Database Info

[Exploit] Location Stealing on Samsung smartphones

Edit: Uploaded new APK which is compatible with devices from Android 2.0 and up.
First of all, let me say this: I love Samsung smartphones, I myself own one, the Samsung Galaxy S, and these are great devices. Me sharing this information is only in the will to do good, so that people know how to protect themselves from this exploit and to pressure Samsung in fixing it on future updates.
What my exploit does it to obtain the user location, without the app needing any android permission AT ALL. Usually you could obtain the user location by using permissions such as ACCESS_COARSE_LOCATION, ACCESS_FINE_LOCATION or even via Internet. The thing is, by using one of those, the user is alerted that that particular app will have access to those permissions on the device, but with my exploit the app is able to get the same info without issuing any of those. Also, this does not rely on having Root permissions on the device, this exploit works on out-of-the box devices.
The reason why this happens is because a certain widget (accurweather widget that comes with the phone) on some modern Samsung phones places the info about the location readable by every app in System Properties, its hidden from the 'naked eye' if you're just looking at the API, but you just have to know its name to get it. So these next 2 lines of code will get you the information used for the exploit (go ahead and compile your own version if you're afraid of my APK):
String value1 = Settings.System.getString(getContentResolver(), "aw_daemon_service_key_city_name");
String value2 = Settings.System.getString(getContentResolver(), "aw_daemon_service_key_detail_info");
The problem is even more serious than I first though, because you only need to have the widget on the launcher once, and that info will remain in the system informations when you remote it from the launcher, even across reboots or even if you clear the widget's data and cache (pretty scary :S). Sometimes (I don't know why exactly yet) the info goes away for good, but only if you don't have this widget on your launcher!
So, what devices does this affect. From my tests, it affect the Galaxy Note and the Samsung Galaxy S II, but it should affect much more new Samsung devices probably, I just didn't test. I have a SGS but since I run cyanogenMod there was no point running it there either (cyanogenmod ftw! ).
Of course you might be wondering right now, that if you MANUALLY set the place to some strange place on the widget (let's say a remote village in China) what is reported by the exploit will be that place, but it seems to me that most people will be using this on "current location" setting.
So my truly advise is, root the phone and remove the widget for good (needs root because it is a system app). If you don't want to root the phone, then just manually change the place of the widget to something else.
In this thread I leave the simple app that shows you if your device its exploitable, and if so it shows you SOME of the information that could be exploited. As you'll notice during install, no permissions are required, nor the app will at any time ask for root permissions.
Market link to same app: https://market.android.com/details?id=com.pedronveloso.samsunglocationstealing

Indeed, very good sharing...
Keep the good work...
Cheers

Fortunately i don´t use TW....

"Issue parsing the package" error and does not let me download in the market as I'm on an LG Thrill. I would however like to see if the Thrill/O3D's Accuweather widget is also prone to this issue. Thank you.

So would it be enough for Accuweather to be updated (once its patched), or is the problem deeper then that?

Simple solution for me, just removed it.
Will search for an other weather app.

We have a class action lawsuit against HTC/Accuweather going on over on the HTC EVO side, although our accuweather issue is it's transmitting location unencrypted in plain text to advertisers.
Wonder if this could be modified to work with the Sprint/HTC accuweather

Snuble said:
So would it be enough for Accuweather to be updated (once its patched), or is the problem deeper then that?
Click to expand...
Click to collapse
From what I understand, the data is pulled with no permission or anything only because it's a system app. Remove it and be safe.

I knew I froze the app for a reason! Thanks for sharing your discovery.

Snuble said:
So would it be enough for Accuweather to be updated (once its patched), or is the problem deeper then that?
Click to expand...
Click to collapse
I don't know for sure yet, but I'm guessing it probably could. The thing is, I think accurweather its a modified version for the Samsung phones, so only a ROM itself would carry such update, and we know how long those take :\.

bedwa said:
"Issue parsing the package" error and does not let me download in the market as I'm on an LG Thrill. I would however like to see if the Thrill/O3D's Accuweather widget is also prone to this issue. Thank you.
Click to expand...
Click to collapse
Was probably because I made the minimum SDK equals to Android 2.3.3 . I've fixed that now, on the attachment and on the Market, so go ahead and try again please

Could anybody do me a huge favour, all i need is a screenshot of the results this application gets (a real location)
Im doing a dissertation on android gps forensics and it would be useful and as i dont have a samsung myself i cant do it.

Phil750123 said:
Could anybody do me a huge favour, all i need is a screenshot of the results this application gets (a real location)
Im doing a dissertation on android gps forensics and it would be useful and as i dont have a samsung myself i cant do it.
Click to expand...
Click to collapse
This an earlier screenshot I have, almost the same but field names are in portuguese, however the info extracted is the same and reads in English so you can get the idea.

Thanks a lot just what i needed!

Hi, very good work.
it's possible to know which version of accuweather you refer?

