Solved

can't remove a threat


My Secure anywhere detects Android.Gedma Smsreg com.mediatek.smsreg. It says it is a Trojan, but I cannot uninstall it. I have tried, but it keeps saying uninstall unsuccessful. What can I do?
Diana

Best answer by CameronP 21 April 2014, 18:44


32 replies

Userlevel 7
Hello Diana, welcome to the Webroot Community!
 
Forgive me for making sure I know what you mean, but I appreciate your patience.  When you say you cannot uninstall it, do you mean that the Webroot App cannot remove it or that you cannot uninstall it from the installed Apps in your Android settings, or both?
Userlevel 7
If you have gone to the Android settings, Apps and attempted to remove it without success, you should submit a Trouble Ticket
Userlevel 7
Hi Diana
 
And welcome to the Community Forums
 
Just to chip in/add to what David has already advised, quite correctly about submitting a Trouble Ticket.
 
I have done a little research and what you seem to have 'caught' is riskware/PUA that is particularly persistent and as such will require your phone to be 'rooted' (Rooting an Android phone lets the owner modify or delete the system files), to allow the removal of instances of SmsReg.apk.
 
Now I am no phone expert but given the above is not something for the average user...professional assistance is required from the Support Team.
 
Hope the additional information is of assistance?  And do post back to let us know how you get on.
 
Regards
 
 
 
Baldrick 
Userlevel 7
:D Welcome to the Webroot Community jcluvr. We have a great bunch of Forum volunteers who will lead you in the right direction.
 
Please post back and let us know if you resolved this with your support ticket with Webroot so that others with this issue can be helped also.
 
Best Regards,
Userlevel 4
The app "com.mediatek.smsreg", or "SmsReg", is a built in app on some phones and tablets. This app is marked bad because it exhibits suspicious behaviors like the ability to gather information about your phone (like IMEI, IMSI, IP address, phone number, etc.), start up upon rebooting, and also send text messages. Since the app is bundled with the factory-installed software, you will need to manually go and disable this app. This can be done in the Android application manager, where this app will be listed as "SmsReg". If you scroll down to "SmsReg" in the applications list and tap it, it will bring up information about the app as well as the option to disable it.
 
Once the app has been disabled, it is no longer functioning. At this point, we recommend running another scan with Webroot. If the app is detected again, go ahead and check the checkbox to "Always ignore this threat" and tap the button to ignore it. Since the app is disabled, there is no need to keep scanning it.
 
As Baldrick stated, the only way to completely remove the app would be to root the phone, but this is not necessary. We do not recommend doing this in any way, since rooting can lead to many other security risks and the process itself could permanently damage your device. Disabling the app is, for all intents and purposes, just as good as uninstalling it. This prevents the app from running or doing anything until you go back and re-enable it in the same menu.
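
To confirm from a computer that the disable step described above took effect, and that the package really is part of the factory image, this added example (not from the thread or from Webroot) classifies a package from captured `adb shell pm list packages` output. The sample lists and the package name com.example.flashlight are constructed for illustration.

```shell
#!/bin/sh
# Classify an Android package from captured `pm list packages` output.
# Capture on a device with USB debugging enabled (no root needed):
#   adb shell pm list packages    > all.txt       # every installed package
#   adb shell pm list packages -s > system.txt    # system (factory image) apps
#   adb shell pm list packages -d > disabled.txt  # currently disabled apps

# has_pkg LIST PKG: true if LIST contains the exact line "package:PKG".
# Exact matching avoids a hit on a longer name that shares the prefix;
# tr strips the carriage returns that older adb versions append.
has_pkg() {
    printf '%s\n' "$1" | tr -d '\r' | grep -Fxq "package:$2"
}

# classify_pkg PKG ALL SYSTEM DISABLED: prints one verdict word.
#   absent           not installed
#   system-enabled   factory app, still able to run
#   system-disabled  factory app, disabled (the state the steps above produce)
#   user-enabled / user-disabled   not part of the factory image
classify_pkg() {
    pkg=$1; all=$2; system=$3; disabled=$4
    if ! has_pkg "$all" "$pkg"; then
        echo "absent"
        return 0
    fi
    if has_pkg "$system" "$pkg"; then origin=system; else origin=user; fi
    if has_pkg "$disabled" "$pkg"; then state=disabled; else state=enabled; fi
    echo "$origin-$state"
}

# Constructed sample output (not taken from a real device).
SAMPLE_ALL='package:com.android.settings
package:com.mediatek.smsreg
package:com.example.flashlight'
SAMPLE_SYSTEM='package:com.android.settings
package:com.mediatek.smsreg'
SAMPLE_DISABLED='package:com.mediatek.smsreg'

classify_pkg com.mediatek.smsreg "$SAMPLE_ALL" "$SAMPLE_SYSTEM" "$SAMPLE_DISABLED"
```

A `user-enabled` verdict for a package with this name would mean it did not ship with the device, which is the case to take to Support rather than ignore.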
Userlevel 7
Thank you very much CameronP, that is fantastic information!
 
If I recall correctly, there is also another downside to 'rooting' your device as a WSA user: Webroot does not guarantee support on 'rooted' devices as doing so can change the software environment in ways that make all apps malfunction.
Userlevel 4
You're welcome! Yes, it is true we cannot guarantee support for issues on rooted devices. That's probably the most important point, and I totally forgot it!

There are many ways in which rooting can drastically change your phone's software, for better or worse, and this can really complicate things from a support standpoint.
Userlevel 7
Hi Cameron
 
Thanks for the intervention...always good to get the Professional's view/approach to how to handle this.
 
Duly noted for future reference...and I presume that as the solution here is making use of standard Android functionality to disable this app, then we in the Community are not stepping on the Support Team's toes...so to speak...by providing it ourselves?
 
Regards
 
 
Baldrick
 
Userlevel 4
I would say it's totally appropriate to provide those standard Android steps to use the app management to disable the app, like you said. My toes certainly won't feel stepped on 🙂
Userlevel 7
Hi Cameron
 
Many thanks for the clarification...that is good to know for the future.
 
As volunteers we always need to make sure that we advise appropriately and within the bounds of our remit/know when we need the Support Team professionals brought in.
 
Cheers
 
 
Baldrick
Thank you very much to all who replied!!! I disabled the app and then scanned my tablet again. Webroot still detected it as a threat so I checked "always ignore" and tapped "ignore threat" as CameronP said to do. Everything seems to be working fine now! Thank you!
Hi, I had the same issue raised on my phone just today. Is this a new finding as I have not downloaded any new app the past month and had both the phone and Webroot running for the past year! Yet this is supposed to be in the phone system in the first place.
Same experience with Webroot reporting can't be uninstalled after alerting this threat and offering to uninstall.
I am puzzled at Webroot logic still reporting this as a Threat even when, as suggested here, I have it disabled. I only rescanned after rebooting the phone and double checked the SmsReg is still Disabled in the Apps List. Surely by choosing to tell Webroot to ignore, what if a future app installs a new copy of SmsReg? Better Webroot Scan is set up to ignore apps that are disabled.
Userlevel 7
The problem was a False Positive, and a fix went out for it well over a week ago.  If you are still having a problem, please make sure your device has up to date definitions: force update definitions if you need to.
 
If you still have the problem after that, you will want to submit a Trouble Ticket (link below) so that Webroot Support can help get this fixed for you.
Thanks for the update. Great! But I can't find a way amongst the options on the app to force an update. All I can see on info is that my definition set is at 775 and v.3.6.0.36759
Userlevel 7
😃 Hello gulibo, welcome to the Community. I was looking on my Android Mobile and my version is the same as yours but my Definition set is: 776. So it seems to me you are missing something here. Can you go to settings and clear out the cache and then reboot and see if that works for you? Otherwise I would suggest, if I may, to have you uninstall WSA if the definitions don't update. First make sure you have your code for WSA upon reinstalling, ok?
 
1: clear cache
2: uninstall WSA
3: reboot
4: install WSA
 
Only do this if clearing the cache doesn't work.
Please post back if you need further assistance and even then let us know if we solved your problem so that we may help others.
 
Have a great weekend,
Regards
Userlevel 7
To force an update of the definitions, please do the following:
 
  • Open the WSA Mobile interface
  • Click the Security button at the bottom
  • Click Anti Virus
  • Click the Schedule button at the bottom
  • Click Force Definition Update Now
This should force the definitions to update.  While you are in this screen, you might adjust the schedule to check for definition updates daily.
Thanks for your advice. But the issue gets more complicated. 
A. Clearing the apps Cache will only reduce reported 24KB to 12KB. Then rebooting made no difference.
B. The Uninstall button is greyed out! So can't from Manage App route. Then from the Apps View dragging it to the top of screen to remove triggers a new screen saying "Can't uninstall because this package is an active device administrator", with a button to 'Manage Device Administration'. Selecting this presents a check box, each already ticked, for both 1. Android Device Management and 2. Webroot Secure Anywhere.
Deactivating the former removes the tick in the respective box. But deactivating the extra functions on the second doesn't remove the tick in that box! After all this, going back to apps icon view to drag it to uninstall just repeats the above again!
 
It's this app that is causing the biggest worry!
Thanks David for pointing out how to get to the force update button. When I got to this page it states the last check was on Thur, 24 Apr 2014 (I am in UK) 8:22pm. But pressing this to trigger the Updating Definitions banner doesn't even change this Last Checked date! There is something seriously wrong with this app on my phone. The update frequency btw was on Daily, which should have been good enough to address my original issue! I have now changed it to hourly anyway. Background scan was at weekly; I have changed this as well for now to Daily.
Definition still at set 775. Tried to uninstall from the app menu but get the same hurdles that I can't get over! The phone is running 4.2.2. Can't believe this app can be so difficult to remove - real worry!
Userlevel 7
Hi gulibo, I'm very sorry for your issues. All I can say is to contact support via support ticket and they'll get it all straightened out.
To uninstall, did you go into Webroot itself? When you open the app, go to the bottom of the screen in Webroot (the "you are protected" screen) and you'll see general settings, change password, register, about, uninstall... Did you try that?
Userlevel 7
If you have tried to:
 
1) Force Update the Definitions
 
2) uninstall and reinstall the WSA-Mobile app
 
and you are still having problems, you will want to submit a Trouble Ticket
 
The information we have from Support is that the issue has been fixed and the fix fully distributed via the new definition set.  As the app is unable either to update definitions or to uninstall, it would appear that possibly something is corrupted that may require the assistance of Support.
Thanks David and Sherry for your help within the forum. As I've tried all the uninstall routes including from within the app's menu to no avail, I trust the Webroot team will be as responsive. Hope to update my outcome afterwards.
Felt I should update earlier than planned because after posting my 'Trouble' ticket to Tech Support, I was going to try once again to force an update only to find the app has not only managed to update the Definition Set in the background to 777 but the app version as well to 3.6.0.6579! The bad news though: after I forced a scan it still reports the same threat from com.mediatek.smsreg.
Doesn't make sense now that Webroot has recognised this as a False Positive and fixed it a week ago. Have also updated Tech Support with my new findings.
Userlevel 7
Hi gulibo
 
May I somewhat belatedly welcome you to the Community Fora. :D
 
I think that we need to be careful here in terms of what is and what is not an FP.  In the research I have done it appears that in some cases this is an FP (usually when part of the OEM install) but in some cases it is not (when not part of the OEM install).
 
The common denominator is .smsreg but there are apparently a number of variants and so it is possible that it is an FP but has not yet been recognised by Webroot, especially if it is newish.
 
Well done for updating your Support Ticket with the latest information you have and requesting guidance from the Support Team/Threat Researchers...as they are the experts in the matter.
 
I hope that is of assistance?
 
Regards
 
 
 
Baldrick
Hi Baldrick,
 
Thank you for your welcome and your opinion.
 
1. False Positive on SmsReg
I have since loaded and scanned my phone with a couple other Security Apps - CM Security and Norton Mobile.  Neither identified this as an issue.
 
2. Uninstalling
This separate problem to uninstall Webroot legitimately is even more alarming! For example I uninstalled the Norton Mobile app easily after I ran the scan with ease!
 
So this experience has left me quite unimpressed with the app.
 
Gilbert
Sorry Baldrick- also thought you may have realised that the SMSReg was from OEM install (mediatek) hence the inability to remove the 'Threat' in the first place in my earlier postings.
