
Zygote Asking for SU Permission


M.L.

Jun 12, 2017, 5:39:47 PM6/12/17

Today I noticed that a couple of programs in the Notifications bar of
my rooted Galaxy T989 were missing so I rebooted the phone. After
booting, SuperSU launched a popup requesting SU permission for a
program called zygote, which I denied. A Google search showed that
there's an Android trojan that alters Android's native zygote process.
I only download from the Play Store or XDA, and don't install new
software that often. I don't know what to do from here. Any info on
this issue will be greatly appreciated. Thanks.

VanguardLH

Jun 12, 2017, 6:12:23 PM6/12/17
Use some anti-virus software. Sophos, Avast, and others make mobile
versions of their AV software.

https://securelist.com/attack-on-zygote-a-new-twist-in-the-evolution-of-mobile-threats/74032/

What is Zygote:
http://coltf.blogspot.com/p/android-os-processes-and-zygote.html
https://anatomyofandroid.com/2013/10/15/zygote/

So it looks like an app wanted to connect out. Since you have many apps
that connect out, they are children of the zygote parent.

Today you noticed. That does not mention if you have ever restarted
your phone since you rooted it or restarted your phone after whatever
apps you lately installed. There was a reason why you rooted your
phone. Was it for an app that only runs on a rooted phone?

https://forum.xda-developers.com/general/security/strange-zygote-process-root-permissions-t3532364

I know Google periodically reviews accepted apps plus they have their
process for accepting apps. What does XDA do to guarantee they don't
get malware on their site? Obviously to install any XDA app then you
had to disable the security option in Android that prevents downloading
and installing apps from anywhere other than the Google Play Store.

There are apps called Zygote. One is for a game. Another is some
webhoster's app which looks to be just an advertising lure. Someone
wants to confuse users by reusing the name.

The Real Bev

Jun 12, 2017, 9:29:06 PM6/12/17
On 06/12/2017 03:12 PM, VanguardLH wrote:

> I know Google periodically reviews accepted apps plus they have their
> process for accepting apps. What does XDA do to guarantee they don't
> get malware on their site? Obviously to install any XDA app then you
> had to disable the security option in Android that prevents downloading
> and installing apps from anywhere other than the Google Play Store.
>
> There are apps called Zygote. One is for a game. Another is some
> webhoster's app which looks to be just an advertising lure. Someone
> wants to confuse users by reusing the name.

And one is a website that offers google-earth-like views of the human
body. The free stuff is fascinating, and you can pay (I haven't, of
course) for additional features. Come on, 'fess up. You've always
wanted to know where the piriformis is, right?

https://zygotebody.com/
Enjoy.

--
Cheers, Bev
"Giving money and power to government is like giving whiskey
and car keys to teenage boys." -- P.J. O'Rourke

M.L.

Jun 13, 2017, 12:03:46 PM6/13/17
Thanks for your reply VanguardLH.
- My phone has been rooted for years
- I use Lookout AV on my Android
- I have several apps that need root
- There is no downloaded or running zygote app in my Applications
list
- I rebooted and the zygote issue did not recur

Here is a troubleshooting quote from a forum poster:
<quote>
If you have ADB, issue the command adb shell ps | grep zygote. (Or
from Terminal Emulator as ps | grep zygote)
I believe the output will be two processes: one is the real zygote,
and the other 'zygote' is part of a package name, which is a malware.
</quote>

I did as directed but didn't find two processes, only one.

>adb shell
shell@android:/ $ ps | grep zygote
root 158 1 499980 25612 ffffffff 00000000 S zygote
127|shell@android:/ $ exit

I don't really know what the result means but I'm hoping the zygote SU
request was a system fluke that won't happen again. Zygote is a legit
Android daemon whose purpose is to launch Apps. It doesn't need root
permission... unless there's malware afoot.
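
The "two processes" test quoted above is a blunt instrument: it gives a false
alarm on 64-bit devices, which legitimately run both "zygote" and "zygote64",
and it says nothing about a process whose package name merely contains the
string "zygote". The script below is an added example, not code from the
thread or from any of the linked articles. It applies the stricter criteria a
practitioner would use on the `ps` output in the thread's format (USER PID
PPID VSIZE RSS WCHAN PC STATE NAME): a genuine zygote runs as root, has init
(PID 1) as its parent, and has a command name of exactly "zygote" or
"zygote64"; anything else matching "zygote" is flagged. The sample input is
constructed; the one real line is the thread's own, and "com.example.zygote"
is a hypothetical package name, not a known malware identifier.

```shell
#!/bin/sh
# Added example: triage `ps | grep zygote` output from an old Android device.
# Not part of the original thread.
#
# Reads toolbox-style `ps` lines on stdin:
#   USER PID PPID VSIZE RSS WCHAN PC STATE NAME
# and prints one line per process whose name contains "zygote":
#   OK ...       user is root, parent is init (PID 1), name is zygote/zygote64
#   SUSPECT ...  anything else that matched
# Exit status is 0 if nothing was suspect, 1 otherwise.
check_zygote() {
    suspects=0
    while read -r user pid ppid vsize rss wchan pc state name rest; do
        # Skip the header line and every process that does not mention zygote.
        case "$name" in
            *zygote*) ;;
            *) continue ;;
        esac
        if [ "$user" = root ] && [ "$ppid" = 1 ] &&
           { [ "$name" = zygote ] || [ "$name" = zygote64 ]; }; then
            printf 'OK pid=%s user=%s ppid=%s name=%s\n' "$pid" "$user" "$ppid" "$name"
        else
            # Either a non-root process, a zygote-named child of something
            # other than init, or a package name that only contains "zygote".
            printf 'SUSPECT pid=%s user=%s ppid=%s name=%s\n' "$pid" "$user" "$ppid" "$name"
            suspects=$((suspects + 1))
        fi
    done
    [ "$suspects" -eq 0 ]
}

# Constructed sample input. Line 2 is the real line posted in the thread;
# the others are made up for illustration. "com.example.zygote" is a
# hypothetical package name chosen only because it contains "zygote".
SAMPLE_PS='USER PID PPID VSIZE RSS WCHAN PC NAME
root 158 1 499980 25612 ffffffff 00000000 S zygote
root 159 1 512340 26000 ffffffff 00000000 S zygote64
u0_a77 2314 158 612000 31000 ffffffff 00000000 S com.example.zygote
root 2401 2314 200000 8000 ffffffff 00000000 S zygote'

# On a real device the input would come from:  adb shell ps | check_zygote
printf '%s\n' "$SAMPLE_PS" | check_zygote || echo "suspect zygote process(es) found"
```

Note that this only looks at what `ps` reports; an implant that has already
patched the real zygote, as described in the securelist article linked
earlier, would still show up as a single well-formed root zygote. For that
case the thing to check is the package behind the SuperSU prompt itself
(SuperSU logs the requesting UID and package) and the integrity of the
system partition, not the process list.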