Reports null on my samsung
Sent from my SGH-T679 using XDA App

Security Issues. a must see and read

Okay so ive been battling this for sometime. I'm starting to get a little more knowledgeable but still don't know what to do with all this.I experienced this first back in 2015 then I completely made a switch. Well now I'm back to same issues.
The problems I'm experiencing is it's happening on all the devices I have. The phone I'm on now bought brand new from metropcs. and not even a day 30minutes later I get an update for the phone. I new not to install or download. But it inventively did. Now it's sitting on my storage wanting me to move files to root.
LET ME MAKE THIS CLEAR. NON OF MY DEVICES ARE ROOTED.
to make this short. My devices seem to have a Bluetooth admin. And connects to any Bluetooth device without me knowing.
So far from what I see chromium and stage fright is a big part of what I'm seeing.
I'm attaching some pictures to give more detail look. And it's not just my Android devices it's my Xbox one S as well.
looking to completely remove. I'm not trying to waste money on switching networks or completly going Mia.
Fast responses please.
Sincerly,
-Desperate androidian

BLEEDCOLORYOU said:
Okay so ive been battling this for sometime. I'm starting to get a little more knowledgeable but still don't know what to do with all this.I experienced this first back in 2015 then I completely made a switch. Well now I'm back to same issues.
The problems I'm experiencing is it's happening on all the devices I have. The phone I'm on now bought brand new from metropcs. and not even a day 30minutes later I get an update for the phone. I new not to install or download. But it inventively did. Now it's sitting on my storage wanting me to move files to root.
LET ME MAKE THIS CLEAR. NON OF MY DEVICES ARE ROOTED.
to make this short. My devices seem to have a Bluetooth admin. And connects to any Bluetooth device without me knowing.
So far from what I see chromium and stage fright is a big part of what I'm seeing.
I'm attaching some pictures to give more detail look. And it's not just my Android devices it's my Xbox one S as well.
looking to completely remove. I'm not trying to waste money on switching networks or completly going Mia.
Fast responses please.
Sincerly,
-Desperate androidian
Click to expand...
Click to collapse
The Android community isn't what it used to be that's for sure. No help, no suggestions. Just nothing.

BLEEDCOLORYOU said:
Okay so ive been battling this for sometime. I'm starting to get a little more knowledgeable but still don't know what to do with all this.I experienced this first back in 2015 then I completely made a switch. Well now I'm back to same issues.
The problems I'm experiencing is it's happening on all the devices I have. The phone I'm on now bought brand new from metropcs. and not even a day 30minutes later I get an update for the phone. I new not to install or download. But it inventively did. Now it's sitting on my storage wanting me to move files to root.
LET ME MAKE THIS CLEAR. NON OF MY DEVICES ARE ROOTED.
to make this short. My devices seem to have a Bluetooth admin. And connects to any Bluetooth device without me knowing.
So far from what I see chromium and stage fright is a big part of what I'm seeing.
I'm attaching some pictures to give more detail look. And it's not just my Android devices it's my Xbox one S as well.
looking to completely remove. I'm not trying to waste money on switching networks or completly going Mia.
Fast responses please.
Sincerly,
-Desperate androidian
Click to expand...
Click to collapse
I'm no expert but I'm struggling to see your exact issue you seem to think you have, is it just t your Bluetooth is switching on. All those licences, security certs, file locations etc look normal to me (without checking numbers or being able to compare to same phone os etc) though I have disabled many of those certs eg the Turkish ones etc & my Bluetooth files are different but I can find ref hill those locations online eg Xieomi phones
You appear to have a ZTE, please give model number and current OS & rev (must be stock I suppose). ZTE was found with a backdoor in older phones, sending data to China, so it's possible, & some Chinese phones also update their apps without notification. But as you say your whole network appears compromised so the source may be something else, like your router/modem, or Bluetooth as you think (though some apps require Bluetooth admin permission legitimately, you can disable it as an Admin). Tell us what behaviors you are seeing that you believe are malicious. New phone update soon after you turn on is quite common, as I'm sure you know.
When I had a quick look at your log it did have a lot of activity going to the US DOD, would you expect this, as well as the usual google & Facebook connections. Though (perhaps) strangely also to a server from a small marketing company here in Australia, but I'm no expert even if I looked at your log line by line I wouldn't understand it all.
Ref his other post
https://forum.xda-developers.com/general/security/security-global-family-credientals-t3665851
Things to try. Run a reputable antivirus. Boot into safe mode, so only system apps run, is it still happening? Can you turn off anything that is listed as a device admin? Try run a root checker app. Even if it all comes back negative you may still have a problem as a port may already have been opened and malicious app self deleted or something. Use an app like Fing to see if any device you don't recognise are connected to your network.
You may be able to block some activity if it's not going through root with a firewall eg NetGuard no root firewall, start with everything blocked.
Above are just some general hints, without knowing specifics I can only suggest you backup any stuff you want to keep then factory reset everything & change ALL passwords to strong ones (no good just adding a number on the end of your old ones!), better still reflash all firmware (updates if available) to overwrite everything. This incl your internet access points eg router, and only reconnect to the net/networks after you have done them all (one at a time preferably then you may be able to identify source of problems)
That turned out a lot longer than I intended!

