Related
So... I'm rather new here and I'm not 100% sure that this is the correct forum to post this in (since I know it says "xda developed apps/games only"). However, I have seen commercial Android apps discussed here before... so... *shrug*.
Let me first say that I am not the developer... I just think this app should get some attention.
Pixie Network Monitor by 9bitlabs (would post a link but my account is restricted. ;-) )
It is a network monitoring app similar to Wireshark, but for Android. It is $4.99 on the Android market, it requires root, and it does not work on all phones (since not all phones can have their wifi put into promiscuous mode). There is a companion app called "Pixie Probe" available on the market for free. Pixie Probe will determine whether or not your phone is compatible with Pixie.
I have tested it out on my Evo (running CM6.1 RC1) and it seems to work amazingly well.
Pixie does not contain all of the features of Wireshark/Kismet. This is from the Pixie FAQ:
Q: What's the difference between Pixie and a desktop tool like Kismet?
A: The biggest difference between the tools lies in how they interface with the network. Kismet interacts directly with the wireless adapter and places it in monitor mode, allowing it to hear any packet over the wifi, even if it is not associated with a network. This can be problematic with some hardware, but many of the newer wifi chipsets work great with Kismet.
Pixie, on the other hand, is constrained by Android. Rather than expose the wifi adapter as an 802.11b device, Android actually hides all of that functionality: the wifi connection actually appears to system processes as a plain old Ethernet device. This means that we don't get monitor mode and we also don't get to see wifi-specific data, such as beacons and associate/disassociate packets.
On the plus side, Pixie runs in your pocket and that's harder to do with Kismet, unless you have very large pockets. Pixie is also significantly easier to set up for folks without Linux experience.
Click to expand...
Click to collapse
The Pixie website gives very detailed information about the app, so I suggest you go there if you want more info.
In any case, I hope other people find it useful.
Thom Holwerda at Real-Time Embedded OS specialized website OSnews reports about vulnerabilities that lurk in closed-sourced radio chips.
The second operating system hiding in every mobile phone
The insecurity of baseband software is not by error; it's by design. The standards that govern how these baseband processors and radios work were designed in the '80s, ending up with a complicated codebase written in the '90s - complete with a '90s attitude towards security. For instance, there is barely any exploit mitigation, so exploits are free to run amok. What makes it even worse, is that every baseband processor inherently trusts whatever data it receives from a base station (e.g. in a cell tower). Nothing is checked, everything is automatically trusted. Lastly, the baseband processor is usually the master processor, whereas the application processor (which runs the mobile operating system) is the slave.
(...)
With this in mind, security researcher Ralf-Philipp Weinmann of the University of Luxembourg set out to reverse engineer the baseband processor software of both Qualcomm and Infineon, and he easily spotted loads and loads of bugs, scattered all over the place, each and every one of which could lead to exploits - crashing the device, and even allowing the attacker to remotely execute code. Remember: all over the air. One of the exploits he found required nothing more but a 73 byte message to get remote code execution. Over the air.
Click to expand...
Click to collapse
Source, via HN
Comments at HN are also worth reading, I think.
Do note, that the study run on some old generation of MSM chips.
Here is a counter argument for instance:
Comment by OsQar
by OsQar on Wed 13th Nov 2013 09:51 UTC
I'm not a security expert at all, but I've been working on mobile radio access technologies for several years, so I feel quite confident to say that some or your claims are wrong. E.g:
"The standards that govern how these baseband processors and radios work were designed in the '80s, ending up with a complicated codebase written in the '90s - complete with a '90s attitude towards security."
Well, GSM's baseband was developed from late 80's to early 90's, UMTS' from late 90's to early 00's, and LTE's can be now be considered almost finished. I know that GSM is not secure at all now (it was when it was released, but now it has been cracked), but I'm not so sure about UMTS (CDMA is very hard to demodulate, so cracking is even worse) and LTE (OFDMA is quite a headache).
"What makes it even worse, is that every baseband processor inherently trusts whatever data it receives from a base station (e.g. in a cell tower). Nothing is checked, everything is automatically trusted."
This is NOT TRUE. At all. Even from GSM times. Handheld devices run a bunchload of ID checks to know what basestation is sending data; and basestations also carefully allocate and check mobile ID's. This is especially true in UMTS (where you have to discriminate interferring users by using pseudorandom codes) and LTE (where you even need angle-of-arrival information to reach more users).
So, I'm not claiming that mobile basebands are inherently secure, but they're definitively not based on 80's security technology.
On the other hand, I agree with your viewpoint that the closed implementations and the huge standards are not the best way to allow the community to check for security bugs. But manufacturers are the main supporters of actual standardization bodies, so it's quite complicated to fight against it.
Click to expand...
Click to collapse
Hello,
I want to figure out the Samsung Accesory Protocol in order to create a "open source" Gear Manager app replacement. This thread is to ask if anyone has been trying to do the same thing as well as try to gather as much information about this protocol as possible. Generic discussion is also accepted, in case anyone has better ideas.
Right now all I know is that this protocol is based on RFCOMM, albeit it can be transported over TCP too. It has a level 1 "framing" which consists basically on
Code:
packed struct Frame {
uint16_be length_of_data;
char data[length_of_data];
}
packed struct FrameWithCRC {
uint16_be length_of_data;
uint16_be crc_of_length;
char data[length_of_data];
uint16_be crc_of_data;
}
I also know that there are various types of packets. "Hello" packets are exchanged early during the connection and contain the product name, etc. Authentication packets are exchanged right after the initial "hello" and contain some varying hashes (crypto warning!). Then the normal data packets are "multiplexed", as in usbmuxd: they have 'session' IDs which described towards which watch program they are talking with. All Hello and authentication packets are sent without CRC, but normal data packets are. The CRC implementation used is crc16, same poly as in the linux kernel.
I suspect that whatever we uncover about this protocol might be useful to e.g. pair Gear with an iPhone, with a PC, things like that.
Note: most of this comes from viewing Bluetooth logs. However it's clear that reverse engineering will be required for the cryptographic parts. In this case I believe it's legally OK to do so in the EU because it's purely for interoperability reasons. I don't want to create a competitor to the Gear2, I just want to talk to it.
Motivation: I bought a Gear2 in order to replace a LiveView that was dying (buttons wearing out, broken wriststrap clips, etc.) . I used it both for notifications as well as map/navigation.
Since I have a Jolla, no programs are available to pair with most smartwatches, but I've been developing my own so far (MetaWatch, LiveView). Thus I decided on a replacement based purely on hardware characteristics and price. Also Tizen seems more open than Android, thus I figured out it would be easier for me to adapt to the watch.
However it seems that I understimated the complexity of the protocol that connects the Gear with the GearManager. So my options in order to make use of this watch are:
Sell Gear2 back and buy something that's easier to hack (e.g. another LiveView ),
Figure out the SAP protocol and write a replacement Gear Manager app (what this thread is about),
Write replacement Tizen applications that don't use SAP. This involves writing new programs for Calls, Messages, Notifications, Alarms, Camera, watchOn, Pulse monitor, etc. i.e. a _lot_ of work if I want to exploit all features of the watch.
But at least one can reuse the existing Tizen settings app, launcher, drivers, etc. (I started porting Qt to the Gear2 with this idea)
Use a different Linux distro on the Gear 2. Such as Sailfish, Mer, etc. This involves all the work of option 3 + possibly driver work.
As of now I've not decided which option is easier for me so I'll keep trying to push them all.
javispedro said:
Hello,
I want to figure out the Samsung Accesory Protocol in order to create a "open source" Gear Manager app replacement. This thread is to ask if anyone has been trying to do the same thing as well as try to gather as much information about this protocol as possible. Generic discussion is also accepted, in case anyone has better ideas.
Right now all I know is that this protocol is based on RFCOMM, albeit it can be transported over TCP too. It has a level 1 "framing" which consists basically on
Code:
packed struct Frame {
uint16_be length_of_data;
char data[length_of_data];
}
packed struct FrameWithCRC {
uint16_be length_of_data;
uint16_be crc_of_length;
char data[length_of_data];
uint16_be crc_of_data;
}
I also know that there are various types of packets. "Hello" packets are exchanged early during the connection and contain the product name, etc. Authentication packets are exchanged right after the initial "hello" and contain some varying hashes (crypto warning!). Then the normal data packets are "multiplexed", as in usbmuxd: they have 'session' IDs which described towards which watch program they are talking with. All Hello and authentication packets are sent without CRC, but normal data packets are. The CRC implementation used is crc16, same poly as in the linux kernel.
I suspect that whatever we uncover about this protocol might be useful to e.g. pair Gear with an iPhone, with a PC, things like that.
Note: most of this comes from viewing Bluetooth logs. However it's clear that reverse engineering will be required for the cryptographic parts. In this case I believe it's legally OK to do so in the EU because it's purely for interoperability reasons. I don't want to create a competitor to the Gear2, I just want to talk to it.
Motivation: I bought a Gear2 in order to replace a LiveView that was dying (buttons wearing out, broken wriststrap clips, etc.) . I used it both for notifications as well as map/navigation.
Since I have a Jolla, no programs are available to pair with most smartwatches, but I've been developing my own so far (MetaWatch, LiveView). Thus I decided on a replacement based purely on hardware characteristics and price. Also Tizen seems more open than Android, thus I figured out it would be easier for me to adapt to the watch.
However it seems that I understimated the complexity of the protocol that connects the Gear with the GearManager. So my options in order to make use of this watch are:
Sell Gear2 back and buy something that's easier to hack (e.g. another LiveView ),
Figure out the SAP protocol and write a replacement Gear Manager app (what this thread is about),
Write replacement Tizen applications that don't use SAP. This involves writing new programs for Calls, Messages, Notifications, Alarms, Camera, watchOn, Pulse monitor, etc. i.e. a _lot_ of work if I want to exploit all features of the watch.
