Reciept

I wanted something secure so chose a phone with a fingerprint scanner and a version of Android that is encrypted by default.
The box has a seal saying not to accept if broken , I cut the seal when opening , it had not been tampered with.


Performed Haier Firmware Update dated 2017-09-01

Haier Update date 2017-09-01

"So as not to cause the upgrade failed" - Chinese English!

Haier Update Completed


After three months I became suspicious of my data plan constantly going over 50 Mb per month so I start looking for answers.
I found an unknown Panna app ( Android/com.vsen.assault ) with full access to Contacts , Storage and Telephone.

First Malware found

Search internet for Panna (com.vsen.assault)
Uninstall Panna app , no idea where this has come from , I only use Google Play Store.


Install MalwareBytes , scan phone , discover Android/PUP.Riskpay.Excel.lib.kxqp malware in the 2Accounts System app.

Malware found in the preinstalled 2Accounts app

I am unable to remove it as it is a System app and I don't have root access , so I do what I can and disable it thinking this would be enough.
2Accounts app has access to Body Sensors , Calendar , Camera , Contacts , Location , Microphone , Phone , SMS and Storage.

2Accounts app Permissions

Tweet at @HaierEurope and @leclercbonplan about infected Haier G7s phone - no response.

No response from Haier or L'Eclerc via Twitter


Perform another MalwareBytes scan , another piece of malware is now installed called launcher ( Android/ ).

Another piece of malware , this one is called launcher

Launcher has access to Contacts , Location , Storage , Telephone.

Launcher has access to Contacts , Location , Storage , Telephone

Uninstall app.


Screenshot shows that Panna app (Android/com.vsen.assault ) is back and is running.

Screenshot shows that Panna app (Android/com.vsen.assault ) is back and is running

Uninstall app.


Another MalwareBytes scan turns up another piece of malware - mexu ( Android/Trojan.HiddenAds.GU )


I leave mexu running for a couple of weeks to see what will happen.

Another piece of malware - mexu

mexu has access to Contacts , Storage , Telephone.

mexu has access to Contacts , Storage , Telephone

mexu also has access to a load of other permissions.

mexu also has access to a load of other permissions

Uninstall app.


I wanted a secure phone but this infected device is too dangerous to use.
Perform a factory reset but leave it running and connected to WiFi.
For daily use I switch back to my old Samsung S2.


Install Norton Mobile Security app , Scan finds confirmation that 2Accounts app is malware , reports "This is a system app and cannot be removed or disabled"
2Accounts app also named Android/AdDisplay.RecmAds.F (Variant).
Install Kaspersky Internet Security app , Scan finds AdWare.AndroidOS.Ocikq.a adware installed as a system app.


I check for a Haier system update to remove malware - nothing. Latest version is 20180822.


Phone is left powered on but unused.
Perform another MalwareBytes scan as it seems most effective.
Discover another piece of malware called Medias ( Android/Trojan.Hiddad.JB )


Start getting buzzing notifications and new icons appearing on the phone.
Perform another MalwareBytes scan.
Discover another piece of malware called Devices ( com.whist.blowe )
Devices has access to Contacts , Location , Storage , Telephone.
Devices has used 35 Mb of data in two days.
Kasperksy names Devices as
Discover another piece of malware called medias ( com.ressor.swing )
medias has access to Contacts , Storage , Telephone.
Discover another piece of malware called Medias ( com.rupture.crack )
medias has access to Contacts , Location , Storage , Telephone.
So three pieces of malware at once now - Devices , medias , Medias!


Getting full-screen adverts for games , notifications.
Malware is constantly running.


Phone has used almost 3 Gb of data since factory reset , over 200 Mb per day.


Browser opens on its own , takes you to unknown sites like (Sport) , (Financial Management)


Cycle up to Poitiers with the follow explanatory letter , visit three separate Phone Shops.
1. Phone Shop , 125 Boulevard du Grand Cerf , Poitiers.
2. Docteur IT , 3 Rue de la Regratterie , Poitiers.
3. Docteur IT , La Galerie , Geant Beaulieu , Poitiers.
None were willing to write a confirmation to the solicitor to confirm phone was infected by system installed malware.