IronRoo said:
I'm no expert but I'm struggling to see your exact issue you seem to think you have, is it just t your Bluetooth is switching on. All those licences, security certs, file locations etc look normal to me (without checking numbers or being able to compare to same phone os etc) though I have disabled many of those certs eg the Turkish ones etc & my Bluetooth files are different but I can find ref hill those locations online eg Xieomi phones
You appear to have a ZTE, please give model number and current OS & rev (must be stock I suppose). ZTE was found with a backdoor in older phones, sending data to China, so it's possible, & some Chinese phones also update their apps without notification. But as you say your whole network appears compromised so the source may be something else, like your router/modem, or Bluetooth as you think (though some apps require Bluetooth admin permission legitimately, you can disable it as an Admin). Tell us what behaviors you are seeing that you believe are malicious. New phone update soon after you turn on is quite common, as I'm sure you know.
When I had a quick look at your log it did have a lot of activity going to the US DOD, would you expect this, as well as the usual google & Facebook connections. Though (perhaps) strangely also to a server from a small marketing company here in Australia, but I'm no expert even if I looked at your log line by line I wouldn't understand it all.
Things to try. Run a reputable antivirus. Boot into safe mode, so only system apps run, is it still happening? Can you turn off anything that is listed as a device admin? Try run a root checker app. Even if it all comes back negative you may still have a problem as a port may already have been opened and malicious app self deleted or something. Use an app like Fing to see if any device you don't recognise are connected to your network.
You may be able to block some activity if it's not going through root with a firewall eg NetGuard no root firewall, start with everything blocked.
Above are just some general hints, without knowing specifics I can only suggest you backup any stuff you want to keep then factory reset everything & change ALL passwords to strong ones (no good just adding a number on the end of your old ones!), better still reflash all firmware (updates if available) to overwrite everything. This incl your internet access points eg router, and only reconnect to the net/networks after you have done them all (one at a time preferably then you may be able to identify source of problems)
That turned out a lot longer than I intended!
Click to expand...
Click to collapse
Thank-you. Now for a better visual. There's to many apps.
And if u can give me links to apps that will help.
And on my oneplus one the Bluetooth thing says :1002 sharing or midi or something.

BLEEDCOLORYOU said:
Thank-you. Now for a better visual. There's to many apps.
And if u can give me links to apps that will help.
And on my oneplus one the Bluetooth thing says :1002 sharing or midi or something.
Click to expand...
Click to collapse
And code.auroa? What is this

BLEEDCOLORYOU said:
Thank-you. Now for a better visual. There's to many apps.
And if u can give me links to apps that will help.
And on my oneplus one the Bluetooth thing says :1002 sharing or midi or something.
Click to expand...
Click to collapse
I don't have that phone so can't really tell what is a suspect app or not, especially just from screen shots.
Here use this app to run on demand scans against the virustotal database (this is not an "antivirus app" like Avast so offers no protection, it only scans apps on demand, so you should run a good antivirus also)
https://play.google.com/store/apps/details?id=com.funnycat.virustotal
it should flag any suspect apps and you can submit any unknown ones you are worried about.
---------- Post added at 05:12 AM ---------- Previous post was at 05:02 AM ----------
BLEEDCOLORYOU said:
And code.auroa? What is this
Click to expand...
Click to collapse
edit: not Firefox then.
org.codeaurora.bluetooth is a legit part of Bluetooth .... Well unless it's flagged by virustotal then it probably is a malicious app just given a common name to try and hide

IronRoo said:
I don't have that phone so can't really tell what is a suspect app or not, especially just from screen shots.
Here use this app to run on demand scans against the virustotal database (this is not an "antivirus app" like Avast so offers no protection)
https://play.google.com/store/apps/details?id=com.funnycat.virustotal
it should flag any suspect apps and you can submit any unknown ones you are worried about.
Click to expand...
Click to collapse
Okay but what is provisioning? Code auroa smartcard services googleplay for instance apps and
And IV never encrypted this phone.

BLEEDCOLORYOU said:
Okay but what is provisioning? Code auroa smartcard services googleplay for instance apps and
And IV never encrypted this phone.
Click to expand...
Click to collapse
And alot of the overlay apps n simtoolkit are all questionmarked

BLEEDCOLORYOU said:
And alot of the overlay apps n simtoolkit are all questionmarked
Click to expand...
Click to collapse
ser my edit above re aurora
sometimes virustotal will have 2 or 3 antiivirus companies flag a file, these are probably false positives so probably nothing to worry about (though could just be a new submission, other companies should soon update if real malicious code, check back in a day or two). If lots of companies flag an apk then you haven a problem.
It looks like you have a problem whit overlays (unless it's an app your phone company installs for that function, not sure what you mean). You should install a proper antivirus app like Avast, malwarebytes etc as a first step, hopefully it can remove malicious apk
---------- Post added at 05:51 AM ---------- Previous post was at 05:37 AM ----------
BLEEDCOLORYOU said:
And IV never encrypted this phone.
Click to expand...
Click to collapse
Doesn't matter, encrypting phone only protects unauthorised access to your data. Once it is unlocked anyone can view your stuff. And once a malicious app is on your system it can shall read all your data even if you had encrypted it as it's unencrypted when you use it

IronRoo said:
ser my edit above re aurora
sometimes virustotal will have 2 or 3 antiivirus companies flag a file, these are probably false positives so probably nothing to worry about (though could just be a new submission, other companies should soon update if real malicious code, check back in a day or two). If lots of companies flag an apk then you haven a problem.
It looks like you have a problem whit overlays (unless it's an app your phone company installs for that function). You should install a proper antivirus app like Avast, malwarebytes etc as a first step, hopefully it can remove malicious apk
---------- Post added at 05:51 AM ---------- Previous post was at 05:37 AM ----------
Doesn't matter, encrypting phone only protects unauthorised access to your data. Once it is unlocked anyone can view your stuff. And once a malicious app is on your system it can shall read all your data even if you had encrypted it as it's unencrypted when you use it
Click to expand...
Click to collapse
Okay so now I'm trying to post screenshots of when I'm connected to wifi and it's not letting me
Pairwise cyphers and
Group cyphers
Sim_num
?

BLEEDCOLORYOU said:
And alot of the overlay apps n simtoolkit are all questionmarked
Click to expand...
Click to collapse
Tap those with question marks to submit to virustotal for analysis

IronRoo said:
Tap those with question marks to submit to virustotal for analysis
Click to expand...
Click to collapse
/sys/fs/selinux/class/appletalk_socket/perms
Not suspious?