But at least one can reuse the existing Tizen settings app, launcher, drivers, etc. (I started porting Qt to the Gear2 with this idea)
Use a different Linux distro on the Gear 2. Such as Sailfish, Mer, etc. This involves all the work of option 3 + possibly driver work.
As of now I've not decided which option is easier for me so I'll keep trying to push them all.
Click to expand...
Click to collapse
I think your thread should probably go in the Dev section for Tizen. Have you made any development? If your want it moved, report your own post with the button in top right labeled report. You can then suggest your thread be moved to the new Tizen Development section. Ok, I wish you all the luck, you seem to be very talented programmer/dev. Thanks for your contributions.
Chris
noellenchris said:
I think your thread should probably go in the Dev section for Tizen.
Click to expand...
Click to collapse
Well, some mod already moved this thread from Development, where I originally posted it, into Q&A. This is not exactly "Tizen" development (SAP is used in may Samsung devices seemingly).
noellenchris said:
Have you made any development?
Click to expand...
Click to collapse
Yes, lots of progress. I have been able to write a program that connects to the Gear2 from my PC, succesfully "completes" the setup program and synchronizes the date&time. Things like changing the background color etc. are now trivial. I will soon port it to my Jolla.
I am now looking into how to send notifications to the watch. I've not been able to get Gear Manager to actually send any notifications (to use as "reference"), because goproviders crashes when I try to simulate notifications on my android_x86 VM
If anyone can send me an HCI / Bluetooth packet capture of their Android device while it is sending notifications to the Gear2 I would really appreciate it.
Unfortunately, the main problem here is that Samsung uses some cryptographic authentication as a form of "DRM". I am not exactly sure why.
There was no way for me to discover how the crypto worked so I took the unclean approach and dissasembled their crypto code (libwms.so). That means there's no way I would be able to distribute the code now without risking a lawsuit from Samsung.
Sadly this means that while I can distribute the protocol specifications I obtained, legally distributing "Gear Manager replacements" is probably impossible.
javispedro said:
Well, some mod already moved this thread from Development, where I originally posted it, into Q&A. This is not exactly "Tizen" development (SAP is used in may Samsung devices seemingly).
Click to expand...
Click to collapse
Ya, I was kinda in a Gear 1 mind set, and they have separate threads for Android and Tizen....
Chris
javispedro said:
Unfortunately, the main problem here is that Samsung uses some cryptographic authentication as a form of "DRM". I am not exactly sure why.
There was no way for me to discover how the crypto worked so I took the unclean approach and dissasembled their crypto code (libwms.so). That means there's no way I would be able to distribute the code now without risking a lawsuit from Samsung.
Sadly this means that while I can distribute the protocol specifications I obtained, legally distributing "Gear Manager replacements" is probably impossible.
Click to expand...
Click to collapse
I would gladly write a MIT-licensed C library implementing your protocol specifications. That would be correctly following the chinese-wall approach to reverse-engineering, right?
Anyway, AFAIK, being in Europe decompiling for interoperability purposes is allowed -- I know that wikipedia is not to be taken at face value, but: en.wikipedia.org/wiki/Reverse_engineering#European_Union
Antartica said:
I would gladly write a MIT-licensed C library implementing your protocol specifications. That would be correctly following the chinese-wall approach to reverse-engineering, right?
Anyway, AFAIK, being in Europe decompiling for interoperability purposes is allowed -- I know that wikipedia is not to be taken at face value, but: en.wikipedia.org/wiki/Reverse_engineering#European_Union
Click to expand...
Click to collapse
Well, the problem is not the protocol specifications per se, which I'm actually quite confident I'd be able to redistribute (I'm in EU). The problem is the cryptography part, which is basically ripped off from the Samsung lib "libwsm.so" . Unless we can find out what cryptographic method that lib uses, distributing alternate implementations Is a no-go.
javispedro said:
Well, the problem is not the protocol specifications per se, which I'm actually quite confident I'd be able to redistribute (I'm in EU). The problem is the cryptography part, which is basically ripped off from the Samsung lib "libwsm.so" . Unless we can find out what cryptographic method that lib uses, distributing alternate implementations Is a no-go.
Click to expand...
Click to collapse
If you have the time, I don't mind researching the possible crypto used (although I've only studied DES/3DES, AES and Serpent, hope that whatever scheme used is not very different from them).
Some ideas to start from somewhere:
1. As you have used its functions, it is a block cipher? I will assume that it is.
2. What is the key size and the block size?
3. Are there signs that it is using a stack of ciphers? (that is, applying one cipher, then another to the first result and so on)
Antartica said:
If you have the time, I don't mind researching the possible crypto used (although I've only studied DES/3DES, AES and Serpent, hope that whatever scheme used is not very different from them).
Some ideas to start from somewhere:
1. As you have used its functions, it is a block cipher? I will assume that it is.
2. What is the key size and the block size?
3. Are there signs that it is using a stack of ciphers? (that is, applying one cipher, then another to the first result and so on)
Click to expand...
Click to collapse
Hello, I've not forgotten about this, just somewhat busy and been using the MetaWatch lately
1. Yes it is clearly a block cipher, and the block size Is 16bytes.
2. I don't know about the key size, it is obfuscated.
3. Doesn't seem like a stack of ciphers. It looks like some overcomplicated AES. But to be honest AES is the only encryption I know of
By the way I think I will upload my current test "manager" source code to somewhere after removing the crypto specific files . Since the protocol itself has been obtained cleanly. Note I've used Qt (not the GUI parts) so it's useless for creating a library; the code will probably need to be rewritten to do so, but it may be useful as "protocol specs".
javispedro said:
Hello, I've not forgotten about this, just somewhat busy and been using the MetaWatch lately
Click to expand...
Click to collapse
No problem. Curiously, I've transitioned from the metawatch to the Gear1 fully (null rom, not pairing with bluetooth to the phone but gear used as a standalone device).
[off-topic]I'm not using my metawatch anymore. I was modifying Nils' oswald firmware to make it prettier and to have some features I wanted (calendar, stopwatch), but it was very inaccurate, supposedly because of missing timer interrupts (the existing LCD drawing routines were too slow). I rewrote the graphics subsystem just to stumble into a known mspgcc bug, and trying to use the new redhat's mspgcc resulted in more problems (memory model, interrupt conventions). In the end I couldn't commit enough time to fix that and my metawatch is now in a drawer[/off-topic]
Returning to the topic:
javispedro said:
1. Yes it is clearly a block cipher, and the block size Is 16bytes.
Click to expand...
Click to collapse
Good. We can at least say it isn't DES/3DES nor blowfish (64 bits block size). Regrettably there are a lot of ciphers using 128-bits block size; that I know: AES, Twofish and serpent.
Perusing the wikipedia there are some more of that size in use: Camellia, sometimes RC5 and SEED.
javispedro said:
2. I don't know about the key size, it is obfuscated.
3. Doesn't seem like a stack of ciphers. It looks like some overcomplicated AES. But to be honest AES is the only encryption I know of
Click to expand...
Click to collapse
I understand that to mean that you cannot use that library passing your own key, right?
What a pity! One way to test for these ciphers would have been to just cipher a known string (i.e. all zeroes) with a known key (i.e. also all zeroes) and compare the result with each of the normal ciphers :-/.
javispedro said:
By the way I think I will upload my current test "manager" source code to somewhere after removing the crypto specific files . Since the protocol itself has been obtained cleanly. Note I've used Qt (not the GUI parts) so it's useless for creating a library; the code will probably need to be rewritten to do so, but it may be useful as "protocol specs".
Click to expand...
Click to collapse
Perfect. I don't need anything more .
Ok, so I've uploaded my SAP protocol implementation: https://git.javispedro.com/cgit/sapd.git/ . It's "phone" side only, ie it can be used to initiate a connection to the watch but not to simulate one. In addition, it's missing two important files: wmscrypt.cc and wmspeer.cc which implement the closed crypto required to "pair" the watch. The most important file is sapprotocol.cc which implements the packing/unpacking of the most important packet types. The license of those files is GPLv3 albeit I'm very happy if you use the information contained on them to build your "Gear Manager" program under whichever license you'd prefer.
For anyone who hasn't been following the above discussion: I've figured out a large part (useful for at least establish contact with the watch and syncing time/date) of the SAP protocol used between the Gear watch and the Gear manager program on the phone. This has been done mostly by studying traces and afterwards talking to the watch using my test implementation above to figure out the remaining and some error codes. The debug messages left by the watch's SAP daemon were also immensely helpful. As long as I understand this is perfectly safe to do, publish and use as I'm in the EU and is basically the same method Samba uses.
Unfortunately, the protocol contains some crypto parts required for the initial sync (subsequent connections require authentication). However, the communication itself is not encrypted in any way, which helped a lot with the process. Because it's impossible for me to figure out whatever authentication method is used, I had to disassemble the library implementing this stuff (libwms.so). This is still OK according to EU law, but I'm no longer to release that information to the public. I'm looking for alternatives or ideas on how to handle this fact.
In the meanwhile, let's talk about the protocol. It's basically a reimplementation of the TCP(/IP) ideas on top of a Bluetooth RFCOMM socket. This means that it's connection oriented and that it can multiplex several active connections (called "sessions") over a single RFCOMM link. Either side of the connection can request opening a connection based on the identifier of the listening endpoint (called a "service"). Strings are used to identify services instead of numeric ports as in TCP. For example, "/system/hostmanager" is a service that listens on the watch side. Once you open a session towards this service (i.e. once you connect to it) you can send the time/date sync commands. In addition to be the above the protocol also seems to implement QoS and reliability (automatic retransmission, ordering, etc.). It's not clear to me why they reimplemented all of this since RFCOMM is a STREAM protocol, and thus reliability is already guaranteed!! So I've not focused much on these (seemingly useless) QoS+reliability parts of the protocol.
