In many cases, malware apps can simply and directly be removed with root privileges. A complication arises, however, when the app to be removed is a rather important app that is necessary to run or boot the operating system, or when an app of its kind is necessary to run or boot the operating system. Only removing such apps may resolve the malware problem, but creates other major problems such as an inability to meaningfully operate the Android environment or an inability to boot the Android operating system. A few typical examples of such apps are the Settings app and the Package Installer app.
Wherefore, to perform a proper repair, a malware app must instead be patched to remove the malware or replaced with another clean and compatible app.
For basic Android apps, such as the Settings app and Package Installer app, that are malware-infected, I would think that the best course of action would be to replace the infected app with a clean AOSP version or clean OEM version. Using the OEM version of the app would only be acceptable if the app were available and the OEM is believed to not have or be the source of the malware.
The Problem Being Considered:
For a malware-infected system app to be replaced with a clean AOSP version, my impression is that the most obvious option that would be most likely to work would be to build Android from source against the target device and for the same architecture and Android version as the malware-infected system, and then donate its apps as replacements for the malware-infected apps and replace the malware-infected apps. Unfortunately, while the method should be effective, it comes with considerable costs. The sizes of the various Android source codes are quite large and it can take a rather long time to acquire and process them. It is worth considering other options.
Questions to Resolve Problem or Are Related to Problem:
Instead of building Android from source against the target device and for the same architecture and Android version as the malware-infected, AOSP-based system to use as a source for donating replacement apps:
Should it be sufficient to use apps from a pre-built AOSP or AOSP-based build of Android, such as LineageOS, with the same Android version and architecture as the build of Android of the infected device?
Should it be sufficient to use apps from a pre-built AOSP or AOSP-based build of Android for a different device, but with the same Android version and architecture as the infected device? Is the matching of the SoC or processors of the donating Android build and the target Android build important for donation app compatibility purposes?
Is it acceptable to use a build of Android of a different minor version to acquire an app for donation to the malware-infected app build? (For example, the malware-infected build may be of Android version 7.0, but the other, clean Android build may be of Android 7.1.2.)
Can just a single Android system app be compiled? If so, would it still require acquiring the source code for the entire Android version?
Are there any generic, pre-built offerings of Android that may be used to acquire the replacement apps for donation to the malware-infected Android build? If so, where?
Any other recommendations or things I may not have thought of?