IoT Cloud Software/Hardware MDM assistance - General Questions and Answers

Hi There,
I want to start off by saying I hope I am not crazy, and I apologize from the get-go if I misrepresent my issue in error. :angel:
I believe someone has flashed MDM software to my Android device. I would like to know if I am either going crazy over nothing or would like some assistance in diagnosing what the possible issue could be. I believe it to be something similar to the Murata Ayla Cloud software kit. This person would have had access to all of my cell phones, Raspberry Pis and computers.
I started to suspect something when applications would become installed on my device (ones I did not install, obviously). I started to notice XML/*.sh files appearing, Samsung Knox (I have been on a custom ROM such as AICP or DU literally the day I get any new device, so I have never had Knox or any Samsung apps). My device also started to download apps for another mobile carrier, and my CSC information now shows the incorrect carrier code. My root seems to always stop working (it literally just locks up when I open it; even if I remove and reinstall, it only works briefly) and my Wi-Fi MAC address suddenly became 00:02:00:00. So I decided to flash back to stock firmware and try a different ROM. Long story short, I compared the ROM files and original backup to the files on my device several days later after minimal use. I noticed a lot of .sh files loaded in the root dir as well as container agents, an MDM agent running, and an MDM enrollment app.
I then noticed odd things on my PCs, like Windows Firewall always allowing the Xbox service, media server, Miracast and a bunch of other things. I can see UPnP is enabled on the routers and is what is configuring my WinRM. So I did some Wiresharking and found a Fortinet server with a Murata MAC OUI on layer 3. I also ran some logs to see devices plugged into my USB ports and found several Samsung CSC/modem drivers + a log that implied something about serial port/eMMC programming. I also found several apps that I have never used or even heard of (QLAtool, ReadnWrite tool, GN Qcom download tool). I also checked several of my other phones and it appears that they all have the same serial number and device name. I have never flashed my devices with the incorrect backups. The home network is not mine, but I asked the other people within the house and they state they do not know anything...
No matter what I do (flash/factory reset etc.), the XML files/.sh files slowly download after I leave my device connected to the internet. Several of them reference Open SIM Alliance/virtual USB-BT proxies/media server and virtual devices. There are so many MDM apps/embedded controllers/KVMs/hypervisors/HCE - Knox dev kits I can't determine which it is.
I would desperately like to have my privacy back, or know that I am not crazy. Is there anyone who could help me identify what is happening or how to better investigate?
Thank you very much,
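The post above mentions an MDM agent and an MDM enrollment app. On Android the thing that gives an MDM its power is not the app being installed but the app being registered as a device owner, a profile owner, or an active device admin, and `adb shell dumpsys device_policy` lists exactly that. The script below is an added example, not code from the original post or from any of the products named in it: it parses a constructed approximation of that dump (the real layout differs somewhat between Android versions, so treat the regexes as a starting point) and flags a device owner, any profile owners, and any active admin outside an allow-list that holds wipe or password-reset policies. Package and component names in the sample are invented.

```python
import re
import sys
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional

# Constructed sample approximating `adb shell dumpsys device_policy`.
# Component/package names are invented for illustration.
SAMPLE_DUMP = """\
Current Device Policy Manager state:
  Device Owner:
    admin=ComponentInfo{com.example.mdm/com.example.mdm.AdminReceiver}
    name=Example MDM
    package=com.example.mdm
    User ID: 0
  Profile Owner (User 10):
    admin=ComponentInfo{com.example.knoxagent/com.example.knoxagent.Receiver}
    name=Work profile
    package=com.example.knoxagent
  Enabled Device Admins (User 0, provisioningState: 0):
    com.example.mdm/com.example.mdm.AdminReceiver:
      uid=10123
      testOnlyAdmin=false
      policies:
        wipe-data
        reset-password
    com.android.email/com.android.email.SecurityPolicy:
      uid=10045
      testOnlyAdmin=false
      policies:
        limit-password
"""

# Admin policies that let an app wipe the device or lock the user out.
DANGEROUS_POLICIES = {"wipe-data", "reset-password", "force-lock"}

_DEVICE_OWNER = re.compile(r"^\s*Device Owner:")
_PROFILE_OWNER = re.compile(r"^\s*Profile Owner \(User (\d+)\):")
_ADMINS = re.compile(r"^\s*Enabled Device Admins \(User (\d+)")
_COMPONENT = re.compile(r"admin=ComponentInfo\{([^}]+)\}")
_ADMIN_ENTRY = re.compile(r"^\s{4}(\S+/\S+):$")   # 4-space indented "pkg/Receiver:" line
_POLICY = re.compile(r"^\s{8}([a-z\-]+)$")        # 8-space indented policy name


@dataclass
class DevicePolicyReport:
    device_owner: Optional[str] = None
    profile_owners: Dict[int, str] = field(default_factory=dict)      # user id -> component
    enabled_admins: Dict[str, List[str]] = field(default_factory=dict)  # component -> policies


def parse_device_policy(dump: str) -> DevicePolicyReport:
    """Walk the dump line by line, tracking which section we are in."""
    report = DevicePolicyReport()
    section: Optional[str] = None
    current_user = 0
    current_admin: Optional[str] = None
    for line in dump.splitlines():
        if _DEVICE_OWNER.match(line):
            section = "device_owner"
            continue
        m = _PROFILE_OWNER.match(line)
        if m:
            section, current_user = "profile_owner", int(m.group(1))
            continue
        m = _ADMINS.match(line)
        if m:
            section, current_user, current_admin = "admins", int(m.group(1)), None
            continue
        if section in ("device_owner", "profile_owner"):
            m = _COMPONENT.search(line)
            if m and section == "device_owner":
                report.device_owner = m.group(1)
            elif m:
                report.profile_owners[current_user] = m.group(1)
        elif section == "admins":
            m = _ADMIN_ENTRY.match(line)
            if m:
                current_admin = m.group(1)
                report.enabled_admins[current_admin] = []
                continue
            m = _POLICY.match(line)
            if m and current_admin is not None:
                report.enabled_admins[current_admin].append(m.group(1))
    return report


def triage(report: DevicePolicyReport, expected_admins: FrozenSet[str] = frozenset()) -> List[str]:
    """Return human-readable findings; expected_admins is the package allow-list."""
    findings: List[str] = []
    if report.device_owner:
        findings.append(f"DEVICE OWNER present: {report.device_owner} "
                        "(can silently install/hide apps and set a global proxy; "
                        "only expected on a deliberately enrolled device)")
    for user, comp in sorted(report.profile_owners.items()):
        findings.append(f"profile owner for user {user}: {comp} (managed/work profile)")
    for comp, policies in report.enabled_admins.items():
        pkg = comp.split("/", 1)[0]
        risky = sorted(DANGEROUS_POLICIES.intersection(policies))
        if pkg not in expected_admins and risky:
            findings.append(f"unexpected device admin {comp} holds: {', '.join(risky)}")
    return findings


if __name__ == "__main__":
    # Usage: adb shell dumpsys device_policy > dp.txt && python3 this.py dp.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for finding in triage(parse_device_policy(text), frozenset({"com.android.email"})):
        print(finding)
```

A device owner can only be set before first setup (or via `adb shell dpm set-device-owner` on a device with no accounts), so a device owner that survives a factory reset on a carrier-bought phone is worth a direct question to the carrier about zero-touch or Knox enrollment before assuming malware.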

Related

I can no longer view networked PCs using ESFile Explorer???

Can someone help me out? I've been using this setup for years on several machines without a single problem. Now, all of a sudden, I try to view a networked PC to move some files over (like I've done thousands of times) and it says that the server can't be reached. It gives me some bogus ideas like the firewall is on, the IP address is out of range, SMB is off, yadda yadda yadda, but none of these are true so far as I can tell. I tried deleting the server and scanning via the 'search' again and the same PC shows up. When I click it, it gives the same error. So I attempt to manually edit the login credentials or manually create a new server, and after I enter all the credentials it just sits on 'Adding Server, Please wait a minute...' indefinitely. I tried rebooting the PC (Win7 64-bit) as well as my device (unrooted SGS4 v4.3) and I'm not able to solve this issue. The only change I can think of is the recent update to v4.3, but I also updated to v4.2.2 previously and had no issues. I've also done this for years on several devices and countless firmware versions & ROMs. I know some have been having issues with the addition of KNOX to 4.3, but I haven't even installed that, nor do I plan on doing it. I checked by opening KNOX from the app tray to verify and it indeed still wants me to INSTALL. I am also getting weird warning pop-ups since 4.3 about something or other trying to access part of my phone that it's not authorized to, which sounds like a KNOX/WiFi bug from what I'm hearing. This seems strange to me, that I would be getting this warning when I haven't even installed it yet. Could the networking issues also be related, and how can I correct this? This is SUPER annoying!

Security to phone, computers, email, entire network is compromised

My question, or rather my plea for answers, does not just pertain to Android OS, but I have relied on this site for many answers and have always found a solution just from searching around on here, so I know there are very capable members on this site that can help. My problem began over 4 months ago when my home computers were compromised. I assumed it was just a simple virus but soon learned that someone had actually hacked into my home network for what I believe is or was an attempt to retrieve trade secrets. Shortly after, I realized that data was being sent to someone through the fax system on my PC and data distribution software had been installed along with a large amount of .dll and legacy items. The admin rights were taken from me and the registry was completely modified, which left me without any permissions and kept me from doing anything on the PC. I went out and purchased a new router, got out an older PC, and I put on a password of around 20 mixed numbers and letters. 5 minutes after I had set up the new router and PC, I noticed through the network map that there was someone else on what I assumed was a secured network. The router was a Netgear. The first thing I did was change the default password and block any remote access in the network wizard. My next step was to pay the so-called experts (Geek Squad) to solve the security issue. I purchased their 1-month special that entitled me to 1 month of tech support and 3 free PC fixes. After purchasing a Windows 7 restore disk, I took 3 PCs to a local Geek Squad location to have them restore the PCs and install what was supposed to be hack-proof software. They only fixed 1 PC and told me the software would keep the hacker out. 5 minutes after I logged into my network, here come all the Windows updates (around 50) along with numerous programs. Needless to say, I lost my admin rights within an hour.
Here we are now, only using cell phones on my network, and I am sure the hacker is retrieving my data off of my G Vista D6301. My new email that I set up and have only used from the Vista has been compromised, and although no logins appear in the history but my Vista, someone had enabled POP on Dec 28th. I have enabled developer mode on my phone, which allows me to view the process stats. It states that Google Play Services runs 100% and Google Cloud Messaging runs 100%... I have never used any cloud service on this phone. Another thing is that certain system apps that I have never activated are accumulating a decent amount of data. This phone is used only for WiFi and has no service plan attached. Bluetooth, email, qrtunnel, near field communication all turn on from time to time. Google Play also shows something called clearcutlogger running, but I was unable to find any info on that. I also installed a mic block that has a "spying app catcher" that logs when an app uses your phone's mic while the phone is in sleep or idle mode. When the app is on block mic there are no problems, but when I unblock the mic I get countless log entries that an app with net access has gained access to my mic. It's always the same few apps that show up as a potential culprit, so I can't pinpoint exactly what app is using the mic. Not sure if any of this has anything to do with someone messing around with my phone, just trying to think of some of the things that could help. There is no doubt that this phone, along with a pile of now useless computers, has indeed been compromised. What I really need help with is how to get this bastard out of my life and secure my network before the new semester begins, because there is no way I can have my daughter use her new PC on the network knowing it's just going to end up like the rest of the computers in my new PC graveyard.
I know there are quite a few other sites I could have reached out to, but there is something about the camaraderie on this site that has always drawn me to it. 1 more thing, fellas: how about that one-touch root for the LG G Vista D6301? That sure would come in handy right now, lol. My apologies for the long read. Any details you need to know to try and help me figure things out, I would gladly provide as long as my knowledge permits.
I understand that the question or article that I posted is quite vast, so I will start off with this simple question. Is there a server that I can disable in the LG hidden menu to stop unauthorized use of my GCM, or any other way than simply disabling Google Play? I have read a couple of recent articles on how hackers are utilizing GCM to gain access to personal info. I was just curious about the server because I see many different server accounts in the hidden menu such as ATTLABa, Cingular, Mformation, and Funambol. I wasn't sure if these servers or accounts could possibly help or be a potential threat.
Sent from my LG-D631 using XDA Free mobile app
Pr1n6/of\Jerusalem said:
My question, or rather my plea for answers ...
Pr1n6/of\Jerusalem said:
I understand that the question or article ...
First, you have to be sure that no one has physical access to your gadgets. Second, find a router that can be flashed with new firmware from http://www.dd-wrt.com/site/index or https://openwrt.org/.
If you can, buy a hardware network firewall; with proper installation and settings you should be able to keep away any threat.
A good idea would be to use a good VPN service; that way you add a layer of security to your networking habits.
Lastly, check this thread http://forum.xda-developers.com/general/security/tuto-how-to-secure-phone-t2960077 and if you have any questions, ask there.
Good luck

Really old phone, trying to get pictures off for someone

Ok, so I have someone's Kyocera Kona S2151 flip phone. Now when I plug it into my PC, Device Manager shows two "modems" and a serial port without a driver. Even after installing the specific driver for this phone from the Kyocera website, it still says there is no driver. I tried to manually select the driver from the folder that was created during the install; not a single one of the 6 worked. Now all of this might even be a moot point, as I don't even know if this device will allow me to pull the pictures off of it using a USB cable attached to a PC, and everything on the web says I should be able to, but there's also a Kona Android smart version. I also can't find anything that says I can't, either, lol. Now I would use Bluetooth, but there are no options for sending photos via Bluetooth, and what's worse is the antenna for the cell service is going out, so it won't stay connected to the tower (I assume it's the antenna; I'm not gonna try and fix something this old. Also it's Sprint, which just got absorbed by T-Mobile, which could also be the issue because it's pre-SIM card).
So, in summary, I am trying to retrieve the photos. You can't Bluetooth them, there's no SD card slot, I can't text or email them due to lack of WiFi and cell service issues, which leaves the only option left, PC USB transfer, but I can't get that working either due to what I am hoping is simply driver issues. If I need to use an older operating system, that's fine; I have another PC here I can mess with to my heart's desire.
I know this isn't Android, rooting, modding, or custom OS related, but this forum is home to some of the smartest people; it's where I come to get all my instructions and files for phones. If anyone could help, I'm hoping it's the community here.
Oops, just saw the "don't post questions here". My bad... sorry.
Update: I installed XP on an older PC I had sitting around. ALL drivers worked fine, BUT it appears the only functionality this phone would have for a PC is to act as a modem. There doesn't seem to be ANY functionality in the way of file browsing or retrieving media. Furthermore, this specific phone lacks media sharing over any other connection aside from the mobile network. So if anyone has one of these old phones and it no longer has service/can no longer connect to towers, your only option is going to be a data retrieval company.
Bummer, some older phones are very limited when it comes to retrieval. Cheers

Question Am I hacked?

I have just received a brand new T-Mobile SM-A326U, Samsung Galaxy A32 5G USA variant, today from the mobile website. I immediately updated to the newest security and software patch, as I have been having issues with security lately: IMSI catcher, remote code injection, forwarding calls and texts to media servers, MitM etc.
Right away I used "Samsung My Files" and enabled hidden file access within Samsung My Files. I have always been aware of the need to index thumbs and thumbnail files, databases, etc. in the digital camera media images or DCIM folder. Checking /storage/emulated/0 shows three NEW locations: 3 new folders titled Music, Pictures, and Video. Within each of these three new folders there is a hidden ".nomedia" file and a hidden file titled "database_uuid". Attempting to delete the Music, Video, and Pictures folders from /storage/emulated/0 results in them returning after a reboot, with the same files within them. Performing a factory reset and flashing a new factory ROM and firmware provides the same result: there are those same three folders and those same files. Performing the old "create a new file entitled .thumbnails as a dummy file" trick didn't resolve this issue either.
I have not used the camera. I have not done anything but open the factory stock browser, utilizing the provider's data connection.
This has persisted through 3 new devices: a Samsung Galaxy A71 5G, a Motorola G Power 2021 and now this phone.
Am I being overly paranoid? Is this just a new function of the file system I am unaware of? Is the hidden "database_uuid" supposed to be there? Or have I reason to suspect the worst?
Fixes tried include:
>a factory data reset or two, Dalvik cache wipe included.
>Calling the provider's tech support line.
>Calling the manufacturer.
>Odin flash of stock factory ROM and firmware.
These are fixes performed on both the Samsung Galaxy A71 5G and the Motorola G Power 2021. This phone (Samsung Galaxy A32 5G) has a locked bootloader thus far and I haven't tried a flash yet; however, I have tried the aforementioned fixes.
>Creating a dummy file entitled .thumbnails.
>Deleting the folders entitled Video, Music, and Pictures in /storage/emulated/0, followed by a reboot.
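The question above turns on whether three folders and two hidden files were there from the start or appeared later, and the only way to settle that kind of question is a baseline. The script below is an added example, not code from the original post or from any tool it names: it hashes every regular file in a directory tree (dotfiles included, symlinks skipped), diffs a "day 0" manifest against a later one, and separates added dotfiles and added shell scripts from the rest. On a real device the two trees would come from `adb pull /sdcard ./day0` right after the factory reset and `adb pull /sdcard ./day3` a few days later; here both trees are constructed in temporary directories with invented contents so the example runs offline. A dotfile such as `.nomedia` is not a finding by itself; what matters is whether it is in the baseline.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Set, Tuple

# relative POSIX path -> (size in bytes, sha256 hex digest)
Manifest = Dict[str, Tuple[int, str]]


def build_manifest(root: Path) -> Manifest:
    """Hash every regular file under root, dotfiles included; symlinks are skipped."""
    manifest: Manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        data = path.read_bytes()
        manifest[path.relative_to(root).as_posix()] = (len(data), hashlib.sha256(data).hexdigest())
    return manifest


def diff_manifests(baseline: Manifest, current: Manifest) -> Tuple[Set[str], Set[str], Set[str]]:
    """Return (added, removed, changed) relative paths between two manifests."""
    base_paths, cur_paths = set(baseline), set(current)
    added = cur_paths - base_paths
    removed = base_paths - cur_paths
    changed = {p for p in base_paths & cur_paths if baseline[p] != current[p]}
    return added, removed, changed


def is_hidden(relpath: str) -> bool:
    """True if any path component starts with '.', the Unix/Android hidden-file convention."""
    return any(part.startswith(".") for part in relpath.split("/"))


def _write(root: Path, rel: str, data: bytes) -> None:
    target = root / rel
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)


def build_sample_trees() -> Tuple[Path, Path]:
    """Constructed sample: a 'day 0' pull and a 'day 3' pull of /sdcard (contents invented)."""
    base = Path(tempfile.mkdtemp(prefix="sdcard_day0_"))
    later = Path(tempfile.mkdtemp(prefix="sdcard_day3_"))
    for root in (base, later):
        _write(root, "DCIM/Camera/IMG_0001.jpg", b"\xff\xd8\xff\xe0 fake jpeg bytes")
        _write(root, "Android/data/com.example.app/cache/x.tmp", b"cache")
    _write(base, "Download/readme.txt", b"original text\n")
    _write(later, "Download/readme.txt", b"original text\nappended line\n")  # modified in place
    _write(later, "Music/.nomedia", b"")                                       # new dotfile
    _write(later, "Music/database_uuid", b"4f1c2b8e-invented-uuid")            # new, not dot-prefixed
    _write(later, "Pictures/.nomedia", b"")                                    # new dotfile
    _write(later, "setup.sh", b"#!/system/bin/sh\n")                           # new shell script
    return base, later


def report(baseline_root: Path, current_root: Path) -> Dict[str, List[str]]:
    """Diff two pulled trees and bucket the additions a reviewer cares about."""
    added, removed, changed = diff_manifests(build_manifest(baseline_root), build_manifest(current_root))
    return {
        "added": sorted(added),
        "removed": sorted(removed),
        "changed": sorted(changed),
        "hidden_added": sorted(p for p in added if is_hidden(p)),
        "scripts_added": sorted(p for p in added if p.endswith(".sh")),
    }


def demo() -> Dict[str, List[str]]:
    base, later = build_sample_trees()
    return report(base, later)


if __name__ == "__main__":
    # Real use: report(Path("day0"), Path("day3")) after two `adb pull /sdcard` runs.
    for key, paths in demo().items():
        print(f"{key}: {paths}")
```

Hashes rather than modification times are used on purpose: a factory reset or a re-flash rewrites timestamps, so mtime cannot tell you whether a file's contents changed, and a tree pulled over MTP loses them anyway.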
What have you done to make yourself paranoid? Those are normal hidden files.
target_relative said:
What have you done to make yourself paranoid? Those are normal hidden files.
Haha, I can totally see why one would assume I've done something to reach such levels of paranoia, but I assure you it is because I am on my journey through the web security exams. I have had enough field experience in the security audit role to notice odd behavior and activity, but not enough experience to prevent or patch it. However, I have some data-siphoning neighbors, so my first assumption was someone was pilfering my incoming and outgoing data during contractual gigs. Considering the data that is sometimes transmitted, one can totally assume the worst. That's how zero-days occur. Anyway, thank you so much for the assurance; one thing I need to really brush up on is the Android OS file system.
Wondering if a senior member would be so kind as to weigh in on this one. It's not that I don't believe the answer provided; it's that clarity can be had by the collective opinion. If others were to say the same, I'd be inclined to say, yep, those are certainly normal hidden files. However, I never noticed either folder or the database_uuid file until recently, after an attack on the local network. Hence my suspicion and thought process around the data-siphoning neighbors.
Factory reset. Cured... whatever it was.
Now ^that's^ being paranoid
blackhawk said:
Factory reset. Cured... whatever it was.
Now ^that's^ being paranoid
Not as much as you'd think. Prior to all this I had my tenth custom-built PC rig go down due to persistent malware that found its way into the BIOS, reflashed the BIOS and then further flashed itself into a level between BIOS and boot. Still hopping from device to device. PTAs, or persistent threat actors, aren't nearly as hard to come by in the wild when you study cyber security enough. Finding yourself in an officially sanctioned red team/blue team op and performing well whilst also blazingly bragging about your leet skills on social media will quickly garner a few PTAs.
It's not hard to assume someone in the area could monitor the device for restarts and/or factory resets on a root level and then push an injection into either the zygote or an OTA update as the device begins setup. Or, even easier, remote code execution targeting the "Sign in with Google account" portion of device setup.
DrRoxxo said:
Wondering if a senior member would be so kind as to weigh in on this one ...
This should help answer your question:
https://en.wikipedia.org/wiki/Hidden_file_and_hidden_directory#Android
tavella said:
This should help answer your question:
https://en.wikipedia.org/wiki/Hidden_file_and_hidden_directory#Android
This explains how the .nomedia file works, which I assumed was natural after a bit of research. What concerns me is that within each new folder titled Movies, Music, and Video there is a .nomedia folder. Not a big deal, but then there is a "database_uuid" file within each of those .thumbnails folders, which I do not currently understand the purpose or concept of. Prior to this, I understood the .nomedia file and the need for .thumbnails and .thumbs etc., but I had never once noticed the database_uuid file within those folders on my boredom-inspired file dives.
Thank you to all the new and Senior members who helped me to understand this issue.
I truly appreciate the reassurance and responses.
I don't know if there is a way to do so as I am quite new to XDA myself, but I'd like to mark this issue as resolved.
resolution: Stop being so paranoid
tavella said:
This should help answer your question ...
Samsung file explorer can see .nomedia files if that option is enabled in its settings.
Protected backup files are sometimes "hidden" like this... so it's useful to have that option enabled especially when making backup copies.
They appear greyed out indicating they are hidden.
Hey all, update.
I just got off the phone with a Cisco-certified level 2 tech from my provider, T-Mobile. They verified what was going on was indeed a sophisticated attack. The database_uuid files point to not just stealing data, but logging all activities. They are attempting a honeypot on the back end to attempt to catch the individual. They have begun monitoring the network for suspicious activity (for whatever it's worth). The technician verified that this sounds like a remote code execution taking place at the text entry field of "set up a new account" after a factory reset.
Edit: one of the fixes provided was a full reroute. Data now comes as if I'm in a different location. I don't know how much of a difference it'll make, but to note some of the oddities I've faced:
When browsing a random word, results display fine. When browsing search terms related to my issues, I get a "malicious traffic has been detected on this network" error from Chrome, Brave, and Firefox. Clearing data on those browsers sometimes works to resolve it; other times it persists.
When attempting to stream a searched title in any streaming service, the title fails to play, yet when choosing a random stream it plays fine.
When attempting to play any chosen online game, I get internet errors; the hotspot shows internet but no connectivity. When choosing a random game, it plays fine.
When signing up for Facebook, even with a newly created email for this purpose, I get a text verification code immediately from what seems to be the official FB shortcode, but appended at the bottom of the text is a signature: Laz.nx.carlw
Searching this signature shows hundreds of other users whose accounts were pwned by the same method.
Since the issue seems to be at the account creation screen after a factory reset, I've tried creating new Google accounts to set up the device with; however, almost immediately, passwords are changed.
APN settings were grayed out, and as a T-Mobile customer using a strictly T-Mobile device purchased and provided by the provider, there is yet a com.vzw.apnlib package or service running in the background. Attempting to locate this service or package in every manner fails.
Banking apps have had passwords changed and purchases have been "denied by card", an error which I've never seen before.
Amazon orders have been "canceled by the buyer" with no input or action on my end, relentlessly.
While on VPN (Windscribe and Lion VPN), the same happens. It rarely happens without VPN on, but does still occur. I would assume this is to encourage unencrypted traffic that has already been had due to the exploit.
I am aware that Windscribe was recently exploited and pwned. However, it doesn't seem to make a difference, because the activity I'm witnessing seems to be that of a dirt box.
Could anybody weigh in on a potential fix or solution?
New update, all.
So after calling the provider again, I was told that there was no way for them to monitor everything on the backend and potentially catch them. The rep I spoke to this time assured me he'd been working tech support for the provider for 12 years and they've never been capable of doing so.
He also informed me that as far as getting support from the provider, the best they are going to be able to do, even in level 2 tech support, is verify whether the device is receiving a proper connection from the tower, and if it is and the issue still persists, basic troubleshooting (which I've already done tenfold) would be the next course of action. He informed me that had those troubleshooting options not worked, the next usual step taken would be to advise speaking with the manufacturer, as they would have the ability to remote in and/or replace the device in the event of a failure to fix the issue. However, as explained to the rep at the provider, I've already had replacements sent to me. This issue has persisted through 3 provider changes, 4 new cell phones, and multiple network changes with a new SIM, new number, data rerouting etc.
My last call with the manufacturer resulted in a Cisco-certified level 2 tech remoting into the device with Smart Tutor, and his entire fix applied was a mere opening of my ESET security app and a scan initialized, and suggesting I purchase premium ESET.
That was the course of the whole fix provided by the manufacturer prior to a replacement being provided.
DrRoxxo said:
Hey all, update. I just got off the phone with a Cisco-certified level 2 tech from my provider ...
Sounds like a StingRay IMSI
DrRoxxo said:
Hey all, update. I just got off the phone with a Cisco-certified level 2 tech from my provider ...
APN settings were grayed out, and as a T-Mobile customer using a strictly T-Mobile device purchased and provided by the provider, there is yet a com.vzw.apnlib package or service running in the background.
This is normal.
Banking apps have had passwords changed and purchases have been "denied by card", an error which I've never seen before.
Amazon orders have been "canceled by the buyer" with no input or action on my end, relentlessly.
Probably because orders were placed whilst running a ****ty VPN.
Have you flashed stock firmware through Odin?
DrRoxxo said:
I have just received a brand newT mobile SM-A326U, Samsung galaxy A32 5G USA variant today from the mobiles website. I immediately updated to the newest security and software patch as I have been having issues with security lately imsci catcher, remote code injection, forwarding calls and texts to media servers, mItM etc.
Right away I used "Samsung My files" and enabled hidden file access within Samsung my files. I have always been aware of the need to index thumbs and thumbnail files, databases, etc in the digital camera media images or DCIM folder. Checking /storage/emulated/0 shows three NEW locations. 3 new folders titled Music, Pictures, and video. Within each of these three new folders there is a hidden ".nomedia" file and a hidden file titled "database_uuid". Attempting to delete the Music, Video,, and pictures folders from storage/emulated/0 results in them returning after a reboot. Same files within them. Performing a factory reset and flashing new factory rom and firmware provides the same result. There are those same three folders and those same files. Performing the old create a new file entitled .thumbnails as a dummy file trick didn't resolve this issue either.
I have not used the camera. I have not done anything but open a factory stock browser utilizing the providers data connection.
This has persisted through 3 new devices. A Samsung galaxy A71 5g, a Motorola G power 2021 and now this phone.
Am I being overly paranoid? Is this just a new function of the file system I am unaware of? Is the hidden "database_uuid" supposed to be there? Or have I reason to suspect the worst?
Is the hidden "database_uuid" supposed to be there?
Yes, it's part of the Android system.
Is this just a new function of the file system I am unaware of?
Probably. Android 11 has big changes and so will Android 12.
financeledger said:
APN settings were grayed out, and as a T-Mobile customer using a strictly T-Mobile device purchased and provided by the provider, there is yet a com.vzw.apnlib package or service running in the background.
This is normal.
Banking apps have had passwords changed and purchases have been "denied by card", an error which I've never seen before.
Amazon orders have been "canceled by the buyer" with no input or action on my end, relentlessly.
Probably because orders were placed whilst running a ****ty VPN.
Have you flashed stock firmware through Odin?
I did try flashing through Odin; luckily all went well, however the flaw and some of the suspicious activity continued. I managed to flash stock on 3 of the 4 phones affected and it persisted, sadly. However, you are correct about the VPN; turns out Windscribe had recently been exploited.
financeledger said:
Is the hidden "database_uuid" supposed to be there?
Yes, it's part of the Android system.
Is this just a new function of the file system I am unaware of?
Probably. Android 11 has big changes and so will Android 12.
I am certainly not trying to be argumentative, but I did want to note for the sake of those that may have the same concern: my provider and a few level 2 tech support individuals were able to confirm the database_uuid files are not supposed to be there and are evidence of logging activity.
financeledger said:
Sounds like a StingRay IMSI
I would have to agree. However a stingray would only route traffic through their IMSI catcher. Like a false tower. It's surely a possibility, but it wouldn't account for the suspicious behavior consistent with that of pta malware. This truly seems like a custom exploit someone created. It certainly isn't a Metasploit module.

Question: Active hacker in my phone and this computer. Help me

So far he has deleted all the bookmarks that I saved from this site. The phone RCS doesn't work anymore. They can listen to phone calls and terminate them and spoof incoming calls. I sent one phone to Samsung to be reviewed. At the end of a 3 week review they sent me a check for the phone, and I bought another one from AT&T and I still have this problem. So I would appreciate it if someone could give me some direction for this Flip 3. I like the phone. I am an engineer and designed a few devices using ESP32s, so I know how to flash. I just need to lock this phone down and I will deal with the computer problem later...
Infections across multiple platforms is almost unheard of... what did Samsung find?
It isn't an infection. They are exploiting both devices. I run Norton 360 on both systems. It only slowed them down. And they are 24/7 on me like ex NSA. They haven't stolen anything but they are malicious. Samsung never said. The only thing they said is to buy a different phone. AT&T has an open fraud case because they saw the Tag phone and I changed the phone number several times like some drug dealer with different SIM cards.
I feel like I am in the movie Enemy of the State except I am Will Smith and Gene Hackman rolled up into one.
cjdee1 said:
It isn't an infection. They are exploiting both devices. I run Norton 360 on both systems. It only slowed them down. And they are 24/7 on me like ex NSA. They haven't stolen anything but they are malicious. Samsung never said. The only thing they said is to buy a different phone. AT&T has an open fraud case because they saw the Tag phone and I changed the phone number several times like some drug dealer with different SIM cards.
AT&T has an open fraud case on you... or "them"?
Did malicious things? Losing bookmarks is pretty common and usually has nothing to do with being hacked.
Change Google account and password.
Reset all other accounts the same way on a clean Android. Allow no one physical access to the device and most importantly be careful what you install and download.
Most users don't need a hacker to stalk them; they do it themselves by careless installs and downloads. I'll remind you that XDA is a site filled with hackers... mostly peaceful.
I'm sorry for your troubles; most days hacking isn't needed. Really, to get into someone's account these days you need personal information, which is freely given on social media and whatnot. You should get with Google and do a massive security checkup. Change password, turn on 2FA... the whole swizzle. If all else fails, create a new account completely separate from the affected account/device and start fresh.
I opened the fraud case. They provided the documentation. This has been going on since last year. There was a white paper that came out in November on how the media player was being used to hack in. I deal with this problem every day. One would think they would give up. I have another 20 computers in my office that I am replacing once I get my end under control.
Hmm... maybe move all your info to a new account (make the account on a different IP address, so like have a friend make it maybe), cuz from my understanding the hacker finds you on even a new phone? Delete the accounts that are being hacked and uh, idk what else really.
delete the apps that are being infected
Purge everything from everywhere and start fresh. Honestly, Norton and other programs for virus protection aren't really helpful anymore. I do not see a point in using them when Microsoft does a great job just on their own. It's possible that it could be the cause; most of the time anti-virus programs that aren't part of the main OS are the problem.
Also another note: anything with a Snapdragon and made for the US is locked down. Means no flashing, no anything. Best bet for a device is to find a good old phone that has a lot of support and flash anything on it.
Dr.Lost said:
Also another note: anything with a Snapdragon and made for the US is locked down. Means no flashing, no anything. Best bet for a device is to find a good old phone that has a lot of support and flash anything on it.
If you go below Android 9 you will introduce a slew of high risk vulnerabilities, including some of the worst rootkits. If you're really concerned, use the latest version of 12 with fully active scoped storage and the mess that it is...
In general don't use wifi on Androids.
Keep bluetooth off if not using.
Install only vetted apps. Scan with online Virustotal.
Keep all downloads in the download folder until vetted. Scripted malware JPEGs and PNGs are real and may evade conventional detection. If they get into a database they will raise hell until deleted; open all JPEGs in the download folder before transferring them and check for changes in that folder.
Keep all email in the cloud, avoid downloading any attachments unless absolutely necessary.
If malware is suspected, delete it or factory reset within 2 hours. Reset passwords.
Time stagger backups so they don't all get infected if there is an incident. Back up redundantly to 2 or more HDDs that are physically and electronically isolated from each other and the PC. Use only a known clean PC to access those backups... cross platform malware jumping is rare, cross drive jumping is not.
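The "check for changes in that folder" and "scripted malware JPEGs" points above can be made mechanical. The following is an added example, not code from the thread: it hashes every file in a download folder to a baseline, reports what was added, removed or modified since, and flags hidden dotfiles and "images" whose header bytes do not match their extension. The folder contents are constructed inline so it runs offline.

```python
import hashlib
import tempfile
from pathlib import Path

# Header bytes for the image types the post singles out; an "image" that does
# not start with these deserves a look before it leaves the download folder.
MAGIC = {".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff", ".png": b"\x89PNG\r\n\x1a\n"}

def snapshot(folder):
    """Relative path -> sha256 of every regular file under folder (recursive)."""
    root = Path(folder)
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def diff_snapshots(before, after):
    """Files added, removed, or whose content changed since the baseline."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in before if p in after and before[p] != after[p])
    return added, removed, modified

def suspicious_files(folder):
    """Flag hidden dotfiles and images whose header disagrees with the extension."""
    root, findings = Path(folder), []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = str(p.relative_to(root))
        if p.name.startswith("."):
            findings.append((rel, "hidden dotfile"))
        sig = MAGIC.get(p.suffix.lower())
        if sig and not p.read_bytes().startswith(sig):
            findings.append((rel, "extension/header mismatch"))
    return findings

def demo():
    """Constructed download folder: take a baseline, then let it change."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "cat.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 32)
        (root / "invoice.pdf").write_bytes(b"%PDF-1.4 constructed sample")
        baseline = snapshot(root)
        # Changes that should not happen to vetted files between two checks.
        (root / "cat.jpg").write_bytes(b"<html>constructed, not a JPEG</html>")
        (root / ".nomedia").write_bytes(b"")   # hidden file appeared
        (root / "invoice.pdf").unlink()        # file went missing
        return diff_snapshots(baseline, snapshot(root)), suspicious_files(root)

if __name__ == "__main__":
    print(demo())
```

Point `snapshot()` at the real download folder, store the result, and compare on the next run; any entry in the modified or added lists is a file to re-vet before it is moved anywhere else.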
blackhawk said:
Infections across multiple platforms is almost unheard of... what did Samsung find?
Unheard of? Absolutely not, rare on a cell phone, maybe? I don't know really but it is possible especially if OP pissed off the government
Good luck OP
When it comes time to switch to a new phone, ATT should be moving you to a new account with a fresh SIM. Don't transfer anything. Install anything you had fresh and set it up fresh. If they are giving you a new SIM or attaching the new phone to the same account and someone gained access to the account, they're still being fed every new number and IMEI.
As for pictures and stuff, get a USB-C compatible hard drive. Move it to that. Make sure your virus scanner on the computer is updated and either yank the LAN cable or turn off the router before connecting and scanning it. Once it's clean, connect the drive to the new phone and not the computer.
Sounds like someone cloned your ESN and SIM based on what they were doing. Synced items could be manipulated through a PC hack and one good run of the right software with your phone on the same network made it a phone issue.
Oh, and if they didn't or don't already do it, make sure AT&T logs your previous devices as "lost or stolen" to blacklist the IMEI. That should also make a clone useless for as long as it's a clone.
If you are suspecting a hack, then report to Samsung Members app > Get help > Error report ASAP for help from Samsung's hacking issue team.
luigi90210 said:
Unheard of? Absolutely not, rare on a cell phone, maybe? I don't know really but it is possible especially if OP pissed off the government
Good luck OP
If you download malware files a PC is susceptible to, yes, but generally an infection on an Android doesn't cross platform infect a PC.
It's important to nip any malware in the bud and to isolate that device immediately to limit damage. Any device with malware that I can't eradicate completely within 1 to 2 hours gets nuked, data and all, factory reset. Data is restored then via offline backups.
My PC never has internet access and that's one less huge vector for infection. Even then my backup data drives are isolated from the PC unless in use... multilayered security.
If the DOD, AEC, FBI etc are interested in you, you'll never know it unless they want you to know. When on stake out they always operate as teams. One team is high exposure to gain maximum information and maybe detected but a second picket fence approach team is already in place if the primary team is exposed. Of course they share all knowledge gleaned. The second team you will likely never detect.
Fun fact: field FBI agents blend in, can be wearing blue jeans, orange vest, 3 piece, anything but low key, and drive midrange priced cars that are slightly dirty. The way you ID them is by their behavior and at times location.
If you're not on their menu they may even have a benign friendly conversation with you. They are interesting to chat with.
There is an app on the phone, com.qualcomm.atfwd. Is that a valid program for this phone? I got my old CDMA phone up on T-Mobile. I had the data turned off because it was useless to me. I came back home and I saw the 2 forks moving. The data was turned on and Norton firewall blocked entry, and I had the WiFi in airplane mode on the computer. Now I have skills; the average person would never know. This is why I need a phone that I can lock down.
I believe it started with the phone and then I used Samsung PC software which hacked the computers that I used. I have all the 25 zip files from one phone before it got a chance to load. Anybody interested in them?
The phones have 422 files installed.
cjdee1 said:
There is an app on the phone, com.qualcomm.atfwd. Is that a valid program for this phone? I got my old CDMA phone up on T-Mobile. I had the data turned off because it was useless to me. I came back home and I saw the 2 forks moving. The data was turned on and Norton firewall blocked entry, and I had the WiFi in airplane mode on the computer. Now I have skills; the average person would never know. This is why I need a phone that I can lock down.
WiFi Screen mirroring.
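A first triage step for an unfamiliar package name such as com.qualcomm.atfwd is to check which partition its APK lives on: `adb shell pm list packages -f` prints one `package:<apk path>=<package name>` line per package, and APKs on the read-only firmware partitions shipped with the ROM, while anything under /data was installed afterwards. This is an added example, not code from the thread; the sample output is constructed (the com.qualcomm.atfwd path is a typical system location, the other two packages are invented names). Partition alone is only a first filter: a modified ROM can place files on /system too, so compare the list against the stock firmware for the same build.

```python
import re

# One line of `pm list packages -f` output: package:<apk path>=<package name>
LINE_RE = re.compile(r"^package:(?P<path>.+?)=(?P<name>[\w.]+)$")

# First path component tells you where the APK came from. These read-only
# partitions are part of the firmware image; /data holds later installs.
PREINSTALLED = {"system", "system_ext", "product", "vendor", "odm", "apex"}

def parse_line(line):
    """(package name, apk path) for one output line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return (m.group("name"), m.group("path")) if m else None

def classify(path):
    """Install source of an APK judged from its path."""
    top = path.lstrip("/").split("/", 1)[0]
    if top in PREINSTALLED:
        return "preinstalled"
    if top == "data":
        return "user-installed"
    return "unknown"

def triage(pm_output):
    """Map every package in the output to its install source."""
    result = {}
    for line in pm_output.splitlines():
        parsed = parse_line(line)
        if parsed:
            name, path = parsed
            result[name] = classify(path)
    return result

def unexpected(pm_output, allowlist):
    """Packages not on the firmware partitions and not on the user's own allowlist."""
    return sorted(name for name, src in triage(pm_output).items()
                  if src != "preinstalled" and name not in allowlist)

# Constructed sample output; not captured from a real device.
SAMPLE = """\
package:/system/priv-app/atfwd/atfwd.apk=com.qualcomm.atfwd
package:/product/app/ConstructedCarrierApp/ConstructedCarrierApp.apk=com.example.carrier
package:/data/app/~~x1y2==/com.example.sideloaded-1/base.apk=com.example.sideloaded
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
    print(unexpected(SAMPLE, allowlist={"com.example.carrier"}))
```

Feed it real output with `adb shell pm list packages -f > packages.txt` and keep an allowlist of the apps you installed yourself; whatever `unexpected()` returns is what to look at next.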
cjdee1 said:
There is an app on the phone, com.qualcomm.atfwd. Is that a valid program for this phone? I got my old CDMA phone up on T-Mobile. I had the data turned off because it was useless to me. I came back home and I saw the 2 forks moving. The data was turned on and Norton firewall blocked entry, and I had the WiFi in airplane mode on the computer. Now I have skills; the average person would never know. This is why I need a phone that I can lock down.
I believe it started with the phone and then I used Samsung PC software which hacked the computers that I used. I have all the 25 zip files from one phone before it got a chance to load. Anybody interested in them?
The phones have 422 files installed.
Interested in potentially infected files?
Wanna do malware jpeg swap?
Seriously... scan them with online Virustotal.
I guess I could start over as a last resort. The funny thing is I don't do anything illegal. Whoever it is will be wasting time and costing me time. I am sure they are getting screenshots but I don't think that they do it live. On the PC I have zeroed out the drive but the BIOS is another way. It started when I backed up the phone using different computers on my network.
cjdee1 said:
I guess I could start over as a last resort. The funny thing is I don't do anything illegal. Whoever it is will be wasting time and costing me time. I am sure they are getting screenshots but I don't think that they do it live. On the PC I have zeroed out the drive but the BIOS is another way. It started when I backed up the phone using different computers on my network.
Is the router updated and secured? Lock it down even if you need help to set it up.
On the PC you should try to ID what the malware is and make sure the databases are clean of it before reloading. Protect all backup drives until the PC is known clean.
The BIOS can easily be reflashed.