Let's start with the link level. There are two important RFCOMM services exposed by the watch: {a49eb41e-cb06-495c-9f4f-aa80a90cdf4a} and {a49eb41e-cb06-495c-9f4f-bb80a90cdf00}. I am going to respectively call those two services "data" and "nudge" from now on. These names, as many of the following ones, are mostly made up by me .
The communication starts with Gear manager trying to open a RFCOMM socket towards the "nudge" service in the watch. This causes the watch to immediately reply back by trying to open a connection to the "data" service _on the phone_ side. So obviously this means that your phone needs to expose the "data" RFCOMM service at least. In addition, the watch will try to open a HFP-AG connection (aka it will try to simulate being a headset) to your phone. Most phones have no problem doing this so no work is required. Of course, if your phone is a PC (as in my case ) then you'll need to fake the HFP profile. I give some examples in my code above (see scripts/test-hfp-ag and hfpag.cc).
Once the RFCOMM socket from the watch to the phone "data" service is opened, the watch will immediately send what I call a "peer description" frame. This includes stuff such as the model of the watch as well as some QoS parameters which I still don't understand. The phone is supposed to reply back to this message with a peer description of its own. See sapprotocol.cc for the packet format.
After the description exchange is done, the watch will send a "authentication request" packet. This is a 65 byte bigint plus a 2 byte "challenge". The response from the phone should contain a similar 65 byte bigint, the 2 byte response, and an additional 32 byte bigint. If correct, the watch will reply with some packet I don't care about. Otherwise the connection will be dropped. It obviously looks like some key exchange. But this is the crypto part that's implemented in libwms.so....
After these two exchanges link is now set up. The first connection that needs to be opened is towards a service that is always guaranteed to be present, called "/System/Reserved/ServiceCapabilityDiscovery". It is used by both sides of the connection to know the list of available services present on the other side. Despite this, you cannot query for all services; instead, you must always know the name of the remote service you're looking for. There's some 16-byte checksum there which I don't know how to calculate, but fortunately the watch seems to ignore it!! I suspect that you're expected to actually persist the database of available services in order to shave a roundtrip when connection is being established. But this is not necessary for normal function. This service is implemented in capabilityagent.cc, capabilitypeer.cc . This part was actually one of the most complex ones because of the many concepts. I suggest reading the SDK documentation to understand all the terms ("service", "profile", "role", etc.).
If everything's gone well, now the watch will try to open a connection to a service in your phone called "/system/hostmanager". Once you get to this message things start to get fun, because the protocol used for this service is JSON! It's implementation resides in hostmanageragent.cc, hostmanagerconn.cc . For example, Gear Manager sends the following JSON message once you accept the EULA: {"btMac":"XX:XX:XX:XX:XX:XX", "msgId":"mgr_setupwizard_eula_finished_req", "isOld":1}. At this point, the watch hides the setup screen and goes straight to the menu.
Well, this concludes my high-level overview of the SAP protocol. Hope it is useful for at least someone!
Things to do:
Personally I'm looking for some traces of the notification service. Ie the one that forwards Android notifications towards the watch. For some reason it doesn't work on my phone, so I can't get traces. I suspect it's going to be a simple protocol so a few traces will be OK. It's the only stuff I'm missing in order to be able to actually use the Gear as a proper smartwatch with my Jolla.
We still need to tackle the problem of the cryptographic parts. Several options: either "wrap" the stock libwms.so file, try to RE it the "proper way", .... I'm not sure of the feasibility of any of these.
Many other services.
javispedro said:
After the description exchange is done, the watch will send a "authentication request" packet. This is a 65 byte bigint plus a 2 byte "challenge". The response from the phone should contain a similar 65 byte bigint, the 2 byte response, and an additional 32 byte bigint. If correct, the watch will reply with some packet I don't care about. Otherwise the connection will be dropped. It obviously looks like some key exchange. But this is the crypto part that's implemented in libwms.so....
Click to expand...
Click to collapse
About that 65-byte bigint... that is a 520-bit key. The usual length of ECDSA keys is exactly 520-bits, so we may have something there: it is possible that they are using ECDSA signing (just like in bitcoin, so there are a lot of implementations of that code).
Not forgotten about this!
Just an status update:
I'm still in the process of defining the API of the C library using javispedro's sources as template.
It's tougher than I originally supposed because the C++ code has a lot of forward-declarations of classes, which is very difficult to map into C. To counter that I have to move elements between structures and I'm not so comfortable with the codebase yet.
And then there is still the hard work of translating the Qt signals/slots to plain' old callbacks... and implementing the bluetooth part using bluez API... and... well, I hope that is all.
Anyway, patience .
I've now had access to a Samsung S2 and thus I have been able to obtain more traces. The latest Git now contains code to connect to the notification manager service, thus allowing to send notifications from the phone to the watch.
That was the last missing part to be able to use the Gear 2 as a 'daily' smartwatch with my Jolla, so I've now also ported the code to run under Sailfish. In fact I'm using this setup at the moment. My first comment is "wow the vibrator IS weak".
You can find a log of sapd's (ie my code) startup qDebug() messages; they may be useful (if you can't yet get your code to run)
I suspect that there may still be some important battery issues because the watch keeps printing error messages about SAP services it can't find on the phone (and instead of sleeping, it starts busy polling for them.... :/ ). It does not seem to happen while the watch is out of the charging cradle, so it may not be important, but not sure yet.
As for the encryption, I'm not sure how to proceed. I could describe the code to you, but that would be risky, because I don't understand what it does. Thus the only way (for me) to describe it would be to pass on the mathematical formulas/pseudocode ... Apart from that, we also have the problem of the keys...
Antartica said:
The usual length of ECDSA keys is exactly 520-bits, so we may have something there: it is possible that they are using ECDSA signing
Click to expand...
Click to collapse
They do use ECDH indeed, and they link with OpenSSL and import the ECDH functions. However it's not clear if they use ECDSA; while the crypto algorithm DOES resemble DSA, I cannot fully identify it.
Congratulations for managing to make it work with the Jolla .
I have finally found a suitable "flattened" class hierarchy as to be able to map your code into C; see the attachs. Basically, I have to move the functionality of SAPConnectionRequest, SAPSocket, CapabilityPeer and SAPConnection into SAPPeer, and then it is suitable for my needs.
javispedro said:
As for the encryption, I'm not sure how to proceed. I could describe the code to you, but that would be risky, because I don't understand what it does. Thus the only way (for me) to describe it would be to pass on the mathematical formulas/pseudocode ... Apart from that, we also have the problem of the keys...
They do use ECDH indeed, and they link with OpenSSL and import the ECDH functions. However it's not clear if they use ECDSA; while the crypto algorithm DOES resemble DSA, I cannot fully identify it.
Click to expand...
Click to collapse
If you manage to describe it using mathematical formulas as in
http://en.wikipedia.org/wiki/Ellipt...ture_Algorithm#Signature_generation_algorithm
it would be perfect, but I reckon that to be able write that you need intimate knowledge of the code and don't know if you have time for that :angel:
And identifying the hash function used would be a problem in itself...
One idea: how about a ltrace so we have the calls to the openssl library? That may uncover new hints.
Anyway, I have a lot of work before me until I need that, so don't fret over it.
Hi there! Any chance that the Gear can (really) work with an iPhone?
gidi said:
Hi there! Any chance that the Gear can (really) work with an iPhone?
Click to expand...
Click to collapse
agreed. Needs iPhone support please.
Antartica said:
Congratulations for managing to make it work with the Jolla .
I have finally found a suitable "flattened" class hierarchy as to be able to map your code into C; see the attachs. Basically, I have to move the functionality of SAPConnectionRequest, SAPSocket, CapabilityPeer and SAPConnection into SAPPeer, and then it is suitable for my needs.
Click to expand...
Click to collapse
You may want to look at the official Samsung SDK docs to match their class hierarchy. I tried to match my hierarchy to theirs, but this happened very late in the development process, so there is some weirdness.
Antartica said:
One idea: how about a ltrace so we have the calls to the openssl library? That may uncover new hints.
Click to expand...
Click to collapse
I more or less know what it is doing with OpenSSL, but that's because I looked at the dissassembly. They use OpenSSL for key derivation (ECDH), but the actual cryptographic algorithm is their own. This 'block cipher' is the part they have tried to obfuscate. Not much, but still enough to require more time than what I have available It is basically a set of arithmetical operations with some tables hardcoded in the libwsm.so binary, so no external calls to any library. The hardcoded tables are probably derivated from their private key, which is most definitely not on the binary. In fact I suspect this is basically AES with some changes to make it hard to extract the actual key used, so that's where I've centered my efforts.
Technically it should not even be copyrightable, so maybe I could just redistribute my C reimplementation of the algorithm, but as with any other DRM who knows these days... and that still leaves the problem of the tables/"private key".
Digiguest said:
agreed. Needs iPhone support please.
Click to expand...
Click to collapse
Well you are welcome to implement one such iPhone program yourself. Will be happy to resolve all the protocol questions you have.
(But please stop with the nagging).
Wasn't nagging at all. Just agreeing with him. I am no programmer so I have to rely on others for answers. Sorry if you thought otherwise.
Looking for to see more work on it though. Keep it up.
Hi there! Nice work on getting Gear2 to work with Jolla.
