Android Zygote64 asking for root access?

Discussion in 'Android' started by Cyan, May 22, 2018.

  1. Cyan (OP) | GBATemp's lurking knight | Global Moderator | Oct 27, 2002 | France | Engine room, learning
    My phone: Honor 6X, Android 7 stock ROM, 3 months old.


    Two days ago, SuperSU v2.82 on my rooted phone asked to allow root access to Zygote64.
    The application log doesn't have an icon, and the access log doesn't have any zygote history!
    Checking the processes with 3CToolbox, I saw both Zygote and zygote64 running, AND they have an "initial launch date" in the future: June 10th 2018, with a negative value, "-22 days ago".



    I tried to search on the internet; the only information I found is from the XDA forum. It seems other users have had the same prompt since 2016, but nobody really knows what the problem is.
    People say it's either malware or a SuperSU bug. How can I be sure which one is mine?


    Zygote is a system process and should never ask for root access, but I'm not sure whether Zygote64 is an official process or not.
    Some people said to use adb to verify that there is only ONE zygote process, and that all others are malware.
    I found some screenshots with that process name, so I don't know if I can trust it or not.
    Maybe zygote64 is official and not malware?

    Could Zygote be infected with Android.Triada malware? Some phones seem to be shipped (sorry, French only) with that malware pre-installed, but Huawei doesn't seem to be affected.


    Apps added in the last 15 days:
    SoundCloud (Google Store). Strangely, all the logs I found about zygote64 also had SoundCloud installed.
    NXLauncher (APK manual install)
    OTB Checker (Google Store)


    Symptoms:
    The prompt happened while using "NewPipe" (F-Droid), but I've used it a lot without issues.

    The phone seemed very slow (specifically Firefox), and I had a lot of unknown processes running (app process).
    Firefox (and also Chrome) closed themselves when trying to load a GBATemp page.

    I rebooted; SuperSU doesn't have the app logged anymore.
    I don't have hundreds of processes running anymore.


    Do you think it's malware and I should restore a previous backup? (Unfortunately, I only have one from day one... I'll have to reinstall everything.)

    I didn't install a lot of apps, and I don't use any social apps or visit suspicious websites (no porn, etc.).
    I only use my phone for GBATemp and Wikipedia/IMDb/other common websites.
    The only 2 apps I installed not from Google Play are Lucky Patcher and NXLauncher.

    Thank you for any info you could provide :)
     
    Last edited by Cyan, May 22, 2018
  2. yusuo | GBAtemp Addict | Member | Oct 19, 2006
    I think it's either malware (use Malwarebytes to check) or just an app that's checking for root access so it can block itself if it's found, the same way the Barclays app does.

    Run an Avast check and a malware check; if all OK, I would lean towards trusting it.
     
  3. Cyan (OP) | GBATemp's lurking knight | Global Moderator | Oct 27, 2002 | France | Engine room, learning
    I installed Malwarebytes, but as expected it doesn't have root access, so how would it detect kernel issues?
    It scanned all the "applications", but not the kernel's processes, and ended with the result "no malware found". Without scanning Zygote itself, it can't detect any malware in it.
    I didn't try Avast yet, but I suspect an antivirus would be as (un)useful.


    Here are some screenshots I took:

    Before reboot (screenshot)

    After reboot (screenshot)

    I tried to kill Zygote64 manually from 3CToolbox, and the phone rebooted its graphical interface (launched apps were still open and active when the phone was back to a usable state).


    Could someone with 3CToolbox and root access check their own kernel files?
    See if you have both Zygote and Zygote64, and if the memory usage is correct. (But I suppose it's fine; virtual memory is not RAM.)

    Tell me if you have a lot of "app process" too. I also have 5 "sush" processes running.
    Thank you :)


    I don't do suspicious activities, don't visit a lot of websites, didn't install a lot of apps; I didn't do anything special except install SoundCloud in the last 15 days. To me, it would be very strange if it was malware, but I'm a little paranoid now. I wouldn't want to keep bank malware.
    The only bad thing or setting I did was disable Google Play Protect (because it always deletes Lucky Patcher).
     
    Last edited by Cyan, May 22, 2018
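Added example, not from the thread or from any of the posters: a POSIX shell check a practitioner would run instead of eyeballing 3CToolbox. On a 64-bit Android 7 device, init starts two zygote services (from init.zygote64_32.rc), which ps shows as zygote64 (/system/bin/app_process64) and zygote (/system/bin/app_process32); both are direct children of init (PID 1), and every app process is a fork of one of them. So the useful test is not "is there more than one zygote" but "does each zygote-named process have init as its parent, run one of the two app_process binaries, and appear exactly once". The process table the script reads is a constructed sample embedded in it (all PIDs and the fake pid 4401 row are made up); the proc_table helper and the adb command in the comments are an assumed way to build the same table on a real device and need root to read other uids' /proc/PID/exe links.

```shell
#!/bin/sh
# Added example: sanity-check zygote entries in a process table.
# Expected on a 64-bit Android 7 device: one "zygote64" (/system/bin/app_process64)
# and one "zygote" (/system/bin/app_process32), both started by init (PPID 1).
# Table format, one process per line:  PID PPID EXE NAME

# Constructed sample (PIDs invented): three normal rows plus one fake "zygote64"
# that was forked by the real zygote64 (PPID 532) instead of by init.
SAMPLE_PS='1 0 /init init
532 1 /system/bin/app_process64 zygote64
533 1 /system/bin/app_process32 zygote
1890 532 /system/bin/app_process64 com.android.systemui
4401 532 /system/bin/app_process64 zygote64'

# Read the table on stdin; print one line per finding.
# Exit status 1 if anything was flagged, 0 if the table looks normal.
check_zygotes() {
  awk '
    $4 == "zygote" || $4 == "zygote64" {
      count[$4]++
      why = ""
      if ($2 != 1) why = why " ppid=" $2 "(expected 1)"
      if ($3 != "/system/bin/app_process64" && $3 != "/system/bin/app_process32")
        why = why " exe=" $3
      if (why != "") { print "SUSPICIOUS pid=" $1 " name=" $4 ":" why; bad++ }
    }
    END {
      for (n in count) if (count[n] > 1) {
        print "SUSPICIOUS name=" n " appears " count[n] " times (expected 1)"; bad++
      }
      exit (bad > 0)
    }
  '
}

# Assumed way to build the same table on a real device (root needed to read
# other uids' exe links), then pipe it into the check above:
#   adb shell su -c "sh -c '. /sdcard/check_zygote.sh; proc_table'" | check_zygotes
proc_table() {
  for d in /proc/[0-9]*; do
    pid=${d#/proc/}
    [ -r "$d/stat" ] || continue
    # /proc/PID/stat is "pid (comm) state ppid ..."; comm may contain spaces,
    # so strip everything up to the closing parenthesis before taking field 2.
    ppid=$(sed 's/^.*) //' "$d/stat" | cut -d' ' -f2)
    exe=$(readlink "$d/exe" 2>/dev/null || echo '?')
    # argv[0] is what Android's ps shows as NAME (zygote renames itself to
    # "zygote64"/"zygote"); fall back to comm for kernel threads.
    name=$(tr '\000' ' ' < "$d/cmdline" | cut -d' ' -f1)
    [ -n "$name" ] || name=$(sed 's/^[0-9]* (//; s/).*//' "$d/stat")
    printf '%s %s %s %s\n' "$pid" "$ppid" "$exe" "$name"
  done
}

# Demo on the constructed table:  sh check_zygote.sh --demo
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_PS" | check_zygotes
fi
```

On the sample the fake row is reported twice: once because its parent is pid 532 rather than init, and once because "zygote64" then appears two times. A table with only the three normal rows produces no output and exit status 0, which is what a stock 64-bit phone should give; a process that merely calls itself zygote64 but was forked from an app, or runs from /data, is what the check is built to surface.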
  4. yusuo | GBAtemp Addict | Member | Oct 19, 2006
    Had a little look into it, and it looks as if it's malware that has disguised itself as a system process. I would stay away from it; delete it if you can.
     
  5. Cyan (OP) | GBATemp's lurking knight | Global Moderator | Oct 27, 2002 | France | Engine room, learning
    You don't have that process?
    When I forced its termination, the phone rebooted, as if it was an essential process.
    If I delete it, I might not be able to boot the phone, and I don't know how to delete it. Manually from a root file explorer?

    I'd better just restore a NANDroid ROM backup, but I made it only right after rooting, so I'll have to redo all my settings. But if it's safer, I'll do it.

    Thank you for taking the time to read my messages and trying to help.

    edit:
    I removed Malwarebytes; it was sucking the battery. Even if I force-closed it and disabled real-time checking, it always relaunched, and the phone didn't like how much battery it used.
     
    Last edited by Cyan, May 23, 2018