BLEEDCOLORYOU said:
/sys/fs/selinux/class/appletalk_socket/perms
Not suspious?
Click to expand...
Click to collapse
Now I'm not stupid, this is facts. I just need defined and solution!!!

No these are normal library files. Stagefright "the malicious exploits" were called this as it was the stagefright framework it exploited. Everyone has these files, here are mine below.
You need to use tools like antivirus to identify bad files but even that is no guarantee as there is the possibility the original malicious file could have self deleted and, for example, just left open ports which would not be found as a "virus" but still allow remote access to your device.
If you cannot identify the actual exploit on your phone then the best solution is probably to just reflash the stock rom as this will wipe & overwrite everything. But if a malicious file is left on your SD card or another networked device you could soon be infected/compromised again. That is why I said before if you can't identify the source of your infection you really need to factory reset or reinstall all OS on all devices affected including your home router etc (or maybe it's your work or public network) and change all passwords.

IronRoo said:
No these are normal library files. Stagefright "the malicious exploits" were called this as it was the stagefright framework it exploited. Everyone has these files, here are mine below.
You need to use tools like antivirus to identify bad files but even that is no guarantee as there is the possibility the original malicious file could have self deleted and, for example, just left open ports which would not be found as a "virus" but still allow remote access to your device.
If you cannot identify the actual exploit on your phone then the best solution is probably to just reflash the stock rom as this will wipe & overwrite everything. But if a malicious file is left on your SD card or another networked device you could soon be infected/compromised again. That is why I said before if you can't identify the source of your infection you really need to factory reset or reinstall all OS on all devices affected including your home router etc (or maybe it's your work or public network) and change all passwords.
Click to expand...
Click to collapse
I'm on a video bridge network I got the direct TV setup with 2 wireless setups. Both secure from what I know.

BLEEDCOLORYOU said:
Pairwise cyphers and
Group cyphers
Sim_num
?
Click to expand...
Click to collapse
These are for encryption of your connection, not your phone
BLEEDCOLORYOU said:
I'm on a video bridge network I got the direct TV setup with 2 wireless setups. Both secure from what I know.
Click to expand...
Click to collapse
I'm no coding/security guru, but I have worked on telecoms, military electronics, etc but my coding & network security knowledge is limited.
I would run this app Fing to check your local network, are there any unknown devices connected?
https://play.google.com/store/apps/details?id=com.overlook.android.fing
note: this only finds currently connected devices, so you'd want to do this several times & especially when you see suspect behavior.
Also check for open ports, easiest way is probably this site, it will scan the first 1000 ports or so (select all)
https://www.grc.com/
go to shields up
but you really need to scan ALL possible ports with a tool like Zenmap (for PC) if you think you are compromised
https://nmap.org/zenmap/
However it's not clear to me if you ever installed a proper antivirus and whether it found and deleted anything? Virustotal seemed to find some suspect apks, I had a quick look at Trendmicro database but it didn't list details of the one it found in your screenshot, but the fact some of those antivirus companies called the suspect apk names with "joke" in it may suggest it's just a joke app your mate has installed, though probably not a joke app if your other devices are really also compromised, from memory there is also real malware with that name which may be able to infect other devices. Running a proper antivirus should easily find and clean any "joke" app on your phone & hopefully any real malware. If you've done this and still seeing indications you are compromised then do what I suggested above. (Also repeat malware checks on other devices and removable storage media)
You should also log into your router as admin and check settings, are you using a secure router password? Is firmware up to date. Is firewall set up correctly? Also close any open ports that you don't use. Turn off remote admin, if router has it. Etc etc what do your router logs show (turn on more detailed logging if necessary) Factory reset or reinstall firmware if you think changes have been made to your router by someone else.

Hi I am having same issues. Exact same behaviors regardless of new phones new carrier and all accounts being unconnected in name. Google etc. This is extreme. Its via bluetooth I agree something with esims or virtual sims for use of wifi access and or signal piracy for media. The DOD files are also something I am familier with seeing. Code Aurora was also a govt project way back. Its Interesting thst I have Verizon files loading on at & t phones and sprint loading on Verizon. Whatever this is has managed to infiltrate my computers as well. Its relentless. Its impressive and sophisticated. Please please help.

Spidder77 said:
Hi I am having same issues. Exact same behaviors regardless of new phones new carrier and all accounts being unconnected in name. Google etc. This is extreme. Its via bluetooth I agree something with esims or virtual sims for use of wifi access and or signal piracy for media. The DOD files are also something I am familier with seeing. Code Aurora was also a govt project way back. Its Interesting thst I have Verizon files loading on at & t phones and sprint loading on Verizon. Whatever this is has managed to infiltrate my computers as well. Its relentless. Its impressive and sophisticated. Please please help.
Click to expand...
Click to collapse
I'm having the same issmy ues. Did anyone ever resolve or figure out what is happening? I think I'm under investigation by the DOD and they own my devices. My uploads/downloads are blocked, internet searches filtered, pics/screenshots of evidence deleted off my phone, etc.

One purpose device with one app only - custom rom

Hi,
I would like to flash few android devices with very basic operating system and one app only - like vPos system.
What will be ideal is:
Replace starting screen of the oem device with my own graphics.
Start my own app when the device is fully booted.
Have ability to change wifi network within the app.
Use 3g/4g connection within the app.
I know about locking device for one app only (kiosk mode), but this is now what I'm asking for here.
I will really appreciate any kind of help.
Many thanks...
FlexRoad

If u want to replace OS of ur phone with another one, you may try miracle box.