I'd love to get Gear1 to work with WP8.1. Do you have the code for Jolla
on github/bitbucket so I could give it a peek? Thanks in advance.
Duobix said:
Hi there! Nice work on getting Gear2 to work with Jolla.
I'd love to get Gear1 to work with WP8.1. Do you have the code for Jolla
on github/bitbucket so I could give it a peek? Thanks in advance.
Click to expand...
Click to collapse
javispedro had the sources in gitorius, but they are not there anymore (surely related to gitlab buying gitorius).
I attach a tarball with javispedro sources as of 19 October 2014.
Note that it lacks the files implementing the crypto, so just porting it is not enough to be able to communicate to the gear. OTOH, I know that there are some differences in the protocol between the Android Gear1 and the Tizen Gear2 (if the gear1 has been updated to Tizen, it uses the same protocol as gear2). Specifically, to be able to communicate with both watches, the gear manager package has both gear manager 1.7.x and gear manager 2.x. javispedro's code implements the gear 2 protocol.
Personally, I have my port on hold (I have problems with bluetooth in my phone, so there is no point in porting sapd right now as I would not be able to use it).
Found this thread created recently on another website. I thought you guys might be interested in reading the content.
Github page: https://github.com/julKali/nokia8-evenwell
Here are some of the most interesting comments:
mattlondon 2 days ago [-]
So I have spent some initial time looking at this.
com.evenwell.autoregistration.Caivs has some worrying looking stuff.
There is a website here with the username and password in cleartext in the jars: https://www.c2dms.com Nothing visible/doable once logged in from what I could see.
It also appears to be collecting fine-grained location data, e.g. this is the output from logcat (I have obfuscated my own GPS coords here, but they are 6 digits of accuracy)
Code:
2019-03-30 19:38:21.406 15139-15159/? D/[CAIVS] LocationFinder: LocationUpdated: 3.location:Location[gps 51.xxxxxx,-0.xxxxxx hAcc=39 et=+1d19h59m28s923ms alt=102.50201416015625 vel=3.09 bear=14.3 vAcc=24 sAcc=3 bAcc=10 {Bundle[mParcelledData.dataSize=96]}]
2019-03-30 19:38:21.406 15139-15159/? D/[CAIVS] LocationFinder: updateLocation: gps accuracy:38.592003
2019-03-30 19:38:21.406 15139-15159/? D/[CAIVS] LocationFinder: updateLocation: is in accuracy :1000
com.evenwell.autoregistration.Utils.RegisterManager seems to be doing some scheduled checks and doing something with this collected data in the first 24 hours, then phased at 15 and 90 days. It is not clear what is happening having only done an initial scan over this.
It does look like they are doing some checking to see if the device is a Nokia device and selectively doing or not doing location-based stuff based on that, e.g. from com.evenwell.autoregistration.Utils.GetInfo
Code:
2019-03-30 20:09:25.108 16558-16577/? D/[CAIVS] GetInfo: getCellLocation: in black list
Further investigation probably warranted. This looks a bit suspect and might only send data on specific days (and would explain why I did not notice anything outbound over my 4 day period of checking before).
Click to expand...
Click to collapse
I found this in English: https://web.archive.org/web/20081027134825/http://www.cseed....
Quote: "CAIVS notifies our system when the handset is purchased. Data includes the date, time, and location that a SIM card is first inserted into the handset, the inserted SIM card's telecom operator, the handset's operating system, the handset model and phone number, and even the time when it is first turned on. "
WTF.
It is not clear at the moment if there is a blacklist on the MCC code going on in com.evenwell.autoregistration.Util.XMLHelper that reads from /product/etc/AutoRegConfig.xml is this line:
Code:
<NOKIA>
<REJECTMCCLIST>232,206,284,219,280,230,238,248,244,208,262,202,216,274,510,272,222,247,295,228,246,270,278,204,242,260,268,226,231,293,655,214,240,228,234,235,520</REJECTMCCLIST>
</NOKIA>
These are - I think - the Mobile Country Codes (https://en.wikipedia.org/wiki/Mobile_country_code) it gets from the cellsite. This list is basically the EU + South Africa, Thailand and Indonesia. Don't know what things are like in SA, Thailand or Indonesia but in the EU this sort of thing would not be acceptable. Looks also like there is a hard-coded short-circuit in getLocation() in com.evenwell.autoregistration.Util.GetInfo to always return no location lat-longs which appears to trigger another shortcut in RegisterManager that shortcuts out to the "Caivs not in registration phase" log output which returns without triggering the sendToServer() calls on other code paths.
I am not convinced that this will never send location back, but looks like it might have been updated with to prevent phoning home in those countries in the MCC list (and maybe by hard-coded shortcuts the actual code). This would meet with what was said with there recent phoning home response from Nokia - i.e. (https://translate.google.com/translate?u=https://nrkbeta.no/...)
Click to expand...
Click to collapse
As foobarbazetc noted, the listed packages have been specifically developed for Nokia (HMD). And although many only actually send telemetry on Nokia phones that have been sold in China, there is still quite a lot of data at stake that can be used to track the device when combined with data from other sources.
I wanted to share my findings to create the awareness that the mechanisms are there and it only takes a little misconfiguration (see https://arstechnica.com/gadgets/2019/03/hmd-admits-the-nokia...) and all this goes straight to the Chinese authorities.
Click to expand...
Click to collapse
full thread: https://news.ycombinator.com/item?id=19530670
This is why I feel like a custom rom for this phone is long overdue so we can use our phones free of concerning bloatware and privacy issues.
Hello,
Thanks for taking some time to read this. Let me start off by mentioning that this all originated on my PC I believe and an unauthorized user obtained access to my network and therefore all my devices.
My OnePlus 7 Pro was what seriously concerned me as not only was it infected, the attacker actually pushed a firmware update to my phone and it randomly reset as I was using it into a completely different/custom rom that he of course had complete control over.
I upgraded to a OnePlus 8T and after walking out of the T-Mobile store I found out my new phone was already infected.... How? Well, the escalated priviliges this attacker had allowed him to auto connect to my OnePlus device using the OnePlus SmartSwitch app. Yeah, I thought it was crazy too.
So I've tried to hard reset my devices, which actually turned out to be a bad idea as this infection actually hijacked the the process by (I'm not super familiar with reading all the log data) but it was clear that multiple main processes were killed and it took control and a warning popped up saying (WARNING! This is a Debug Kernel and is not fit for a standard ROM. If you did not authorize this then your privacy may be at risk as this could potentially allow an unauthorized user complete control of your device" it was something along these lines, may not be the exsct wording but you get my point. (This was on my Samsung Galaxy Tab S7+)
More or less the same thing with my OnePlus 8T and it has complete control over all of my apps. The permissions my apps have are literally insane. I've attached screenshiots.
How can I mitigate this? What should I do? It has infected my 2017 MacBook Air, PC, OnePlus 8T, Samsung Galaxy Tab S7+, Asus ROG Rapture GT-AX11000 Router, Netgear Nighthawk Router and possibly more. This thing is crazy advanced to the point I didn't even know malware like this existed.
ALSO: I found out that Busy Box is installed on my devices without my authorization BUT my device isn't rooted.
[Samsung Galaxy Tab S7+]
|One UI Version|
2.5
|Android Version|
10
|Baseband Version|
T978USQS1ATJ5
|Kernel Version|
4.19.81-19543082
#2 Sun Oct 11 17:18:26 KST 2020
|Build Number|
QP1A.190711.020.T978USQS1ATJ5
|SE for Android Status|
Enforcing
SEPF_SM-T978U_10_0020
Sun Oct 11 16:58:25 2020
|Knox Version|
Knox 3.6
Knox API level 32
TIMA 4.1.0
DualDAR 1.2.0
HDM 2.0 - F
|Service Provider SW ver.|
SAOMC_SM-T978U_OYN_TMB_QQ_0026
R52N810TWJM
TMB/TMB/TMB
|Carrier Configuration Version|
2.340001
|Security Software Version|
MDF v3.1 Release 5
WLAN v1.0 Release 2
VPN PP-MOD v2.1 Release 3.0.1
ASKS v3.1 Release 20200806
ADP v3.0 Release 20191001
FIPS BoringSSL v1.4
FIPS SKC v2.1
FIPS SCrypto v2.5
SMR Oct-2020 Release 1
|Android Security Patch Level|
October 1, 2020
[T-Mobile | OnePlus 8T]
|Model|
KB2007
|Android Version|
11
|Carrier Configuartion Version|
2.360001
|Baseband Version|
MPSS.HI.2.0.c4-00028-SDX55_RMTEFS_PACK-1.327103.53
|Kernel Version|
4.19.110-perf+
#1 Wed Dec 16 22:01:42 CST 2020
|Software Version|
11.0.6.8.KB09CB
|Android Security Update|
November 1, 2020
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
I have the same malware on my device! It's a spyware-type malware, and I'm not sure how my device contracted it, to be honest. I'll type my software information below so that others can find this post, too, and not feel left out.