Dear Sir / Madam, Using MalwareBytes and other malware scanner software I believe this phone is infected with Android/PUP.Riskpay.Excel.lib.kxqp in the System App 2Accounts.
I would like you to confirm this.
I would also like you to confirm (if possible) that the user does not have root access and that the bootloader is unchanged.
This confirmation proves that I would not be able to install or tamper with the 2Accounts app to the System area of the phone.

We do not want it repaired.
Your confirmation of factory installed malware will be given to our lawyer in a possible legal case against l'Eclerc / Haier.
The phone has been factory-reset / wiped and contains no personal data , you may factory-reset it as you see fit.
Once connected to the internet the pre-installed malware will download more malware.
Be careful with other phones and devices on any network this phone is connected to , I do not know the capability of the pre-installed malware.

Update - 2018-05-14
I checked the phone again using MalwareBytes.
It now has three extra peices of malware installed.
* Medias - com.rupture.crack , Android/Trojan.Hiddad.JB , used 85 Mb of data in 6 weeks.
* medias - com.ressor.swing , used 209 Mb of data in 3 days
* Devices - com.whist.blowe , used 35 Mb of data in two days.

The chrome browser is randomly opening and taking me to websites , showing adverts.

Disappointed by the lack of local backbone , I turn to MalwareBytes via Twitter and put in a support request.


2Accounts app , even though it is disabled has used over 3 Gb of data.

Results of MalwareBytes Scan , sent to them via email on 2018-06-15


Device: Haier, HM-I560-FL
OS: Android 6.0 [23]
Build: Android - release, [3284]
Root: No

Total Physical Memory: 1992952 kb
Free Memory: 1216876 kb

Machine: dd505074c7ab607b
Inst. Token: YJ2HFyssz_nam25J3Znm1519812828
License Status: free
Trial ends: 2018-03-30T10:22:14.000+00:00

Database: initialized
Supports SMS: true
Onboarding completed: Yes
Malware DB: v2018.06.14.01 (Jun 15, 2018 14:40:01)
Malicious URL DB: v2018.06.14.01 (Jun 15, 2018 14:35:50)
RTP: N/A (disabled)
ARP: N/A (disabled)
Accessibility: N/A (disabled)
Scanning SMS links: N/A (disabled)
SMS control: N/A (disabled)
Auto update: N/A (disabled)
Auto update Wifi only: N/A (disabled)
Scan after update: N/A (disabled)
Scan during charge only: N/A (disabled)
Scan power saving only: N/A (disabled)

- Last scan has been performed more than 2 weeks ago
- After last scan you've ignored some dangerous malware
- Security Audit detected some issues
- Premium is not activated

Whitelisted items:

Last scan information:

Time: 2018-06-15T14:39:30.942+02:00
Duration (s): 38
Malware (apps): 2 of total 137
Malware (files) : 0 of scanned 637


MalwareBytes confirms that phone is infected with malware at purchase - see attached PDF of email exchange.
"This app is an malicious system app, which you maybe can not remove. This app is preinstalled and came within the firmware."


Power on phone , take a few screenshots , transfer to tablet , Factory Reset again.
Installed MalwareBytes , update database , scan phone , 2Accounts is found as malware.
Leaving phone on to do its malware crazyness again.


One week later.
Updated MalwareBytes database and scanned phone.
A new piece of malware has been silently installed - Settings ( com.comona.bac ).
Classified as a virus - trojan.agent.ash
Settings has access to Contacts , Storage , Telephone.


Decided to get the phone out and have another look.
Updated MalwareBytes and scanned - still infected.
Adverts started popping up again.
There are now three peices of malware on the phone.
I check for a firmware update , there is a new version , perhaps without a built-in malware dropper.
Firmware Version = HM-G7s-FL-H01-S010-20181110.
UpdateDate = 2019-09-09
PatchSize = 217.40M
Install new firmware , multiple reboots.
Bootup phone and do a factory reset. Setup phone again with WiFi password and test Google account.
The previous preinfected app - 2Accounts is gone , perhaps it is clean now ? Install MalwareBytes again , update database and scan phone.
New malware dropper is already installed as a System app.

So this Haier phone is purposefully preinfected via the manufacturer.


Last Updated : 2020-05-09

What is your experience with your Haier G7s and Support ?
Contact Me at

Would you like to help to translate this site into other languages ?