Run One App or Few Selected Apps with ease!
Absolutely, all that you have mentioned under the "ideal" part can be done easily with a kiosk lockdown software that needs no technical skills to set the device with one app or few selected apps from a web-based dashboard using a laptop or a desktop.

flexroad said:
Hi,
I would like to flash few android devices with very basic operating system and one app only - like vPos system.
What will be ideal is:
Replace starting screen of the oem device with my own graphics.
Start my own app when the device is fully booted.
Have ability to change wifi network within the app.
Use 3g/4g connection within the app.
I know about locking device for one app only (kiosk mode), but this is now what I'm asking for here.
I will really appreciate any kind of help.
Many thanks...
FlexRoad
Click to expand...
Click to collapse
This is a pretty common thing to do, actually.
What I would recommend you do is start with an AOSP build for the devices you want use, either by building one yourself (as in this tutorial, which has a similar goal), or by finding a pre-built AOSP-based rom around on these forums. (AOSP is kind of the closest one gets "just installing the OS"). After that, you could consider tweaking the build or modifying the image, but another alternative is just to use some type of MDM (mobile device management) solution for deploying your app, customizing the available options, locking things down, etc. (There are other MDM vendors beside Google as well.) This might be a good idea for something like a vPOS, because it inherently also gives you some amount of traceability and a "paper trail".
---------- Post added at 12:13 AM ---------- Previous post was at 12:08 AM ----------
geoff-codes said:
This is a pretty common thing to do, actually.
What I would recommend you do is start with an AOSP build for the devices you want use, either by building one yourself (as in this tutorial, which has a similar goal), or by finding a pre-built AOSP-based rom around on these forums. (AOSP is kind of the closest one gets "just installing the OS"). After that, you could consider tweaking the build or modifying the image, but another alternative is just to use some type of MDM (mobile device management) solution for deploying your app, customizing the available options, locking things down, etc. (There are other MDM vendors beside Google as well.) This might be a good idea for something like a vPOS, because it inherently also gives you some amount of traceability and a "paper trail".
Click to expand...
Click to collapse
This was going to be a much more helpful response, but apparently I can't link outside this site. So maybe Google search:
"intellectsoft blog build and run android from aosp source code to a nexus 7", "g suite manage your organization's mobile devices", and "G Suite Compare mobile management features"

Trojan infected recovery phone partition

Hi,
I'm new to XDA. I think I'm in the right forum for my issue. My phone was infected with what I think is a type of auto rooting trojan. I was looking for info on an app I'm using called Duraspeed. I came across this website that started throwing popups at me saying my phone had tons of viruses, which was a lie. By the time I could break free from the drive by attacks, it was too late. I started getting sluggish performance on my phone and popup ads randomly. Even though it somehow gained root access, my phone is not rooted. Never was. Its still not! Because I checked with several apps off the playstore to confirm this. Long story short:
It put a file called "ads_popup-release.apk"
in my root folder /system/priv-app/
And modified a file called "8e710bb7.0"
in root folder /system/etc/security/cacerts/
or put (installed) the file there I'm not sure.
The file running on the phone as a system app is called "ad_surface"
I can only force stop and disable ad_surface without the ability to uninstall. I have to repeat this process every time I reboot. This stops the ads from popping up. Funny thing is, even though the force stop button in app settings is greyed meaning it was stopped and disabled, my OS Monitor app that shows running processes shows ad_surface is still running. Yet, it does stop the random popup ads by doing it this way. I've tried 360 AV, Avast, AVG, Malwarebytea, Kaspers, stubborn rootkit remover, a lot of antivirus programs but nothing detects it. I'm using Total Commander File Manager to view the device system partitions. I even copied the two trojan files to a folder on the user partition to see if any of the antivirus programs could check them there away from the root areas. But nothing. My guess is that I need to root my phone so I can gain access to the apk file and delete it. I haven't done a factory reset because I realize that apk file is in the recovery partition in order to reinstall itself. I've never rooted a phone before, but I have Kingroot installed. I downloaded it from XDA. I just don't have the guts to use it in fear of bricking. Do you think it would work with my phone? Does it abort the root procedure if it can't do it? Here are my phone specs:
Vortex Beat 8
Software build: 8_V1.5_20171011
Chipset: MT6580M Cortex-A7
CPU Architecture: ARMv7 Processor Rev 3(V71)
Cores: 4 1300MHz
Kernal Version: 3.18.19
Total Ram: 459MB
Internal ROM: 8GB (4GB for user)
That's about it. If there's anything anybody who could recommend how to go about this I would greatly appreciate the help. Thank you...

Go try factory resetting it, doesn't hurt to try.
If the "virus" is still there you can always re-flash the phones os. Here is the link to the stock ROM ---> http://www.needrom.com/wp-content/uploads/2017/04/BEAT-8_V1.06_20170413.rar
The below link is a tutorial on how to flash the phones ROM.
https://www.getdroidtips.com/stock-rom-vortex-beat-8/#How_to_Download_Stock_ROM_on_VORTEX_Beat_8
In mtkdroid tools, Have all the boxes unchecked, and make sure you only have "ANDRIOD" and "RECOVERY" checked marked. The other boxes are just about the phones information and properties. Theses shouldn't be checked because it might erase your imei/drivers or other stuff. After flashing the rom make sure you do a complete factory rest + cache. Erase whatever you have on ur sd cards or micro sd cards.
Just do this and call it a day
Good luck

Cool
Hi, thank you! I will try this. I will have to borrow someone's computer like my nephews. I did try Kingroot and OneClickRoot but they both failed. Perhaps due to a locked bootloader. Or the evil trojan that made itself super user blocking them. I did do a factory reset, but the trojan persist. My mistake was forgetting to turn off unknown sources in security settings. I think that's how it got in... I'll keep checking back on this thread in the meantime to see if someone knows a tool that can kill the trojan, but I doubt it. Cheers!

