Every now and then (and it's getting more and more frequently), I get a notification that some app tried to install itself (!) but was blocked because it's from "unknown sources", and it's prompting me to disable the "block install from unknown sources" check from Settings.

It's not a notification but a dialog and it looks like this:

_{(Click image to enlarge; image courtesy of Piyush)}

At first I though these might be system updates and was tempted to disable the "unknown source" block, but now I am worried I might have some malware on my phone.

Yes, never enable that Unknown sources setting if you're in uncharted waters.

Where should I search for the APK that is trying to install itself (or the APKs)?

It's a bit difficult to find the app. I recommend finding the cause for the effect. In our case, the effect was the dialog hinting that the Unknown sources setting was blocked. That dialog is shown by Package Installer (a system-cum-core app). Package Installer is used by user or system apps which do not have the permission android.permission.INSTALL_PACKAGES to install an app. Since you did not attempt to side load an app, it stands to reason that an app called Package Installer without your consent. Our imminent goal is to find out that particular app.

The system service activity logs many important details. Among other things it shows the called package which in this case is Package Installer app with package name com.google.android.packageinstaller or com.android.packageinstaller. It also shows the calling package or the package which launched an another package.

Find the package name

Now, using adb in PC execute the command:

adb shell dumpsys activity activities

# this command should be executed only when that dialog is in foreground

Demo output: notice the highlighted line:

In the highlighted line, the string after launchedFromPackage= and before userId is the package responsible for launching Package Installer app. In your case it would be a different package name. Note down that package name (henceforth denoted as <pkg>).

Locate the apk

Now that we know the immediate cause we can hunt down the home or in other words, the apk. Execute the command:

Note: Finding the location of apk is required only for forensics. If you're not interested in that, I recommend you don't bother with this step and immediately jump to the heading Uninstall/Disable/Hide the app.

adb shell pm path <pkg>  

Demo output:

bash-4.2# adb shell pm path com.estrongs.android.pop

package:/data/app/com.estrongs.android.pop-1/base.apk

The string next to package: is the location of apk. You can also find the same information inter alia through the command:

adb shell dumpsys package <pkg>

Uninstall/Disable/Hide the app

If you know the label of the package or can get to know it through any means (such as with AppXplore) then go into the application manager under Settings app which typically comes down Settings → Apps → All apps in stock Android, find the malware app and uninstall it.

Things to note

• If Uninstall button is grayed out and so as the Force stop button then your app must be a device administrator. In that case, go into the Security settings, choose Device administrators option and revoke the administrator privilege from the app. Come back and attempt to uninstall the app.



• If you don't find the Uninstall option then your malware app is a system app. Whether your vendor shipped it or the app exploited your system or tricked you to install itself is another matter to deal with. For a system app, the button Uninstall is replaced by Disable.

  
  
  
  
  
  • If both Force stop and Disable buttons are grayed out then the app may be a device administrator as well. In that case, revoke that privilege and then attempt to disable the app.
  
  

  • If the Disable button alone is grayed out, then:

    
    
    
    
    

    • For a rooted Android: use adb to disable the app through the commands:

      
      
      

      adb shell
      
      su
      
      pm disable <pkg>
      
      

      
      
      

      To enable the app, replace disable with enable in aforesaid command.

      
      
      

      You can alternatively use an app, such as Titanium Backup, to disable/freeze the malware app. You can also consider removing the apk using a file manager app.

    
    

    • For a non-rooted Android: provided that you're using Android 4.4.x or above, use the commands:

      
      
      

      adb shell
      
      pm block <pkg>
      
      # for Android 4.4.x
      
      pm hide  <pkg>
      
      # for Android 5.x and 6.x
      
      

      
      
      

      To unblock/unhide the package replace block by unblock and hide by unhide in appropriate aforesaid command. In this particular case, hiding the package would achieve the same result as disabling would.

    
    
  
  

The package would remain disabled or hidden until you revert the changes.

Note for readers

It has been confirmed by question's author that the malware app in their phone has the package name com.android.tools.callassistant. I found its label as Caller ID and it has been reported as a malware by AVG.