Galaxy S7 not keeping folder/App organization - General Questions and Answers

Hey there,
I bought a new Galaxy S7 (Sprint) phone and have made favorite folders placing appropriate apps into them. Internet, Music, Utilities, etc.
However when I reboot the phone the organization of the apps I put there do not stay there! (Firefox disappears from the "Internet" folder, Radio Paradise disappears from the "Music" folder, Astro File manager and X-Plore disappear from the "Utility" folder, etc.) This happens every time I restart or power off the phone. The Apps are not uninstalled they just refuse to stay put where I want them! Repeated placement doesn't make any difference. They just refuse to stay placed where I want them!
I am not rooted.
Thanks for any insight
Micro

As I didn't get any response I continued to dog this issue and have somewhat of an answer that will save anyone else from chasing this issue.
Rebooting in safe-mode, resetting and clearing data with Touch-wiz did not fix this issue.
After live chat with Samsung considering a factory reset their lead Samsung team member recognized this as an issue with Android 7.0 (Nougat) and no action should be taken. It's a known issue with Nougat and a subsequent update will address this issue....

Related

[Q] Problem after rooting LG Optimus Me

Hello!
Two days ago I rooted my phone thanks to this forum. Everything was alright at first, but then I deleted some applications and I think one of them is causing the issue - probably Google Quick Search Box, or some other Google application (deleted a few that seemed innocent enough). I deleted also Facebook, Youtube and Twitter application (all of these were using the internet when the Internet is on and I didn't like it because it is spending me money - that's the reason I ended up rooting my phone).
The problem is when I try to add a new contact or access a new one, I see the android.process.acore ended unexpectedly error. I can see this error also when I do some other applications (Talk for example - not that I need it, just for information). Also, I cannot access the Market application - shows white screen for a second or two and then hides away.
I tried unrooting my phone, removing the battery and sd card out and then putting them in again, doing a hard reset through the buttons (I can't access the Privacy menu on settings also - same error).
I tried updating the software through LG PC Suite, but of course, I got: You have the newest version, update is not required. And of course there is no repair option, which is dumb, but who asks me.
Anyway, if I add some apk files to my sd card through the PC is there any way I could install them on the LG Optimus Me phone? Since I wiped out my phone and have no access to Market (tried opening it through Browser and then logging in, selecting an application and click on Install button - nothing happens), I don't have for example a Root explorer or some other type of exploring application on my phone, nor I have a Barcode scanner application.
Any ideas??
Some new info, thanks to my husband's Samsung Galaxy Gio, through bluetooth succeeded to install Astro File Manager. Now I have access to the sd card. Now I am going to try to find what should be on the android 2.2.2 by default and install it. Hope this would work.
Just to say - still haven't solved the issue with the phone, but I tend to go around it. Hope I will find a solution one day, though.
Maybe you could try downgrading it or do a factory reset via recovery mode

Timid S3/i-535 ignoring saved open wifi hotspots

Have a whole list of open hotspots saved on my phone (I535, NE1) that the intention is that the phone would auto-connect whenever it's in range of any of them, yet it's hit or miss whether or not it wants to even be bothered to connect to them. A lot of the time I have to manually 'prod' it to connect which seems to defeat the whole purpose. Also have a Sprint S3 (L710) which I'd configured similarly yet most of the time it has no problems, only the Verizon one gives me flak. I've tried wiping the offending sites out ('forget') and redoing them but that doesn't seem to help. Is there some setting (open or hidden) that I can change to fix this?

REMOTE ACCESS TO MY PHONE VIA SNAP CHAT / WHATSAPP

I have been using galaxy devices after my iPhone got hacked and it was a relief since then but till now only. The threat i am going to put forth is very complicated yet true and it exists in both of my galaxy devices i.e Samsung Galaxy S8+ (Snapdragon) as well as Samsung Galaxy Note 8 (Snapdragon).
THE PROBLEM:
My both Samsung phones are remotely accessed by someone. Everything i do on screen is being monitored by someone as well as the camera and microphone are being controlled. I know this because my earlier phones(Apple iPhone 6 and VivoY91c) used to be hacked and the hacker would tell me everything i do on screen, every person i chat with, every site i visit, everything that i do on my phone was being monitored. And now same is the case with Samsung. Nothing is private. I even tried to install an app called "screensings" but it was also bypassed very soon.
THE SYMPTOMS:
Strangely, I do not have any symptoms like battery drain, ads, unknown apps or anything of that nature. My phone location changes to "Redkino, Russia" it seems to me by all aspects that I am in Russia. my weather, the ads on Youtube, the people nearby me in apps, friend suggestions on facebook and snapchat. It feels like this phone is physically in Russia. From weather to apps to everything. Even if i see things for sale of OLX it shows Russian items.
THE PROCESS:
As far as I noticed this happens through any app that runs on one device at a time i.e KIK , What's app, Snapchat, Say HI, etc NOT through apps like facebook or twitter or instagram that can run at more than a device at a time. The experts can relate later what it means may be at the end of reading this narrative. Every phone i change , my whats app number remains the same and as soon as i install whats app in new phone or SayHi or Snapchat ID. As soon as i activate my account within an hour or two my phone gets to Russia. As i searched the hacker attaches some trojan through these apps that can be used in device at a time and that trojan drops payloads. The payload gets root access and after that my phone is being monitored and controlled.
MY EFFORTS:
I started with a normal restart. Did not work. I factory reset my phone. It did not work. I flashed the firmware with new custom rom. Didn't work for me. I finally managed to extract the PIT file of my stock firmware and RE-PARTITIONED and NAND ERASED my phone and then installed new firmware. IT WORKED. Which indicated that the malware had reached to system partition. (WHICH IS WHY I AM MAKING THIS COMPLAINT) my phone was back to normal i used it for long like months and then one day again i had the same issue. So i did the same i re-partitioned and NAND erased my phone. But now it will NOT work any longer. I do not know where is the malware hiding itself now? Do i have to change the board of my phone to get rid of it or do i have to change my device? i even flashed verizon firmware on my sprint phone so that may be it will kill the malware but it also did not work. Soon after new firmware my phone is ok as long as it is not connected to internet / WIFI as soon as its connected it gets to Russian like within 5-8 hrs (after firmware flashing). 5-10 mins after (after factory reset). I have to change both of my devices for now. But i Hope and pray that Samsung fixes it soon. Something is getting into the read only system and then after its gotten there Samsung's own security system is protecting it from deletion.
ATTACHMENTS:
My attachments show clearly that i am at KDA KOHAT PK and REDKINO RUSSIA at the same time which is not possible. I even get the location of Russia house where my samsung devices are being monitored or cloned. This is the only sign or symptom but the problem is there for sure as i the whoever the hacker is selling my info is after me and everything i do on my phone is reaching him as it is as if she is watching me right from behind my shoulder. Please look into the matter and find out where lies the vulnerability from where a malware can access phone through an app over wifi and hides in system partition that is immune to factory reset and afterwards some place where its immune to even flashing firmware NAND erase and re-partition.
I think it would have occurred to you after having both an Apple and an Android hacked that the problem is most likely you.
Or perhaps you have Dr No's grandson for a mortal enemy.
A social butterfly with all kinds of messaging apps running (none that I leave run on my phone), what could go wrong?
More than likely it's something you downloaded or loaded...
If the OS you flashed is earlier than Pie it's vulnerable to that type of attack.
A custom rom... built by who?
Here's the kicker; did the malware(s) slip by you onto all your data backups?
blackhawk said:
I think it would have occurred to you after having both an Apple and an Android hacked that the problem is most likely you.
Or perhaps you have Dr No's grandson for a mortal enemy.
A social butterfly with all kinds of messaging apps running (none that I leave run on my phone), what could go wrong?
More than likely it's something you downloaded or loaded...
If the OS you flashed is earlier than Pie it's vulnerable to that type of attack.
A custom rom... built by who?
Here's the kicker; did the malware(s) slip by you onto all your data backups?
Yes, my ex she is after me no matter how many phones i change as soon as i log in to my snap chat or whats app my phone gets hacked. the malware then makes its way to the bootloader earlier a firmware with re partition would do the job but now that is not working. soon after that like an hour or so my phone goes to russia. i am thinking to switch back to new iphone may be it will solve the hacking issue for me or android new device like samsung galaxy a32. what do u suggest. i am all fed up and exhausted.
waqassikander said:
Yes, my ex she is after me no matter how many phones i change as soon as i log in to my snap chat or whats app my phone gets hacked. the malware then makes its way to the bootloader earlier a firmware with re partition would do the job but now that is not working. soon after that like an hour or so my phone goes to russia. i am thinking to switch back to new iphone may be it will solve the hacking issue for me or android new device like samsung galaxy a32. what do u suggest. i am all fed up and exhausted.
Ditch the social apps... for starters.
People use to meet in the streets; the streets are fields that never die.

Whatsapp backup restoring

I'm actually in a very serious problem as I have a problem with restoring my whatsapp messages please help me asap I uninstalled my whatsapp on 16th July and last I backed up it on 7th July. Now when I try to restore the messages after reinstalling it shows my google account but it doesn't show the size of backup and also it says no Internet connection please help me. Also my whatsapp images and whatsapp videos folders have disappeared. I really want to get back my chats. Hope someone will really help me as it means alot to me now
Connect to a wifi or a hotspot, or get better signal than H+
Kenora_I said:
Connect to a wifi or a hotspot, or get better signal than H+
I'm already using WiFi and I tried using mobile data as well both didn't help and I tried resetting network settings and all still it didn't work out
ruinaaaa said:
I'm already using WiFi and I tried using mobile data as well both didn't help and I tried resetting network settings and all still it didn't work out
Did you check your google account the backup.
It could be app problem, try resetting and other stuff.
Kenora_I said:
Did you check your google account the backup.
It could be app problem, try resetting and other stuff.
Hey yes I checked it as well in google drive it shows the backup I can't restore it locally because I deleted the whatsapp databases like or two months ago will it affect this
Try clearing the data and cache of whatsapp or reinstall it.
Kenora_I said:
Try clearing the data and cache of whatsapp or reinstall it.
I tried this too and tried so many things. I watched so many youtube videos and searched a lot in google as well still couldn't find any possible way to recover
Albert83BCN said:
Hi guys!
I have been facing this issue this whole week while trying to move all my chats to a new phone I just bought as with the old one the charging port was dying and I could not bear it anymore. So almost everything restored smoothly from Google Backup and it was like being in my phone again with a few wizard steps but then I installed WhatsApp (WA) and gone through the typical activation and restoring process and, as many, I got stuck at the 24% sometimes, some others 31% and 39%, and never got past the 39%.
I Tried almost everything: restoring from Google Drive, transfer all WhatsApp directory to internal storage and trying to restore from there, etc. Going back to the old phone to create fresh backups just in case they were corrupted as many people suggests, getting every time more delay to be able to activate WhatsApp again up to 12h for both SMS and call activation... just to mess again and feel back at square one, I guess you all feel the pain.
Well, the good news is that I finally managed to restore all the chat history!!! (well, cannot be certain that 100% was restored but I do not miss anything ATM and I can go back up to 2012 chats so I guess that qualifies as "everything" hehe).
So, I'm posting here because I've been searching a lot on the forums and the reddit and for all the people that is having this issue recently, almost no body came back to report success and I know it feels really discouraging It certainly gives the impression that this issue has no fix at all, and that you should accept losing all the chat history and starting from the start again. But from all the data I've been gathering during this week, at least two or three people reported to eventually being able to restore the chat; they fell in one of these two categories: they either transferred to a different phone where the backup seemed to restore okay, and then exported and restored in the target phone with success (something like a "bridge" restore mode, most of the cases I've read did it this way) or they finally succeeded by sheer brute force by trying again and again and again.
I fall in this 2nd category. In the most recent attempt I was doing what I've been doing again and again and again with just minor variations in the workflow and finally succeeded. TL; DR; I think in reality in many cases attempts could succeed by just letting the phone restore the backup endlessly, by not giving up and assuming the restore process went wrong when it has been stuck forever at either 24, 31 or 39% and force closing..
But I know in the midst of desperation OCD kicks in and you want step-by-step success case scenario reproduction so I will tell you all the steps that I followed that I can remember that got me to finally have the backup to end successfully:
0. First of all, in the winning attempt I had already uninstalled WA from the new phone and removed totally the WA folder in the internal storage / sdcard storage. Not sure this is mandatory but just to tell this was the case.
1. Since I got WA working perfectly on the old phone at every moment, I backed up locally for the Nth f%!?&·( time. This left me with the latest local backup plus a few others in the databases folder as a result of keep messing up.
2. I copied the full WhatsApp directory from the internal storage of the old phone to a safe place. This could be the PC or whatever, but PC transfer via USB seems too sloppy. You maybe could do it via ADB, whatever, I went by the route of coping it to the external SD with some random explorer utility like ES File Explorer. It does not matter, the point is to be able to backup the full WhatsApp folder in order to restore it as similar as possible as the original. What we are more interested right now is in the database folder but having all images, videos etc in place will help in getting it like before the easiest way. (Disclaimer: Ok guys sorry if some steps are too obvious to XDA users which usually are highly educated in the matter, but I was thinking of sharing/linking this text on the reddit and others, so please bear with it).
3. I installed latest WA in the new phone, opened the app (I intended to not open but I somewhat forgot) and got to the welcome screen, immediately closed the app at that step.
3. I restored the full folder to the new phone internal storage, pure copy/paste style (as said, in my case via the SD since both phones have SD slot and was very convenient, but via USB, cloud, etc. can be done).
4. I went to the databases folder and only kept the msgstore.db.crypt12 file and the latest backup with a date (ie: msgstore-2019-11-21.db.crypt12), deleted the rest. Honestly I do not think this is crucial but I somewhat wanted to make it easier for WA to know which one to target, I thought about keeping only the msgstore.db.crypt12 but some random dude pointed that the one with the date was needed. I was under the assumption that file structure is identical in both but just wanted to get done with this and keep both, just in case.
5. Before opening again the WA to try to activate and restore with this full local copy, I opened the Android settings app and went to applications > WhatsApp > storage, as suggested by user redweaver, thanks for the tip! By keeping looking at the storage usage of the app during the restore process we could get insight about if it was really doing something or the app was really stuck. Keep open for now. In my case, I saw also on the old phone that my data used for the app was 780+ MB, so I had an idea of what should be on the new phone by the time it finished (if it did!).
5b. I don't think this is really necessary but I did it just in case. I was planning to go to work and let the thing running as long as it would need, and I would make sure that the process would get maximum uptime and nothing would get in the way. So I went to Applications > WhatsApp > Battery usage (or something like it) and disabled the battery optimizations for this app. I also went to the developer mode settings and enabled do not lock the phone while it is charging and everything that looked like it might be relevant. Again, most likely this has nothing to do, but reproducible steps, right?
6. Now open WA and activate it as usual, but when it seems that the activation step ended and you go to the next screen, immediately put the phone in air plane mode or disable data/WiFi, whatever. The goal is that it cannot reach Google Drive to look for the online backup. Honestly maybe in the end is not the culprit of GDrive but many people states that the GD backup is broken at this time and suggests going the local route, so we will do it like this.
7. WA should tell you that looking for the backup is going too slow and to skip this step (sorry to not have exact message, I have it in Spanish, but something in these lines, BTW excuse my somewhat limited English ). The point here is to click on the link that says skip the step and when you are prompted with a popup, click also on Skip.
8. WA will display the typical restore / transfer-like screen where the process starts. At this point you have to enable again data plan / WiFi at least or exit air plane mode, don't know really but even if restoring from local it complains about not having internet connection, maybe needs it to encrypt with the key or something? don't know.
9. Now is the feared moment! Even this time, I got somewhat stuck at 31% again. I left it do its thing, and some time later, it prompted for the popup that has a progress-bar from 0 to 100 (honestly, what is the difference between both?!) which also got stuck at 31%. If you let it be, it starts going back and forth many times, I guess maybe its going chat per chat and the progress-bar represents each one? Dunno. Thing is, even in the prior attempts I got at this point and the backup did not finish successfully. But this time I was decided to let it do its thing as much time as it would take, until the end. In the process the phone might display a pop up saying that WA does not respond. I clicked a few times in the 'keep waiting' option, then I just forgot because I did not have time to mess with it and hoped that it was still working on the background, which bring us to step 10.
10. While we are contemplating the backup process, we can go to the settings app again and look how the internal data is going for the WA. In my case, after some time under the restore process, when I went there I saw WA had occupied 0.91 GB of data space. After going back and forth again between WA and settings, the usage keep growing: 0.96, 1.03, 1.10... I thought it was on the right track, and encouraged me to keep waiting. Maybe in the end the process is too slow for old databases. Note that some people speculates that having messages from very long ago might be the culprit here due to changes in the table structure and that this might be the reason breaking the restore process. And maybe it is the case, but even if it is, in my case I finally succeeded where previously I didn't and without deleting anything, so this does not seem to be a deal-breaker or I would have never succeeded. I say it because some people reported that deleting old conversations and trying again finally made them succeed. Now I suspect the true reason was simply that by making the database smaller the process finished earlier, but YMMV.
11. Cannot be totally sure, but in my case, I noticed that leaving WA on the background and clicking on the WA icon again might stop the process for true and bring a message about not being able to recover the chats, I got this previously, do not try to open the WA normally, only leave it temporarily to look to the space usage in the settings to get back to it by swiping between recent apps to keep the same instance open and working, this was a key point in my success trial that did not happen during the previous ones.
12. And finally, while I kept switching between WA and the settings and when I last saw like 1.30GB of space used (almost twice the space compared to the old phone, maybe it leaves a lot of temp data) I don't know if I either messed with the app-switching or it really finished, but then I got prompted to the screen where you enter your name or nickname. And when I completed this step, I finally got to the chats screen and everything was like in the old phone! Where previously I would get to a lot of empty chat rooms with maybe 40 total messages restored according to WA. Hurray!
Notice that in my case it was still reporting 31% on the WA background screen under the progress bar popup when it finished!! so it seems that is not really mandatory to experience the 100% complete to have it work in the end, but YMMV.
OK, maybe not the most elegant "guide" out there but I wrote it in a hurry and my english sucks, I just hope it might help someone to not lose their WA chats forever.
Good luck!
Edit: I almost forgot but, for the sake of completeness. I also tried a certain script that can backup WA from the phone and retrieve the encryption key, it will also leave an unencrypted copy of the chats database that can later be viewed with a WhatsApp viewer like this. The script is called WhatsApp Key/DB Extractor, and it still works as of 2019, just look at the latest posts in the thread. Guys here on XDA most likely know about it but if not, you might give it a try. I tried it because I assumed that maybe I could circumvent the restore issues by going that route and pushing the backup via ADB, but turns out the legacy WA won't prepare the database due to the time out of sync issue, or at least the data seemed to be lost after performing the restore process, and the unencrypted database on the PC cannot be digested by WA latest versions by just putting it into the internal storage directly according to what other users commented. But, if you finally give up trying the restore process, it still could be relieving to know that you keep a local copy in the PC that can be viewed with another PC tool, at least you get a backup and the conversations are there, in a different way though. Maybe in the future there's a process that can restore them again to a different phone, and you could then merge the new chat database with the older backup with tools like Merjeapp.
This has the solution
Kenora_I said:
This has the solution
Thank you but today I read this in the afternoon. This guy has solved it through whatsapp databases but I don't have a way go backup locally as I deleted my whatsapp databases two months ago. All I can do is recovering from google drive but the thing in this guy's scenario his chat was actually being restoring but I can't even do that since it says that I have an Internet connection problem

Question Am I hacked?

I have just received a brand new T-Mobile SM-A326U, Samsung galaxy A32 5G USA variant today from the mobiles website. I immediately updated to the newest security and software patch as I have been having issues with security lately: IMSI catcher, remote code injection, forwarding calls and texts to media servers, MitM etc.
Right away I used "Samsung My files" and enabled hidden file access within Samsung my files. I have always been aware of the need to index thumbs and thumbnail files, databases, etc in the digital camera media images or DCIM folder. Checking /storage/emulated/0 shows three NEW locations. 3 new folders titled Music, Pictures, and video. Within each of these three new folders there is a hidden ".nomedia" file and a hidden file titled "database_uuid". Attempting to delete the Music, Video, and pictures folders from storage/emulated/0 results in them returning after a reboot. Same files within them. Performing a factory reset and flashing new factory rom and firmware provides the same result. There are those same three folders and those same files. Performing the old create a new file entitled .thumbnails as a dummy file trick didn't resolve this issue either.
I have not used the camera. I have not done anything but open a factory stock browser utilizing the providers data connection.
This has persisted through 3 new devices. A Samsung galaxy A71 5g, a Motorola G power 2021 and now this phone.
Am I being overly paranoid? Is this just a new function of the file system I am unaware of? Is the hidden "database_uuid" supposed to be there? Or have I reason to suspect the worst?
Fixes tried include
>a factory data reset or two, dalvik cache wipe included.
>Calling the provider's tech support line.
>Calling the manufacturer.
>ODIN flash of stock factory ROM and firmware.
These are fixes performed on both the Samsung Galaxy A71 5G, and the Motorola G Power 2021. This phone (Samsung galaxy A32 5G) has a locked bootloader thus far and I haven't tried a flash yet, however I have tried the aforementioned fixes.
>Creating a dummy file entitled .thumbnails.
>deleting the folders entitled Video, Music, and Picture in storage/emulated/0 followed by a reboot.
What have you done to make yourself paranoid? Those are normal hidden files.
target_relative said:
What have you done to make yourself paranoid? Those are normal hidden files.
Haha, I can totally see why one would assume I've done something to reach such levels of paranoia but I assure u it is because I am on my journey through the web security exams. I have had enough field experience in the security audit role to notice odd behavior and activity, but not enough experience to prevent or patch it. However, I have some data siphoning neighbors so my first assumption was someone was pilfering my incoming and outgoing data during contractual gigs. Considering the data that is sometimes transmitted, one can totally assume the worst. That's how zero days occur. Anyway, thank you so much for the assurance, one thing I need to really brush up on is the android OS file system.
Wondering if a senior member would be so kind as to weigh in on this one. It's not that I don't believe the answer provided, it's that clarity can be had by the collective opinion. If others were to say the same, I'd be inclined to say, yep, those are certainly normal hidden files. However, I never noticed either folder or the database_uuid file recently until after an attack on the local network. Hence my suspicion and thought process around the data siphoning neighbors.
Factory reset. Cured... whatever it was.
Now ^that's^ being paranoid
blackhawk said:
Factory reset. Cured... whatever it was.
Now ^that's^ being paranoid
Not as much as you'd think. Prior to all this I had my tenth PC custom built rig go down due to persistent malware that found its way into the bios and reflashed the bios and then further flashed itself into a level between bios and boot. Still hopping from device to device. PTA or persistent threat actors aren't nearly as hard to come by in the wild when u study cyber security enough. Finding yourself in an officially sanctioned red team/ blue team op and performing well whilst also blazingly bragging about your leet skills on social media will quickly garner a few PTAs.
It's not hard to assume someone in the area could monitor the device for restarts and or factory reset on a root level and then push an injection into either the zygote or an OTA update as the device begins setup. Or even easier remote code execution targeting the "Sign in with Google account" portion of device setup.
DrRoxxo said:
Wondering if a senior member would be so kind as to weigh in on this one. It's not that I don't believe the answer provided, it's that clarity can be had by the collective opinion. If others were to say the same, I'd be inclined to say, yep, those are certainly normal hidden files. However, I never noticed either folder or the database_uuid file recently until after an attack on the local network. Hence my suspicion and thought process around the data siphoning neighbors.
This should help answer your question:
https://en.wikipedia.org/wiki/Hidden_file_and_hidden_directory#Android
tavella said:
This should help answer your question:
https://en.wikipedia.org/wiki/Hidden_file_and_hidden_directory#Android
This explains how the .nomedia file works. Which I assumed was natural after a bit of research, what concerns me is within each new folder titled Movies, Music, and video, there is a .nomedia folder. Not a big deal, but then there is a "Database_uuid" file within each of those .thumbnails folders. Which I do not currently understand the purpose or concept of. Prior, I understood the .nomedia file and the need for .thumbnails and .thumbs etc, but I had never once noticed the database_uuid file within those folders on my boredom inspired file dives.
Thank you to all the new and Senior members who helped me to understand this issue.
I truly appreciate the reassurance and responses.
I don't know if there is a way to do so as I am quite new to XDA myself, but I'd like to mark this issue as resolved.
resolution: Stop being so paranoid
tavella said:
This should help answer your question:
https://en.wikipedia.org/wiki/Hidden_file_and_hidden_directory#Android
Samsung file explorer can see .nomedia files if that option is enabled in its settings.
Protected backup files are sometimes "hidden" like this... so it's useful to have that option enabled especially when making backup copies.
They appear greyed out indicating they are hidden.
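A way to put the hidden-file question on an evidence footing, as an added example that is not part of the original thread: the Python code below inventories dot-files in a copy of shared storage (for instance one pulled to a computer with `adb pull`) and diffs two snapshots, such as before and after a reboot or factory reset. The `.database_uuid` name with a leading dot, the kind labels, and the sample tree built by `build_sample` are assumptions constructed for this example.

```python
import hashlib
import os
import uuid
from pathlib import Path

def classify(name, data):
    """Label a dot-file; the labels are this example's own, not Android's."""
    if name == ".nomedia":
        return "empty-marker" if not data else "marker-with-content"
    if name == ".database_uuid":  # assumed on-disk name (leading dot = hidden)
        try:
            uuid.UUID(data.decode("ascii").strip())
            return "uuid-text"
        except ValueError:  # also covers UnicodeDecodeError
            return "unexpected-content"
    return "other"

def inventory_hidden(root):
    """Map relative path -> kind, size, sha256 for every dot-file under root."""
    root, found = Path(root), {}
    for dirpath, _dirs, files in os.walk(root):
        for name in (f for f in files if f.startswith(".")):
            path = Path(dirpath) / name
            data = path.read_bytes()
            found[path.relative_to(root).as_posix()] = {
                "kind": classify(name, data),
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
            }
    return found

def diff_inventories(before, after):
    """Dot-files that appeared, vanished or changed between two snapshots."""
    shared = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "changed": sorted(p for p in shared if before[p]["sha256"] != after[p]["sha256"]),
    }

def build_sample(root, db_uuid):
    """Constructed sample tree imitating the layout described in the thread."""
    for folder in ("Music", "Pictures", "Movies"):
        thumbs = Path(root) / folder / ".thumbnails"
        thumbs.mkdir(parents=True)
        (thumbs / ".nomedia").write_bytes(b"")
        (thumbs / ".database_uuid").write_text(db_uuid)
```

Run `inventory_hidden()` on each pulled copy and pass the two results to `diff_inventories()`; entries whose kind is `marker-with-content` or `unexpected-content` are the ones worth opening by hand.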
Hey all, Update.
I just got off the phone with a Cisco certified level 2 tech from my provider, T-mobile. They verified what was going on was indeed a sophisticated attack. The database_uuid files point to not just stealing data, but logging all activities. They are attempting a honeypot on the back end to attempt to catch the individual. They have begun monitoring the network for suspicious activity (for whatever it's worth). The technician verified that this sounds like a remote code execution taking place at the text entry field of "setup a new account" after factory reset.
Edit: One of the fixes provided was a full reroute. Data now comes as if I'm in a different location. I don't know how much of a difference it'll make but to note some of the oddities I've faced:
When browsing a random word, results display fine. When browsing search terms related to my issues, I get a "malicious traffic has been detected on this network" error from Chrome, Brave, and Firefox. Clearing data on those browsers sometimes works to resolve it, other times it persists.
When attempting to stream a searched title in any streaming service, the title fails to play, yet when choosing a random stream it plays fine.
When attempting to play any chosen online game, I get internet errors; the hotspot shows internet but no connectivity. When choosing a random game, it plays fine.
When signing up for Facebook, even with a newly created email for this purpose, I get a text verification code immediately from what seems to be official FB shortcode but appended at the bottom of the text is a signature: Laz.nx.carlw
Searching this signature shows hundreds of other users whose accounts were pwnd by the same method.
Since the issue seems to be at the account creation screen after a factory reset, I've tried creating new Google accounts to set up the device with; however, almost immediately, passwords are changed.
APN settings were grayed out, and as a T-Mobile customer using a strictly T-Mobile device purchased and provided by the provider, there is yet a com.vzw.apnlib package or service running in the background. Attempting to locate this service or package in every manner fails.
Banking apps have had passwords changed and purchases have been "denied by card", an error of which I've never seen before.
Amazon orders have been "canceled by the buyer" with no input or action on my end relentlessly.
While on VPN, Windscribe and Lion VPN, the same happens. It rarely happens without VPN on, but does still occur. I would assume this is to encourage unencrypted traffic that has already been had due to the exploit.
I am aware that Windscribe was recently exploited and pwnd. However, it doesn't seem to make a difference because the activity I'm witnessing seems to be that of a dirt box.
Could anybody weigh in on a potential fix or solution?
New update all.
So after calling again to the provider I was told that there was no way for them to monitor everything on the backend and potentially catch them. The rep I spoke to this time assured me he'd been working tech support for the provider 12 years and they've never been capable of doing so.
He also informed me that as far as getting support from the provider, the best they are going to be able to do even in level 2 tech support is verify whether the device is receiving a proper connection from the tower, and if it is and the issue still persists, basic troubleshooting (which I've already done tenfold) would be the next course of action. He informed me that had those troubleshooting options not worked, the next usual step taken would be to advise to speak with the manufacturer as they would have the ability to remote in and/or replace the device in the event of a failure to fix the issue. However, as explained to the rep at the provider, I've already had replacements sent to me. This issue has persisted through 3 provider changes, 4 new cell phones, and multiple network changes in new SIM, new number, data rerouting etc.
My last call with the manufacturer resulted in a Cisco certified level 2 remoting into the device with Smart Tutor, and his entire fix applied was a mere opening of my ESET security app and a scan initialized. And suggesting I purchase premium ESET.
That was the course of the whole fix provided by the manufacturer prior to a replacement being provided.
DrRoxxo said:
Hey all, Update.
I just got off the phone with a Cisco certified level 2 tech from my provider, T-mobile. They verified what was going on was indeed a sophisticated attack. The database_uuid files point to not just stealing data, but logging all activities. They are attempting a honeypot on the back end to attempt to catch the individual. They have begun monitoring the network for suspicious activity (for whatever it's worth). The technician verified that this sounds like a remote code execution taking place at the text entry field of "setup a new account" after factory reset.
Edit: One of the fixes provided was a full reroute. Data now comes as if I'm in a different location. I don't know how much of a difference it'll make but to note some of the oddities I've faced:
When browsing a random word, results display fine. When browsing search terms related to my issues, I get a "malicious traffic has been detected on this network" error from Chrome, Brave, and Firefox. Clearing data on those browsers sometimes works to resolve it, other times it persists.
When attempting to stream a searched title in any streaming service, the title fails to play, yet when choosing a random stream it plays fine.
When attempting to play any chosen online game, I get internet errors; the hotspot shows internet but no connectivity. When choosing a random game, it plays fine.
When signing up for Facebook, even with a newly created email for this purpose, I get a text verification code immediately from what seems to be official FB shortcode but appended at the bottom of the text is a signature: Laz.nx.carlw
Searching this signature shows hundreds of other users whose accounts were pwnd by the same method.
Since the issue seems to be at the account creation screen after a factory reset, I've tried creating new Google accounts to set up the device with; however, almost immediately, passwords are changed.
APN settings were grayed out, and as a T-Mobile customer using a strictly T-Mobile device purchased and provided by the provider, there is yet a com.vzw.apnlib package or service running in the background. Attempting to locate this service or package in every manner fails.
Banking apps have had passwords changed and purchases have been "denied by card", an error of which I've never seen before.
Amazon orders have been "canceled by the buyer" with no input or action on my end relentlessly.
While on VPN, Windscribe and Lion VPN, the same happens. It rarely happens without VPN on, but does still occur. I would assume this is to encourage unencrypted traffic that has already been had due to the exploit.
I am aware that Windscribe was recently exploited and pwnd. However, it doesn't seem to make a difference because the activity I'm witnessing seems to be that of a dirt box.
Could anybody weigh in on a potential fix or solution?
Sounds like a StingRay IMSI
DrRoxxo said:
Hey all, Update.
I just got off the phone with a Cisco certified level 2 tech from my provider, T-mobile. They verified what was going on was indeed a sophisticated attack. The database_uuid files point to not just stealing data, but logging all activities. They are attempting a honeypot on the back end to attempt to catch the individual. They have begun monitoring the network for suspicious activity (for whatever it's worth). The technician verified that this sounds like a remote code execution taking place at the text entry field of "setup a new account" after factory reset.
Edit: One of the fixes provided was a full reroute. Data now comes as if I'm in a different location. I don't know how much of a difference it'll make but to note some of the oddities I've faced:
When browsing a random word, results display fine. When browsing search terms related to my issues, I get a "malicious traffic has been detected on this network" error from Chrome, Brave, and Firefox. Clearing data on those browsers sometimes works to resolve it, other times it persists.
When attempting to stream a searched title in any streaming service, the title fails to play, yet when choosing a random stream it plays fine.
When attempting to play any chosen online game, I get internet errors; the hotspot shows internet but no connectivity. When choosing a random game, it plays fine.
When signing up for Facebook, even with a newly created email for this purpose, I get a text verification code immediately from what seems to be official FB shortcode but appended at the bottom of the text is a signature: Laz.nx.carlw
Searching this signature shows hundreds of other users whose accounts were pwnd by the same method.
Since the issue seems to be at the account creation screen after a factory reset, I've tried creating new Google accounts to set up the device with; however, almost immediately, passwords are changed.
APN settings were grayed out, and as a T-Mobile customer using a strictly T-Mobile device purchased and provided by the provider, there is yet a com.vzw.apnlib package or service running in the background. Attempting to locate this service or package in every manner fails.
Banking apps have had passwords changed and purchases have been "denied by card", an error of which I've never seen before.
Amazon orders have been "canceled by the buyer" with no input or action on my end relentlessly.
While on VPN, Windscribe and Lion VPN, the same happens. It rarely happens without VPN on, but does still occur. I would assume this is to encourage unencrypted traffic that has already been had due to the exploit.
I am aware that Windscribe was recently exploited and pwnd. However, it doesn't seem to make a difference because the activity I'm witnessing seems to be that of a dirt box.
Could anybody weigh in on a potential fix or solution?
APN settings were grayed out, and as a T-Mobile customer using a strictly T-Mobile device purchased and provided by the provider, there is yet a com.vzw.apnlib package or service running in the background.
This is normal.
Banking apps have had passwords changed and purchases have been "denied by card", an error of which I've never seen before.
Amazon orders have been "canceled by the buyer" with no input or action on my end relentlessly.
Probably because orders were placed whilst running ****ty VPN.
Have you flashed stock firmware through Odin?
DrRoxxo said:
I have just received a brand new T-Mobile SM-A326U, Samsung Galaxy A32 5G USA variant today from the mobiles website. I immediately updated to the newest security and software patch as I have been having issues with security lately: IMSI catcher, remote code injection, forwarding calls and texts to media servers, MitM etc.
Right away I used "Samsung My Files" and enabled hidden file access within Samsung My Files. I have always been aware of the need to index thumbs and thumbnail files, databases, etc in the digital camera media images or DCIM folder. Checking /storage/emulated/0 shows three NEW locations. 3 new folders titled Music, Pictures, and video. Within each of these three new folders there is a hidden ".nomedia" file and a hidden file titled "database_uuid". Attempting to delete the Music, Video, and Pictures folders from storage/emulated/0 results in them returning after a reboot. Same files within them. Performing a factory reset and flashing new factory ROM and firmware provides the same result. There are those same three folders and those same files. Performing the old create a new file entitled .thumbnails as a dummy file trick didn't resolve this issue either.
I have not used the camera. I have not done anything but open a factory stock browser utilizing the providers data connection.
This has persisted through 3 new devices. A Samsung galaxy A71 5g, a Motorola G power 2021 and now this phone.
Am I being overly paranoid? Is this just a new function of the file system I am unaware of? Is the hidden "database_uuid" supposed to be there? Or have I reason to suspect the worst?
Is the hidden "database_uuid" supposed to be there?
Yes, it's part of the Android system.
Is this just a new function of the file system I am unaware of?
Probably. Android 11 has big changes and so will Android 12.
financeledger said:
APN settings were grayed out, and as a T-Mobile customer using a strictly T-Mobile device purchased and provided by the provider, there is yet a com.vzw.apnlib package or service running in the background.
This is normal.
Banking apps have had passwords changed and purchases have been "denied by card", an error of which I've never seen before.
Amazon orders have been "canceled by the buyer" with no input or action on my end relentlessly.
Probably because orders were placed whilst running ****ty VPN.
Have you flashed stock firmware through Odin?
I did try flashing through Odin; luckily all went well. However, the flaw and some of the suspicious activity continued. I managed to flash stock on 3 of the 4 phones affected and it persisted, sadly. However, you are correct about the VPN; turns out, Windscribe had recently been exploited.
financeledger said:
Is the hidden "database_uuid" supposed to be there?
Yes, it's part of the Android system.
Is this just a new function of the file system I am unaware of?
Probably. Android 11 has big changes and so will Android 12.
I am certainly not trying to be argumentative, but I did want to note for the sake of those that may have the same concern: my provider and a few level 2 tech support individuals were able to confirm the database_uuid files are not supposed to be there and are evidence of logging activity.
financeledger said:
Sounds like a StingRay IMSI
I would have to agree. However a stingray would only route traffic through their IMSI catcher. Like a false tower. It's surely a possibility, but it wouldn't account for the suspicious behavior consistent with that of pta malware. This truly seems like a custom exploit someone created. It certainly isn't a Metasploit module.