Model:
Samsung S9+
Model number:
SM-G956U
One UI version:
2.5
Android version:
10
Baseband version:
G965USQU9FVB2
Kernel version:
4.9.186-22990479
#1 Thu Feb 24 18:22:06 KST 2022
Build number:
QP1A.190711.020.G965USQU9FVB2
SE for Android status:
Enforcing
SEPF_SM-G965U_10_0030
Thu Feb 24 18:33:14 2022
Knox version:
Knox 3.4.1
Knox API level 30
TIMA 4.0.0
Service provider SW ver.:
SAOMC_SM-G965U_OYN_TMB_QQ_0026
32564c5336363098
TMB/XAA/VZW
Carrier configuration version:
2.450001
[Update]
(P.S. After factory resetting my device, it changed to "0.0.0")
Security software version:
MDF v3.1 Release 5
WLAN v1.0 Release 2
VPN PP-MOD v2.1 Release 3.0.1
ASKS v3.1 Release 20200806
ADP v3.0 Release 20191001
FIPS BoringSSL v1.4
FIPS SKC v1.9
FIPS SCrypto v2.2
SMR Mar-2022 Release 1
Android security patch level:
March 1, 2022
When I tried to mess around with my Developer's options, it showed that I am not the administrator. It doesn't allow me to turn on "Restrict my SMS and call log access" under Apps, and a bug report I opened and had looked at gave me these additional specifications I had never seen before:
Build fingerprint:
'samsung/star2qltesq...'
Bootloader:
G965USQU9FVB2
Radio:
G965USQU9FVB2
Network:
(unknown)
Module Metadata version:
330477090
Kernel:
Linux version 4.9.186-22990479...
Besides this, all of my applications have been compromised; they all have odd versions, permissions I cannot control (such the system app, Tips, being able download files without notifying me), can change system settings, install unknown apps, have "Open source licenses," and so on. Some of the capabilities that my app, Messages, has is the ability to modify my call logs, send out messages without my knowledge (then delete them), use my microphone to record at any given time, and connect or disconnect from Wi-Fi. It's quite difficult for me to find authentic information online, because my Google Chrome app constantly gives me false redirections to fake/modified links that appear legitimate.
Everything on my phone will tell me that the apps, the websites, and the operating system are safe and authentic, but they're all infected. I have been under the false impression that nothing was wrong with my device for months now, because judging from my Wi-Fi usage history, it had spiked up between June-July.
I'll also go ahead and attach a sh*tload of screenshots on what the malicious, system applications look like.
Rotting Brain said:
I have the same malware on my device! It's a spyware-type malware, and I'm not sure how my device contracted it, to be honest. I'll type my software information below so that others can find this post, too, and not feel left out.
Model:
Samsung S9+
Model number:
SM-G956U
One UI version:
2.5
Android version:
10
Baseband version:
G965USQU9FVB2
Kernel version:
4.9.186-22990479
#1 Thu Feb 24 18:22:06 KST 2022
Build number:
QP1A.190711.020.G965USQU9FVB2
SE for Android status:
Enforcing
SEPF_SM-G965U_10_0030
Thu Feb 24 18:33:14 2022
Knox version:
Knox 3.4.1
Knox API level 30
TIMA 4.0.0
Service provider SW ver.:
SAOMC_SM-G965U_OYN_TMB_QQ_0026
32564c5336363098
TMB/XAA/VZW
Carrier configuration version:
2.450001
[Update]
(P.S. After factory resetting my device, it changed to "0.0.0")
Security software version:
MDF v3.1 Release 5
WLAN v1.0 Release 2
VPN PP-MOD v2.1 Release 3.0.1
ASKS v3.1 Release 20200806
ADP v3.0 Release 20191001
FIPS BoringSSL v1.4
FIPS SKC v1.9
FIPS SCrypto v2.2
SMR Mar-2022 Release 1
Android security patch level:
March 1, 2022
When I tried to mess around with my Developer's options, it showed that I am not the administrator. It doesn't allow me to turn on "Restrict my SMS and call log access" under Apps, and a bug report I opened and had looked at gave me these additional specifications I had never seen before:
Build fingerprint:
'samsung/star2qltesq...'
Bootloader:
G965USQU9FVB2
Radio:
G965USQU9FVB2
Network:
(unknown)
Module Metadata version:
330477090
Kernel:
Linux version 4.9.186-22990479...
Besides this, all of my applications have been compromised; they all have odd versions, permissions I cannot control (such the system app, Tips, being able download files without notifying me), can change system settings, install unknown apps, have "Open source licenses," and so on. Some of the capabilities that my app, Messages, has is the ability to modify my call logs, send out messages without my knowledge (then delete them), use my microphone to record at any given time, and connect or disconnect from Wi-Fi. It's quite difficult for me to find authentic information online, because my Google Chrome app constantly gives me false redirections to fake/modified links that appear legitimate.
Everything on my phone will tell me that the apps, the websites, and the operating system are safe and authentic, but they're all infected. I have been under the false impression that nothing was wrong with my device for months now, because judging from my Wi-Fi usage history, it had spiked up between June-July.
I'll also go ahead and attach a sh*tload of screenshots on what the malicious, system applications look like.
Click to expand...
Click to collapse
to fix this you need to reinstall te full firmare in odin, and format the sd card o the device ( a back up is not recommended due the malware can be copy too
tutibreaker said:
to fix this you need to reinstall te full firmare in odin, and format the sd card o the device ( a back up is not recommended due the malware can be copy too
Click to expand...
Click to collapse
Thank you, I was planning on doing so, anyway. I'm just learning as much as I can before I reinstall the stock firmware, such as if there's a method I could use that wouldn't trip Knox because I like using some of the Samsung applications.
I have 2 other phones that have been compromised, as well, and the hacker knows, essentially, all my passwords now to all of my accounts, and has access to my SIM card/number. It's frustrating that when an application requests a verification code, I get messages like these:
<#> Account: [redacted] is your Samsung account verification code.
bP2ROrn3fZQ
Click to expand...
Click to collapse
<#> Your WhatsApp code: [redacted]
You can also tap on this link to verify your phone: v.whatsapp.com/[redacted]
Don't share this code with others
4sgLq1p5sV6
Click to expand...
Click to collapse
And it also gets onto my WhatsApp account. I really have to flash my mobile devices, I'm just afraid I'll f*ck up really badly.
Rotting Brain said:
Thank you, I was planning on doing so, anyway. I'm just learning as much as I can before I reinstall the stock firmware, such as if there's a method I could use that wouldn't trip Knox because I like using some of the Samsung applications.
I have 2 other phones that have been compromised, as well, and the hacker knows, essentially, all my passwords now to all of my accounts, and has access to my SIM card/number. It's frustrating that when an application requests a verification code, I get messages like these:
And it also gets onto my WhatsApp account. I really have to flash my mobile devices, I'm just afraid I'll f*ck up really badly.
Click to expand...
Click to collapse
usind odin wont trip knox
tutibreaker said:
usind odin wont trip knox
Click to expand...
Click to collapse
That's relieving to know, thank you!
I have the same issue now going on for 2 years.
I have changed everything from emails devices wifi and cel companies. I've been super careful to not access any infected data from previous devices. On my new note 20 5g ultra out of box disabled blue tooth and dis not connect to any wifi so far. I di not transfer data from any device..
I've lost so much time and money trying to get rid of this. I've lost all 99 of all my Pic videos for over the past decade emails and social media accounts.
Knox has been activated I tried to access the account but I've been unsuccessful.
Has flashing it work for anyone else. I have on previous devices galaxy 8plus just to reverse back to the compromised state.
Glow1717 said:
I have the same issue now going on for 2 years.
I have changed everything from emails devices wifi and cel companies. I've been super careful to not access any infected data from previous devices. On my new note 20 5g ultra out of box disabled blue tooth and dis not connect to any wifi so far. I di not transfer data from any device..
I've lost so much time and money trying to get rid of this. I've lost all 99 of all my Pic videos for over the past decade emails and social media accounts.
Knox has been activated I tried to access the account but I've been unsuccessful.
Has flashing it work for anyone else. I have on previous devices galaxy 8plus just to reverse back to the compromised state.
Click to expand...
Click to collapse
To be honest, I eventually gave up on it because whoever it is that wants access to my devices clearly has the resources to do so.
On top of that, no one would believe me when I tried to explain to them how serious it is and all the information I've gathered to prove my point.
Unfortunately, I'm not fluent enough in coding or low level system management to professionally explain my concern for anyone to listen to.
I came to the realization that in the bigger picture, I'm a nobody in the cybersecurity field and what that means is no one will take me, and most likely you, seriously nor do others want to spend their time assisting us for anything short of a fortune.
If you are experiencing something similar to what I've posted here then chances are high you are being targeted specifically and without the relevant cybersecurity knowledge to protect yourself, you will never get away from it.
Hate to be negative here but I can assure you that I spent countless days, weeks, months trying to figure it out by researching, contacting cybersecurity specialists, forums etc. all to no avail.
I genuinely wish you luck and if you happen to find some information you could share with me, I'd appreciate it.
Outside spending a small fortune to hire an expert to come to my house and dig deep into my network, I don't see a way to resolve it, personally.
Good luck
Sentimental Sugarcube said:
I have the same malware on my device! It's a spyware-type malware, and I'm not sure how my device contracted it, to be honest. I'll type my software information below so that others can find this post, too, and not feel left out.
Model:
Samsung S9+
Model number:
SM-G956U
One UI version:
2.5
Android version:
10
Baseband version:
G965USQU9FVB2
Kernel version:
4.9.186-22990479
#1 Thu Feb 24 18:22:06 KST 2022
Build number:
QP1A.190711.020.G965USQU9FVB2
SE for Android status:
Enforcing
SEPF_SM-G965U_10_0030
Thu Feb 24 18:33:14 2022
Knox version:
Knox 3.4.1
Knox API level 30
TIMA 4.0.0
Service provider SW ver.:
SAOMC_SM-G965U_OYN_TMB_QQ_0026
32564c5336363098
TMB/XAA/VZW
Carrier configuration version:
2.450001
[Update]
(P.S. After factory resetting my device, it changed to "0.0.0")
Security software version:
MDF v3.1 Release 5
WLAN v1.0 Release 2
VPN PP-MOD v2.1 Release 3.0.1
ASKS v3.1 Release 20200806
ADP v3.0 Release 20191001
FIPS BoringSSL v1.4
FIPS SKC v1.9
FIPS SCrypto v2.2
SMR Mar-2022 Release 1
Android security patch level:
March 1, 2022
When I tried to mess around with my Developer's options, it showed that I am not the administrator. It doesn't allow me to turn on "Restrict my SMS and call log access" under Apps, and a bug report I opened and had looked at gave me these additional specifications I had never seen before:
Build fingerprint:
'samsung/star2qltesq...'