SecretSociety68 said:
Hi, thank you! I will try this. I will have to borrow someone's computer like my nephews. I did try Kingroot and OneClickRoot but they both failed. Perhaps due to a locked bootloader. Or the evil trojan that made itself super user blocking them. I did do a factory reset, but the trojan persist. My mistake was forgetting to turn off unknown sources in security settings. I think that's how it got in... I'll keep checking back on this thread in the meantime to see if someone knows a tool that can kill the trojan, but I doubt it. Cheers!
Click to expand...
Click to collapse
I'm having similar troubles I somehow believe I have an entire infected Network from Windows 10 to iOS and all the cell phones even two 3-g flip even the Smart car has been recognized I communicated with the virus / hacker Network I have no idea how to get rid of it I give his self super user privileges without quite rooting the phone and hides itself in system apps so it's virtually impossible to get rid of at least for me it is I have post here called wading deep Waters please do check it out

sassyfrassy said:
I'm having similar troubles I somehow believe I have an entire infected Network from Windows 10 to iOS and all the cell phones even two 3-g flip even the Smart car has been recognized I communicated with the virus / hacker Network I have no idea how to get rid of it I give his self super user privileges without quite rooting the phone and hides itself in system apps so it's virtually impossible to get rid of at least for me it is I have post here called wading deep Waters please do check it out
Click to expand...
Click to collapse
It isn't unheard of for a router to get infected with a virus/malware, rare, but not exactly impossible. I've run across others here over the years that have discussed this issue. I don't remember any specifics, tools or methods to fix the issue though, but you can probably find info on removing malware from a router.
Sent from my LGL84VL using Tapatalk

Droidriven said:
It isn't unheard of for a router to get infected with a virus/malware, rare, but not exactly impossible. I've run across others here over the years that have discussed this issue. I don't remember any specifics, tools or methods to fix the issue though, but you can probably find info on removing malware from a router.
Click to expand...
Click to collapse
Thank you for your prompt response I'm not positive that the router and modem are infected more or less they are overloaded from the amount of leeches in hitchhiker's I have from this awful network of hackers and code running through my TV's my cars for god sakes I read one of their lauder's I got in somehow and I could see that they were logging how many seconds it took me from getting out of the car to getting in my home that was just one scary example they could tell when my phone was in my pocket and if I was walking and how many people were with me this is just my cell phone not to mention my TV's the laptops I have no idea what to do

sassyfrassy said:
Thank you for your prompt response I'm not positive that the router and modem are infected more or less they are overloaded from the amount of leeches in hitchhiker's I have from this awful network of hackers and code running through my TV's my cars for god sakes I read one of their lauder's I got in somehow and I could see that they were logging how many seconds it took me from getting out of the car to getting in my home that was just one scary example they could tell when my phone was in my pocket and if I was walking and how many people were with me this is just my cell phone not to mention my TV's the laptops I have no idea what to do
Click to expand...
Click to collapse
It sounds to me like their hold over you has more to do with your personal information than with your devices. With certain pieces of your info, they can gain access to any device that you sign into, login to or even just enter information in while using, even if it isn't yours.
If your network provider randomly cycles IP addresses among its users, it could be that the hacker has previously hijacked that IP address while another user was using it and his access carried over to you when the IP was assigned to you. If this is so, a new IP and changing all of your account info among all of the various accounts you have would cut him off, maybe?
I'm not the best at network security issues that go that deep. My network management/LAN Admin days were a very long time ago, too many things have changed.
Sent from my LGL84VL using Tapatalk

Droidriven said:
It sounds to me like their hold over you has more to do with your personal information than with your devices. With certain pieces of your info, they can gain access to any device that you sign into, login to or even just enter information in while using, even if it isn't yours.
If your network provider randomly cycles IP addresses among its users, it could be that the hacker has previously hijacked that IP address while another user was using it and his access carried over to you when the IP was assigned to you. If this is so, a new IP and changing all of your account info among all of the various accounts you have would cut him off, maybe?
I'm not the best at network security issues that go that deep. My network management/LAN Admin days were a very long time ago, too many things have changed.
Click to expand...
Click to collapse
Thank you I really appreciate you taking the time to think about my situation I have had no one to talk to about this for 2 months

sassyfrassy said:
Thank you I really appreciate you taking the time to think about my situation I have had no one to talk to about this for 2 months
Click to expand...
Click to collapse
Not sure how much help I'll be to you. I'm no expert in what you're dealing with. I'm just telling you some possibilities that I've seen others dealing with over the years.
Sent from my LGL84VL using Tapatalk

Droidriven said:
It sounds to me like their hold over you has more to do with your personal information than with your devices. With certain pieces of your info, they can gain access to any device that you sign into, login to or even just enter information in while using, even if it isn't yours.
If your network provider randomly cycles IP addresses among its users, it could be that the hacker has previously hijacked that IP address while another user was using it and his access carried over to you when the IP was assigned to you. If this is so, a new IP and changing all of your account info among all of the various accounts you have would cut him off, maybe?
I'm not the best at network security issues that go that deep. My network management/LAN Admin days were a very long time ago, too many things have changed.
Click to expand...
Click to collapse
You hit the nail on the head! Told me "unfortunately we have met"
Sent from my LGE LGL158VL using XDA Labs