Bootloader:
G965USQU9FVB2
Radio:
G965USQU9FVB2
Network:
(unknown)
Module Metadata version:
330477090
Kernel:
Linux version 4.9.186-22990479...
Besides this, all of my applications have been compromised; they all have odd versions, permissions I cannot control (such the system app, Tips, being able download files without notifying me), can change system settings, install unknown apps, have "Open source licenses," and so on. Some of the capabilities that my app, Messages, has is the ability to modify my call logs, send out messages without my knowledge (then delete them), use my microphone to record at any given time, and connect or disconnect from Wi-Fi. It's quite difficult for me to find authentic information online, because my Google Chrome app constantly gives me false redirections to fake/modified links that appear legitimate.
Everything on my phone will tell me that the apps, the websites, and the operating system are safe and authentic, but they're all infected. I have been under the false impression that nothing was wrong with my device for months now, because judging from my Wi-Fi usage history, it had spiked up between June-July.
I'll also go ahead and attach a sh*tload of screenshots on what the malicious, system applications look like.
Click to expand...
Click to collapse
I'm glad that at least someone believes me.
My God, seriously.
I really hope you were able to get this fixed. I haven't been able to since my entire network has been infected. It's a really long story but the bottom line is that I've never seen malware with these capabilities. They are incredible and not one you would ever want to be infected with.
Glow1717 said:
I have the same issue now going on for 2 years.
I have changed everything from emails devices wifi and cel companies. I've been super careful to not access any infected data from previous devices. On my new note 20 5g ultra out of box disabled blue tooth and dis not connect to any wifi so far. I di not transfer data from any device..
I've lost so much time and money trying to get rid of this. I've lost all 99 of all my Pic videos for over the past decade emails and social media accounts.
Knox has been activated I tried to access the account but I've been unsuccessful.
Has flashing it work for anyone else. I have on previous devices galaxy 8plus just to reverse back to the compromised state.
Click to expand...
Click to collapse
I'm very sorry to hear that, I can't imagine what it's like to have to deal with this for such a long time. I slowly started losing my sanity when my devices were infected, especially my primary device (the Samsung Galaxy S9+), and had started becoming irrational at times due to the paranoia and lack of understanding about what had been going on the entire time.
I have yet to flash any of my devices, so I don't know just how well it'll work out doing so. What Android version is your Samsung Galaxy S8+, though? Because devices running on Android 9 (Pie) and up are pretty unique in the sense that the security rids the device of malware & spyware once a factory reset takes place, so if you have a newer operating system like you do on your Samsung Galaxy Note 20 Ultra 5G, then you may be able to fix that issue. Although, it would only clear up issues you have on your firmware/software & not be able to help issues you'd occur with a compromised hardware & network connection.
When I factory reset my Samsung Galaxy S9+ (which runs on Android 10), the oddity disappeared! I wish I had done it sooner or routinely, at least, because it would've saved me from so much stress & anxiety.
Although, as @JesseJamez55 mentioned, you may be directly targeted, and that makes a huge difference in the matter. I, for one, am not specifically in the center of attention — my best friend is, and I suppose I somehow got involved in this awfulness just for knowing about so many of the concerning experiences he's had in the last several years.
JesseJamez55 said:
To be honest, I eventually gave up on it because whoever it is that wants access to my devices clearly has the resources to do so.
On top of that, no one would believe me when I tried to explain to them how serious it is and all the information I've gathered to prove my point.
Unfortunately, I'm not fluent enough in coding or low level system management to professionally explain my concern for anyone to listen to.
I came to the realization that in the bigger picture, I'm a nobody in the cybersecurity field and what that means is no one will take me, and most likely you, seriously nor do others want to spend their time assisting us for anything short of a fortune.
If you are experiencing something similar to what I've posted here then chances are high you are being targeted specifically and without the relevant cybersecurity knowledge to protect yourself, you will never get away from it.
Hate to be negative here but I can assure you that I spent countless days, weeks, months trying to figure it out by researching, contacting cybersecurity specialists, forums etc. all to no avail.
I genuinely wish you luck and if you happen to find some information you could share with me, I'd appreciate it.
Outside spending a small fortune to hire an expert to come to my house and dig deep into my network, I don't see a way to resolve it, personally.
Good luck
Click to expand...
Click to collapse
I was planning on doing the same thing when I had gotten tired of it; I was just going to accept that my life will always be this way and there's nothing I can do to try to stop it from happening because I wasn't educated enough about the problems I was facing, and couldn't find any real information due to the DSN spoofing.
It's best to not share this with too many people — we'll end up looking like nutjobs, which we probably are a little of, due to apophenia & the heightened stress/anxiety (causing paranoia), haha. But in all seriousness, the people of people won't understand or believe is — especially when we're more suspectable to being discredited.
I think that's what the hackers/stalkers do — pick out & mess with those that have disadvantages (such as if one uses illegal substances known to distort our thinking or if one is diagnosed with a serious mental illness) because we're easily discredited.
How long has this been happening to you, if you don't mind me asking?
JesseJamez55 said:
I'm glad that at least someone believes me.
My God, seriously.
I really hope you were able to get this fixed. I haven't been able to since my entire network has been infected. It's a really long story but the bottom line is that I've never seen malware with these capabilities. They are incredible and not one you would ever want to be infected with.
Click to expand...
Click to collapse
I was extremely relieved when I found out there are others that believed me too & who were suffering from the same issues & malware.
I was able to get it fixed, thankfully, but I've also changed my way of thinking about this whole thing. I've started taking my medications, too (or I'm starting to again). And I agree, it's definitely a considerably severe form of electronic harassment. But I suppose it's inevitable, and there's no point in stressing out so much over it anymore — for me, at least.
JesseJamez55 said:
To be honest, I eventually gave up on it because whoever it is that wants access to my devices clearly has the resources to do so.
On top of that, no one would believe me when I tried to explain to them how serious it is and all the information I've gathered to prove my point.
Unfortunately, I'm not fluent enough in coding or low level system management to professionally explain my concern for anyone to listen to.
I came to the realization that in the bigger picture, I'm a nobody in the cybersecurity field and what that means is no one will take me, and most likely you, seriously nor do others want to spend their time assisting us for anything short of a fortune.
If you are experiencing something similar to what I've posted here then chances are high you are being targeted specifically and without the relevant cybersecurity knowledge to protect yourself, you will never get away from it.
Hate to be negative here but I can assure you that I spent countless days, weeks, months trying to figure it out by researching, contacting cybersecurity specialists, forums etc. all to no avail.
I genuinely wish you luck and if you happen to find some information you could share with me, I'd appreciate it.
Outside spending a small fortune to hire an expert to come to my house and dig deep into my network, I don't see a way to resolve it, personally.
Good luck
Click to expand...
Click to collapse
Your completely right. I thank you for your feedback and I greatly appreciate it. I usually get laughed at or from IT support at cox or other companies that will explain how to what is happening to my digital life is none existent and has not been developed yet and send me on my way after a virus scan resulting in 0 threats.
Your also think your right been someone targeting me. At this point I need to get my foil hat.. I really don't share that thought because even my bf has advised me to get a mental health evaluation... I understand after hearing me try to figure it out for mths 24/7..
This is the reason why I believe that it is a possibility. When all this came about I lived in North Las Vegas it's pretty bad unfortunately I didn't know when I bought and moved in from California. I felt safe it's a gated community!
I'm just gonna lay it out and I know what I sound like and I did end up going to get checked out clean menta aside from some anxiety from all of this.
After moving in a mth later I had some tampering with my truck but wasn't sure maybe by accident I did it .. I was always on the run.. but a few wks later I heard the back door open and I asked who was there and I caught someone's backside running out. I figured some stupid curious teen .. so concerned me living alone employed running a company and also a side business flipping cars and a truck a sports car and a classic that I was rebuilding.. maybe was drawing attention of the wrong kind. I got me a dog! Problem fixed um no still night noises outside and once on the roof that my BF was there that night and we would call the Police dept.. over and over again. So time to get cameras. Started with the ring system I had cameras in every direction including a couple inside. It was amazing! For a day that night someone tripped by breaker lost power again we ran out it was the BF of the person that managed the community... another police report for the pile. To make it short unless I was looking at it live what ever that was recorded I would get to see it original video maybe once and when I would try to show someone video would be gone or edited (at the time I did not know that video could be edited or set privacy guards filters from amazon etc) also I would started to see at night someone with lazer pointers. Later I was told it would disable the camera. True or not after looking like a mad woman with claiming to have proof to call the police.. and I no longer had the evidence no matter where I would back It up to.. I was mad all that money on the ring for this BS.. so I got Canary then I got Alfred and a long list of cameras apps and all the same. Luckily I was giving some credit when on a motion in an inside my home you could see a hand reaching to move the camera a I was able to show my BF and a friend but by the time pd showed up the video had been edited and the beginning with the dogs barking and the hand over my bed reaching for the camera was missing.. yes someone was in my bedroom while I was asleep and my BF was in bed asleep with me. The other hard evidence was not digital.. I was in the bathroom and heard noise coming from under my home.. I screamed out for help to the people that had come over for a get together. They saw the guy run from under the house and they chased him about a block and jumped into a waiting minivan. The rest of evidence I had in video that I once could see actual break ins in process and video with excellent quality would with in a min turn to a smear of colors exta zoomed imaged glared lights .. that nobody believed that I saw the person committing the crime. I had kept the videos and images of my smeared proof with hopes that one day I could get help and reverse the editing that destroyed my proof. I don't have many left..
After living in fear with most of my belongings and valuable stolen a walked away from my purchased home to rent in a safer neighborhood. Un the process I lost my job my side business..the classic dismantle my truck crashed into while parked at night hit and run ofcourse and turbo taken out of sports car .. and almost losing my mental.. having to deal with "hacking" constantly having to change passwords removing my device form child restrictions or fighting with my own virus protection software that would be program to restrict me accessing help and getting error codes when accessing government agencies google cox and tmobile.. it was the worst I believe. I'm glad I'm safe but still with this issue issue.. I've been trying to learn on my own and I Google everything.. I mean every word I come across and YouTube if I need further clarification and I started taking some classes to understand and remove and prevent what is happening to me one day.
Sorry about the novel.. lol
I'm going to attach a sample of my smeared images and some images of the modification that I have currently maybe someone understand all of this
Where I'm at .. I bought this phone and did not connect to wifi disabled blue tooth and disabled automatic downloads and I had not even turned on my data .. so I looked into OTA .. over the air programing and issues with samsung the data breaches etc.. I talk to samsung they said the modifications was not via OTA .. the IT rep could have been right ?? Not sure yet .. how else could possibly else be .. (about 2 years ago I found in my google shared doc that I was sharing to other my experiments results with radio data communication.. and was very common for me to see the verbiage spectrum radio, RTU, Scada, unlicensed radio, IoT, Ericson, transmitting data over radio as a wifi alternative. Alot of the apps I had then had something to do with that technology and companies) My ignorance at the time told me it had something to do with the huge radio antena that came with the home.
So I revisited that idea as a possible entrance point of infection??
I found libav64 with over 1060 system files saved on my device
Also in the framework files I found several of Verizon files.. I have t mobile never had Verizon. Because I have a Verizon build enforcing t mobile .. tmobile support accused me of inserting a Verizon chip .. I explained that I don't have one and never did .. she asked me to return it manufactur and exchange for new one.
I'm having an issue with upload speed for the images so I will repost with just the images
Sentimental Sugarcube said:
I'm very sorry to hear that, I can't imagine what it's like to have to deal with this for such a long time. I slowly started losing my sanity when my devices were infected, especially my primary device (the Samsung Galaxy S9+), and had started becoming irrational at times due to the paranoia and lack of understanding about what had been going on the entire time.
I have yet to flash any of my devices, so I don't know just how well it'll work out doing so. What Android version is your Samsung Galaxy S8+, though? Because devices running on Android 9 (Pie) and up are pretty unique in the sense that the security rids the device of malware & spyware once a factory reset takes place, so if you have a newer operating system like you do on your Samsung Galaxy Note 20 Ultra 5G, then you may be able to fix that issue. Although, it would only clear up issues you have on your firmware/software & not be able to help issues you'd occur with a compromised hardware & network connection.
When I factory reset my Samsung Galaxy S9+ (which runs on Android 10), the oddity disappeared! I wish I had done it sooner or routinely, at least, because it would've saved me from so much stress & anxiety.
Although, as @JesseJamez55 mentioned, you may be directly targeted, and that makes a huge difference in the matter. I, for one, am not specifically in the center of attention — my best friend is, and I suppose I somehow got involved in this awfulness just for knowing about so many of the concerning experiences he's had in the last several years.
Click to expand...
Click to collapse
My situation isn't on Android only, it's my entire network which includes the following;
PC's
Android Phones
Android Tablets (No longer own)
Macbook Pro (No longer own)
MacBook Air (No longer own)
Chromebook (After allowing Linux via Developer Settings)
Router
Samsung Smart TV (No longer own)
Sony AV Receiver
My CCTV DVR System (No longer own)
Any other device that either connects to my network or can be accessed via the Nearby Devices pervasive permission within Android (This is my best guess for how devices are being infected when I haven't in any way accessed my network)
After all my research and some helpful clues/texts/emails sent to me, i found out that I am being specifically targeted by my upstairs neighbor that strongly dislikes me and finds me extremely amusing.
I won't go into further details but this is why I gave up. They are exponentially more fluent in cybersecurity than I could ever hope to be and since they have local access to my devices, I could never hope to win. I need to move which I will be doing very soon.
This is why I say if you are going through anything close to what I am then it's almost certainly a targeted attack. I'm sure there are other possibilities but this is what my experience is.
Do you ever use the Tor network? Depending on where you decided to browse or what you may have downloaded, you can get some especially nasty malware from there, too. Even just browsing some sites can deliver drive-by malware or not having your browser/firewall set up correctly is enough to lose your anonymity. Something to think about since it could be a government agency keeping tabs on you for a reason only you would know. Just a thought.I'll leave you with one final thought; would you honestly consider yourself a very interesting person? Do you have hobbies others would be interested in learning more about it they had the relevant skills to do so?After thinking about it, I do. I have my hobbies that I would find different or weird if I were someone else. So that mixed with some neighbors that have networking skills, are always home and way to damn nosy is how I got where I'm at.That's my real situation so just something to consider.
I am so glad I came across this thread. Honestly. Had the exact same issue Dec last year. Although I suspect they were in the network for a couple of years before I realised. Tried to solve it for 6 weeks. Gave up, threw all network devices out and started over. All good. For three months. Even with the most strictest routines in watching what I was clicking online, not downloading anything, updates ran regularly, new vpn and more costly antivirus and equipment. It returned.
I honestly don't think its a personal attack, but it's insane how it spreads. I've worked constantly on it since June. Contacted so many people. I can't afford to throw this new stuff out, don't have money to replace it all again. My doc sent me to see a psychiatrist. Said I'm delusional. I told them I was feeling stressed and exhausted just trying to boot whoever this was out of my network and life. Psychiatrist says I'm sane, just needing to relax and have someone actually listen to me.
I have 2 pcs, laptop, 3 mobile phones, xboxes and TV being controlled by whatever this is. Root trust certs are all wrong. Traffic being directed to http although looks legit as if its https. All have been flashed with wrong ota updates. I am considering flashing my phone but don't think it will help as will be doing it with infected pc... seems pointless.
I am starting to realise I have to live with it and just get on with stuff. I've been seriously slacking in work and been so focused on this malware/spyware/rootkit whatever it is.
Honestly it's a massive relief to know I am not alone.
I am having the same issue. What I have learned so far:
> The malware is a RAT
> It can infect and embed itself in most IoT capable devices and most anything that has RF capability, including BT, NFC, Zigbee, etc.
>It enumerates all devices in your local network. After this step it appears to inject malicious code into device drivers, specifically network interfaces. It then creates virtual network interfaces, swaps and/or spoofs MAC addresses on the devices in your network. For example, what appears to be your router on first glance, is actually your xbox or laptop which is now hosting all your devices while your router is throwing out hidden wifi networks that connect other devices.
>It creates virtual BT interfaces and is capable of discreetly connecting with other BT capable devices in the background.
>It appears to be sending a continous video/audio stream to servers located in New York and Ashburn, VA.
>It changes VPN settings for your carrier.
>It routes browser traffic to a CDN server so you get preloaded versions of certain webpages and apps.
>Some of the code I discovered in app manifests include instructions for the phone to access a created hidden camera interface called "hiddencamera0", while specifying that the led indicator for the camera remains turned off.
>It prevents me from doing a hard reset and won't allow usb or wireless debugging, making it impossible (for me at least) to flash a new OS to my device.
>When I removed certain DNS entries from the registry or updated my AD on any of my 4 Windows based computers, the OS was wiped. When it was reinstalled, the same activity resumed.
>Using simple network command prompts, I discovered early on that my computers had established connections with various servers, even with all of the network capable devices turned off. I was able to stop these by disabling each device.
>Each time the device is restarted, the malware seems to gain more control over the system.
>Antivirus software does not detect it and the only way I was able to see what was going on was to uninstall my antivirus and go into Windows Defender Firewall as an admin. There I was able to see over a hundred rules enabling communication between my device and the remote server. I immediately deleted the inbound and outbound rules, but they repopulated until I manually disabled each interface. The first time I did this on my laptop, my phone and my son's phone actually switched back to the appropiate mobile network for about 15 minutes. Then my computer reset itself and it went back to it's malware version of operation.
I will attach screenshots a bit later.
Oh y
sudo_null said:
I am having the same issue. What I have learned so far:
> The malware is a RAT
> It can infect and embed itself in most IoT capable devices and most anything that has RF capability, including BT, NFC, Zigbee, etc.
>It enumerates all devices in your local network. After this step it appears to inject malicious code into device drivers, specifically network interfaces. It then creates virtual network interfaces, swaps and/or spoofs MAC addresses on the devices in your network. For example, what appears to be your router on first glance, is actually your xbox or laptop which is now hosting all your devices while your router is throwing out hidden wifi networks that connect other devices.
>It creates virtual BT interfaces and is capable of discreetly connecting with other BT capable devices in the background.
>It appears to be sending a continous video/audio stream to servers located in New York and Ashburn, VA.
>It changes VPN settings for your carrier.
>It routes browser traffic to a CDN server so you get preloaded versions of certain webpages and apps.
>Some of the code I discovered in app manifests include instructions for the phone to access a created hidden camera interface called "hiddencamera0", while specifying that the led indicator for the camera remains turned off.
>It prevents me from doing a hard reset and won't allow usb or wireless debugging, making it impossible (for me at least) to flash a new OS to my device.