SecretSociety68 said:
It put a file called "ads_popup-release.apk"
in my root folder /system/priv-app/
Click to expand...
Click to collapse
translation it installed itself to the privilege app section on your phone which does not delete with a reset (new rom does) this also gives the app more power
it can only be done with root so the app rooted your phone (at least temp) here is a app that removes it but it needs root
https://f-droid.org/en/packages/de.j4velin.systemappmover/
And a system priv app has AFAIK full power however as of Oreo thier is another file to give it permisions so says google https://source.android.com/devices/tech/config/perms-whitelist namely
/etc/permissions/privapp-permissions-OEM_NAME.xml
/etc/permissions/privapp-permissions-DEVICE_NAME.xml
check these files and see what you find
SecretSociety68 said:
And modified a file called "8e710bb7.0"
in root folder /system/etc/security/cacerts/
or put (installed) the file there I'm not sure.
Click to expand...
Click to collapse
translation installed a CA certificate that enables them to have a SSL connection or with this certificate can spoof websites
of course this should be deleted but again you will need root (or new Rom)
SecretSociety68 said:
The file running on the phone as a system app is called "ad_surface"
Click to expand...
Click to collapse
The app has to be running with a linux GUID so you can check with that
the apps can not find root this can be because the program used root once to get a elevated status (temporary root) and then does not need it anymore
so you cannot find it. The question still remains how they did that but right now you need to get out.

Waiting for other response. Hehe.

I had this take control of multiple devices and 2 computers. 3 android phones and an apple iphone and 2 windows computers. I countless hours going through logs and data. On my android devices it even made a cloned version of TWRP so it would reinstall itself through recovery. I spent hours on the phone with samsung and apple senior advisors. I viewed the analytic data on the apple device over and over. Extremely werid things were running. Constantly writting system wwrites on a stock apple phone. It was able to transfer from device to device over wifi hotspot. It went on for over two months. I had a roku tv also become monitored. It was the craziest **** ive ever had happen to me. It litterally almost drove me insane and I thought I was going crazy. Ive never seen anything like it. Even google reaults were completely false and fake sites. I disnt know this happened to anyone else. Ive got countless logs and screenshots saved in case I ever needed to share the info. It even remotely sipped my desktop hard drives and had me connecring to a remote server on boot.
---------- Post added at 07:48 PM ---------- Previous post was at 07:37 PM ----------
I could make a phone call and hear breathing in the background. Id make a call and touch tone sounds would go off after the first ring. I was getting constant interference through my phone. It connected all my devices to a home group I never created. I literally had to destroy the devices
---------- Post added at 08:15 PM ---------- Previous post was at 07:48 PM ----------
Applied protocal - makes sense man, in juat glad I got it off my back. On the iphone, when yyou would install a new app from the "app store" it would run a wake up over 4000 times a second to wake up an unknown app in system files . im assuming this was to clone the app or change some code in it when it was installed. The app name was ??? In the analytic logs and it was an "event write system". This was some dirty stuff man. Is this something that is common right now? This exploit across so many devices? Id love to share some of these logs and screenshots if anyone is interested.

SecretSociety68 said:
Hi,
I'm new to XDA. I think I'm in the right forum for my issue. My phone was infected with what I think is a type of auto rooting trojan. I was looking for info on an app I'm using called Duraspeed. I came across this website that started throwing popups at me saying my phone had tons of viruses, which was a lie. By the time I could break free from the drive by attacks, it was too late. I started getting sluggish performance on my phone and popup ads randomly. Even though it somehow gained root access, my phone is not rooted. Never was. Its still not! Because I checked with several apps off the playstore to confirm this. Long story short:
It put a file called "ads_popup-release.apk"
in my root folder /system/priv-app/
And modified a file called "8e710bb7.0"
in root folder /system/etc/security/cacerts/
or put (installed) the file there I'm not sure.
The file running on the phone as a system app is called "ad_surface"
I can only force stop and disable ad_surface without the ability to uninstall. I have to repeat this process every time I reboot. This stops the ads from popping up. Funny thing is, even though the force stop button in app settings is greyed meaning it was stopped and disabled, my OS Monitor app that shows running processes shows ad_surface is still running. Yet, it does stop the random popup ads by doing it this way. I've tried 360 AV, Avast, AVG, Malwarebytea, Kaspers, stubborn rootkit remover, a lot of antivirus programs but nothing detects it. I'm using Total Commander File Manager to view the device system partitions. I even copied the two trojan files to a folder on the user partition to see if any of the antivirus programs could check them there away from the root areas. But nothing. My guess is that I need to root my phone so I can gain access to the apk file and delete it. I haven't done a factory reset because I realize that apk file is in the recovery partition in order to reinstall itself. I've never rooted a phone before, but I have Kingroot installed. I downloaded it from XDA. I just don't have the guts to use it in fear of bricking. Do you think it would work with my phone? Does it abort the root procedure if it can't do it? Here are my phone specs:
Vortex Beat 8
Software build: 8_V1.5_20171011
Chipset: MT6580M Cortex-A7
CPU Architecture: ARMv7 Processor Rev 3(V71)
Cores: 4 1300MHz
Kernal Version: 3.18.19
Total Ram: 459MB
Internal ROM: 8GB (4GB for user)
That's about it. If there's anything anybody who could recommend how to go about this I would greatly appreciate the help. Thank you...
Click to expand...
Click to collapse
Definitely malmare! Mine was called "Ad-Time", like a kid's show or something, but either way, very persistent and pervasive! I have 2 roms, (v 1.5 & 1.6), in img format, easy fastboot flash. Look at this phone wrong and it's rooted. Anybody interested, hit me up, I even got the couple-line script to install SuperSU /system (beat 8 doesn't like Magisk). A simple su.d script to enable permissive selinux, build.prop changes, and you have a $30 Nexus via MTK. I also ported TWRP 3.2.1(no bugs) & Philz, but TWRP is my comfort-zone.
Sent from my ZTE Sapphire 3G using XDA Labs
---------- Post added at 02:03 AM ---------- Previous post was at 01:48 AM ----------
sameboat said:
I had this take control of multiple devices and 2 computers. 3 android phones and an apple iphone and 2 windows computers. I countless hours going through logs and data. On my android devices it even made a cloned version of TWRP so it would reinstall itself through recovery. I spent hours on the phone with samsung and apple senior advisors. I viewed the analytic data on the apple device over and over. Extremely werid things were running. Constantly writting system wwrites on a stock apple phone. It was able to transfer from device to device over wifi hotspot. It went on for over two months. I had a roku tv also become monitored. It was the craziest **** ive ever had happen to me. It litterally almost drove me insane and I thought I was going crazy. Ive never seen anything like it. Even google reaults were completely false and fake sites. I disnt know this happened to anyone else. Ive got countless logs and screenshots saved in case I ever needed to share the info. It even remotely sipped my desktop hard drives and had me connecring to a remote server on boot.
---------- Post added at 07:48 PM ---------- Previous post was at 07:37 PM ----------
I could make a phone call and hear breathing in the background. Id make a call and touch tone sounds would go off after the first ring. I was getting constant interference through my phone. It connected all my devices to a home group I never created. I literally had to destroy the devices
---------- Post added at 08:15 PM ---------- Previous post was at 07:48 PM ----------
Applied protocal - makes sense man, in juat glad I got it off my back. On the iphone, when yyou would install a new app from the "app store" it would run a wake up over 4000 times a second to wake up an unknown app in system files . im assuming this was to clone the app or change some code in it when it was installed. The app name was ??? In the analytic logs and it was an "event write system". This was some dirty stuff man. Is this something that is common right now? This exploit across so many devices? Id love to share some of these logs and screenshots if anyone is interested.
Click to expand...
Click to collapse
Typical Chinese ad/malware/surveillance. If you visit china, you turn over your devices for "inspection", so they can sideload some state-sponsored goodies. A lot of these Chinese roms have the ads baked-in, like mine. Whoever's listening and seeing my pics is gonna need therapy, because I filled the phone up with some STRANGE s*** Remove the apk, but there's several .xml's and .jar's that gotta go, too.
Sent from my ZTE Sapphire 3G using XDA Labs

What is the best way to counter this problem?

Dassote said:
What is the best way to counter this problem?
Click to expand...
Click to collapse
Root, and remove all traces of the " ad_* " app and even the duraspeed app if you want, but I didn't see anything untrustworthy about that. Duraspeed is in the default.prop (running booster), so it's in the kernel. Root uninstall just leaves you no way to control, kuz the PROCESS will go and go, unless you're willing to play with the kernel. Not for amateurs like myself My Beat 8 has been flashed or fastboot-booted more times than I can count. Good times.
Once your Chinese spyware is uninstalled, delete build.prop lines with "running booster", /system/lib's with it, and I think it was in the /system/bin, and /vendor/app had one. Clear them all, and you'll need to tweak the build.prop some more. debug.qemu.kernel=1, ro.secure_storage.support=0, ro.debuggable=1, then reboot AFTER you chmod 644 the build.prop! The "debug.qemu.kernel=1" was what made the rest stick. ADD those props, but don't change the existing ones (kernel). I just deleted the default values, replaced with "" . Fits the whole debug vibe. I should upload a copy of my final build.prop, cheap-a** phone runs like a champ.
Sent from my LG G Stylo using XDA Labs

I have VTech Kidibuzz that I want to root to Android... is it possible?

The VTech Kidibuzz is a faux smartphone device that apparently is meant to be a kid's first "smartphone" while still being safe I guess. From what I can gather though, it's just an Android wifi-enabled tablet running some specific VTech stuff on it. I want to try to root it to see if I can flash custom firmware on it. Does anyone know if this would be possible, or if it's done before?
I haven't been able to find a way to access dev mode or any hidden settings, but it does interface with computers via USP or apparently SD card?

Alkalinology said:
The VTech Kidibuzz is a faux smartphone device that apparently is meant to be a kid's first "smartphone" while still being safe I guess. From what I can gather though, it's just an Android wifi-enabled tablet running some specific VTech stuff on it. I want to try to root it to see if I can flash custom firmware on it. Does anyone know if this would be possible, or if it's done before?
I haven't been able to find a way to access dev mode or any hidden settings, but it does interface with computers via USP or apparently SD card?
Click to expand...
Click to collapse
You can "enable custom apps" which basically means install the amazon appstore from the "Parents" account -> Device Settings -> Get More Apps but more importantly you can enable unknown sources from More Apps settings and from there you can download an APK Downloader or use the built in web browser to download any app you want. You can get a hidden settings apk and view the normal android settings menus but when I tried to enable developer settings in there it didn't work , I 'm still trying to figure out how to get the Play Store to work properly on it. You can read/write user files over USB. . I'm still ****ing around with it though.

I think it is definitely rootable and easily exploitable, the OS (atleast on my model) was signed using test keys, meaning you can replace any system apk's with your own, I unfortunately cannot test this as curious as I am because the one I am playing around with right now is a Christmas present and I cannot afford to take the risk of bricking/breaking it. I was just trying to get things like Google Play and Hulu working.