>When I removed certain DNS entries from the registry or updated my AD on any of my 4 Windows based computers, the OS was wiped. When it was reinstalled, the same activity resumed.
>Using simple network command prompts, I discovered early on that my computers had established connections with various servers, even with all of the network capable devices turned off. I was able to stop these by disabling each device.
>Each time the device is restarted, the malware seems to gain more control over the system.
>Antivirus software does not detect it and the only way I was able to see what was going on was to uninstall my antivirus and go into Windows Defender Firewall as an admin. There I was able to see over a hundred rules enabling communication between my device and the remote server. I immediately deleted the inbound and outbound rules, but they repopulated until I manually disabled each interface. The first time I did this on my laptop, my phone and my son's phone actually switched back to the appropiate mobile network for about 15 minutes. Then my computer reset itself and it went back to it's malware version of operation.
I will attach screenshots a bit later.
Click to expand...
Click to collapse
One more thing that is particularly disturbing: It appears to be connected to my vehicle BT and Uconnect interface. There is more, but I will inckude that later as well.
This is exactly what I am facing.
It seems like it has been a couple of years.
Yes the LED of the camera is off too.
Did you manage to solve it ?
Anyone with a solution?
To be honest I'm not into the cybersecurity field but it sounds like the ultimate type of malware - one that hacks everything conveniently. I hate to say it, but you might have to replace literally everything. You could try to at least backup some stuff that's important but you're going to have to look at the local technician to see what you need. I could provide some help for those who need it in this forum.
Glow1717 said:
Your completely right. I thank you for your feedback and I greatly appreciate it. I usually get laughed at or from IT support at cox or other companies that will explain how to what is happening to my digital life is none existent and has not been developed yet and send me on my way after a virus scan resulting in 0 threats.
Your also think your right been someone targeting me. At this point I need to get my foil hat.. I really don't share that thought because even my bf has advised me to get a mental health evaluation... I understand after hearing me try to figure it out for mths 24/7..
This is the reason why I believe that it is a possibility. When all this came about I lived in North Las Vegas it's pretty bad unfortunately I didn't know when I bought and moved in from California. I felt safe it's a gated community!
I'm just gonna lay it out and I know what I sound like and I did end up going to get checked out clean menta aside from some anxiety from all of this.
After moving in a mth later I had some tampering with my truck but wasn't sure maybe by accident I did it .. I was always on the run.. but a few wks later I heard the back door open and I asked who was there and I caught someone's backside running out. I figured some stupid curious teen .. so concerned me living alone employed running a company and also a side business flipping cars and a truck a sports car and a classic that I was rebuilding.. maybe was drawing attention of the wrong kind. I got me a dog! Problem fixed um no still night noises outside and once on the roof that my BF was there that night and we would call the Police dept.. over and over again. So time to get cameras. Started with the ring system I had cameras in every direction including a couple inside. It was amazing! For a day that night someone tripped by breaker lost power again we ran out it was the BF of the person that managed the community... another police report for the pile. To make it short unless I was looking at it live what ever that was recorded I would get to see it original video maybe once and when I would try to show someone video would be gone or edited (at the time I did not know that video could be edited or set privacy guards filters from amazon etc) also I would started to see at night someone with lazer pointers. Later I was told it would disable the camera. True or not after looking like a mad woman with claiming to have proof to call the police.. and I no longer had the evidence no matter where I would back It up to.. I was mad all that money on the ring for this BS.. so I got Canary then I got Alfred and a long list of cameras apps and all the same. Luckily I was giving some credit when on a motion in an inside my home you could see a hand reaching to move the camera a I was able to show my BF and a friend but by the time pd showed up the video had been edited and the beginning with the dogs barking and the hand over my bed reaching for the camera was missing.. yes someone was in my bedroom while I was asleep and my BF was in bed asleep with me. The other hard evidence was not digital.. I was in the bathroom and heard noise coming from under my home.. I screamed out for help to the people that had come over for a get together. They saw the guy run from under the house and they chased him about a block and jumped into a waiting minivan. The rest of evidence I had in video that I once could see actual break ins in process and video with excellent quality would with in a min turn to a smear of colors exta zoomed imaged glared lights .. that nobody believed that I saw the person committing the crime. I had kept the videos and images of my smeared proof with hopes that one day I could get help and reverse the editing that destroyed my proof. I don't have many left..
After living in fear with most of my belongings and valuable stolen a walked away from my purchased home to rent in a safer neighborhood. Un the process I lost my job my side business..the classic dismantle my truck crashed into while parked at night hit and run ofcourse and turbo taken out of sports car .. and almost losing my mental.. having to deal with "hacking" constantly having to change passwords removing my device form child restrictions or fighting with my own virus protection software that would be program to restrict me accessing help and getting error codes when accessing government agencies google cox and tmobile.. it was the worst I believe. I'm glad I'm safe but still with this issue issue.. I've been trying to learn on my own and I Google everything.. I mean every word I come across and YouTube if I need further clarification and I started taking some classes to understand and remove and prevent what is happening to me one day.
Sorry about the novel.. lol
I'm going to attach a sample of my smeared images and some images of the modification that I have currently maybe someone understand all of this
Where I'm at .. I bought this phone and did not connect to wifi disabled blue tooth and disabled automatic downloads and I had not even turned on my data .. so I looked into OTA .. over the air programing and issues with samsung the data breaches etc.. I talk to samsung they said the modifications was not via OTA .. the IT rep could have been right ?? Not sure yet .. how else could possibly else be .. (about 2 years ago I found in my google shared doc that I was sharing to other my experiments results with radio data communication.. and was very common for me to see the verbiage spectrum radio, RTU, Scada, unlicensed radio, IoT, Ericson, transmitting data over radio as a wifi alternative. Alot of the apps I had then had something to do with that technology and companies) My ignorance at the time told me it had something to do with the huge radio antena that came with the home.
So I revisited that idea as a possible entrance point of infection??
I found libav64 with over 1060 system files saved on my device
Also in the framework files I found several of Verizon files.. I have t mobile never had Verizon. Because I have a Verizon build enforcing t mobile .. tmobile support accused me of inserting a Verizon chip .. I explained that I don't have one and never did .. she asked me to return it manufactur and exchange for new one.
I'm having an issue with upload speed for the images so I will repost with just the images
Click to expand...
Click to collapse
You need to right now remove the malware, as that's the problem. The symptoms of this malware seems to be that people randomly attack you because they know your location and are listening to you 24x7. You remove that malware first and then fix the home security later. Good luck
This seems a bit over-exaggerated, the "dangerous" processes you're talking about actually look like normal services on a samsung device lol, it's not uncommon for some frameworks and stuff to have a lot of privileges, the message you're saying you see on boot could maybe be the:
Code:
The phone is not running Samsung's official software. You may have problems with features or security. and you won't be able to install software updates.
This is typical for a bootloader unlocked/modified device, feel free to send photos of the messages you're describing, and it can help point into the correct direction.
The "traced" app you're using seems very misinforming though. The Call app having permissions to call and read storage/contacts is normal.
If you're really that paranoid about random services (which look fairly normal) - feel free to format everything, debloat down to the core OS, wrap your walls in tin-foil, throw out your phone and hide under your bed lol (sarcasm)
rainyskye said:
This seems a bit over-exaggerated, the "dangerous" processes you're talking about actually look like normal services on a samsung device lol, it's not uncommon for some frameworks and stuff to have a lot of privileges, the message you're saying you see on boot could maybe be the:
Code:
The phone is not running Samsung's official software. You may have problems with features or security. and you won't be able to install software updates.
This is typical for a bootloader unlocked/modified device, feel free to send photos of the messages you're describing, and it can help point into the correct direction.
The "traced" app you're using seems very misinforming though. The Call app having permissions to call and read storage/contacts is normal.
If you're really that paranoid about random services (which look fairly normal) - feel free to format everything, debloat down to the core OS, wrap your walls in tin-foil, throw out your phone and hide under your bed lol (sarcasm)
Click to expand...
Click to collapse
And remember kids, if someone tells you "the government wouldn't do that!", Oh yes they would.
rainyskye said:
This seems a bit over-exaggerated, the "dangerous" processes you're talking about actually look like normal services on a samsung device lol, it's not uncommon for some frameworks and stuff to have a lot of privileges, the message you're saying you see on boot could maybe be the:
Code:
The phone is not running Samsung's official software. You may have problems with features or security. and you won't be able to install software updates.
This is typical for a bootloader unlocked/modified device, feel free to send photos of the messages you're describing, and it can help point into the correct direction.
The "traced" app you're using seems very misinforming though. The Call app having permissions to call and read storage/contacts is normal.
If you're really that paranoid about random services (which look fairly normal) - feel free to format everything, debloat down to the core OS, wrap your walls in tin-foil, throw out your phone and hide under your bed lol (sarcasm)
Click to expand...
Click to collapse
I love how we are calling them schizophrenias, when they clearly need help with cleaning a serious infection on their devices
fillwithjoy1 said:
I love how we are calling them schizophrenias, when they clearly need help with cleaning a serious infection on their devices
Click to expand...
Click to collapse
could that infection be called "blink" by any chance? it's a serious piece of software that makes its way onto every windows and android device without user discretion. that sounds a lot like what's happening, and blink has the ability to utilize any active internet connections when activated.
pmnlla said:
could that infection be called "blink" by any chance? it's a serious piece of software that makes its way onto every windows and android device without user discretion. that sounds a lot like what's happening, and blink has the ability to utilize any active internet connections when activated.
Click to expand...
Click to collapse
Possibly could be, but it does seem like the OP would need to completely reset their devices which won't be easy