Related
Hello,
I have a lg ls775 and under the user security certificates there is one called sprfw01. I have no idea why or what its for. Im on the sprint network. Is there a way i can inspect the cert or atleast figure out whats using it? Any info is greatly appreciated. Thnx guys!
Could this be from pairing my phone with some device ie. Smart watch or another phone?
Its actually under User credentials. Hope that can jog anyones memory as to what this may be.
I'm currently using the same phone as you and on the same carrier, and just noticed this user credential the other day as well. I didnt recognize it so I deleted it. I'm afraid I cant tell you if it really affected my device as it was already giving me some issues before I deleted the credential. At the time, and again today, I looked for the same answer as you and haven't found any additional information on it, so I can't be much help with exactly why it's there or what put it there.
However, I may be able to help put your mind at ease since I did happen to do a factory reset today and even though I deleted it before, it was back afterward. So my guess is that its not dangerous. (again, thats my opinion, hopefully someone can confirm if I am correct)
Some details to that lead me to think it's safe:
My LG G6 isn't rooted, and was not before the redo. (so technically nothing should have been able to reinstall it that was nefarious)
I didn't install any potentially shady apps when I did the factory reset ( at time of writing this, just a few big name apps from the play store, no random restored apks or anything like that).
I pulled my SD card out before the wipe and haven't put one back in yet, so that rules out something left over on there working itself back in somehow.
I allowed google to "restore" my most recent backup it made, but the most recent backup was AFTER I removed the credential so it shouldn't have been on there (google backups seems to restore very little anyway, and requests all backed up app downloads from the Play store) .
I have connected it to my home secured wifi.
No bluetooth connections yet.
No sharing to any devices or NFC usage, etc.
So from all of that, I believe it is either a Sprint thing, an LG UI thing, or something specific to the LG g6 model, and built into the factory settings. That's just my thoughts, but I thought maybe my experience might make you feel a little more at ease. Hopefully someone can reply with what the heck it actually is though, because little things like not being able to figure out the source of this drive me crazy even after all of that.
Just an update, I was looking through my LG V30+ and found the same credentials stored on this device too. No additional details on it's purpose were really gained from it though. Picture attached.
"User Credential" "sprfw01" also on LG ls 775
I saw the same thing and I searched "sprfw01" . I was wondering what it was. I also have this "User Credential" on an LG ls 775 on Sprint.
Passwords Saved Credential
I did some research into this and what I see is it's a credential from when you saved your passwords for an example unlock screen & any passwords like I have to specific websites.
Jusy my thoughts...
*Any good unlock or root for the ls993?
Okay so ive been battling this for sometime. I'm starting to get a little more knowledgeable but still don't know what to do with all this.I experienced this first back in 2015 then I completely made a switch. Well now I'm back to same issues.
The problems I'm experiencing is it's happening on all the devices I have. The phone I'm on now bought brand new from metropcs. and not even a day 30minutes later I get an update for the phone. I new not to install or download. But it inventively did. Now it's sitting on my storage wanting me to move files to root.
LET ME MAKE THIS CLEAR. NON OF MY DEVICES ARE ROOTED.
to make this short. My devices seem to have a Bluetooth admin. And connects to any Bluetooth device without me knowing.
So far from what I see chromium and stage fright is a big part of what I'm seeing.
I'm attaching some pictures to give more detail look. And it's not just my Android devices it's my Xbox one S as well.
looking to completely remove. I'm not trying to waste money on switching networks or completly going Mia.
Fast responses please.
Sincerly,
-Desperate androidian
BLEEDCOLORYOU said:
Okay so ive been battling this for sometime. I'm starting to get a little more knowledgeable but still don't know what to do with all this.I experienced this first back in 2015 then I completely made a switch. Well now I'm back to same issues.
The problems I'm experiencing is it's happening on all the devices I have. The phone I'm on now bought brand new from metropcs. and not even a day 30minutes later I get an update for the phone. I new not to install or download. But it inventively did. Now it's sitting on my storage wanting me to move files to root.
LET ME MAKE THIS CLEAR. NON OF MY DEVICES ARE ROOTED.
to make this short. My devices seem to have a Bluetooth admin. And connects to any Bluetooth device without me knowing.
So far from what I see chromium and stage fright is a big part of what I'm seeing.
I'm attaching some pictures to give more detail look. And it's not just my Android devices it's my Xbox one S as well.
looking to completely remove. I'm not trying to waste money on switching networks or completly going Mia.
Fast responses please.
Sincerly,
-Desperate androidian
Click to expand...
Click to collapse
The Android community isn't what it used to be that's for sure. No help, no suggestions. Just nothing.
BLEEDCOLORYOU said:
Okay so ive been battling this for sometime. I'm starting to get a little more knowledgeable but still don't know what to do with all this.I experienced this first back in 2015 then I completely made a switch. Well now I'm back to same issues.
The problems I'm experiencing is it's happening on all the devices I have. The phone I'm on now bought brand new from metropcs. and not even a day 30minutes later I get an update for the phone. I new not to install or download. But it inventively did. Now it's sitting on my storage wanting me to move files to root.
LET ME MAKE THIS CLEAR. NON OF MY DEVICES ARE ROOTED.
to make this short. My devices seem to have a Bluetooth admin. And connects to any Bluetooth device without me knowing.
So far from what I see chromium and stage fright is a big part of what I'm seeing.
I'm attaching some pictures to give more detail look. And it's not just my Android devices it's my Xbox one S as well.
looking to completely remove. I'm not trying to waste money on switching networks or completly going Mia.
Fast responses please.
Sincerly,
-Desperate androidian
Click to expand...
Click to collapse
I'm no expert but I'm struggling to see your exact issue you seem to think you have, is it just t your Bluetooth is switching on. All those licences, security certs, file locations etc look normal to me (without checking numbers or being able to compare to same phone os etc) though I have disabled many of those certs eg the Turkish ones etc & my Bluetooth files are different but I can find ref hill those locations online eg Xieomi phones
You appear to have a ZTE, please give model number and current OS & rev (must be stock I suppose). ZTE was found with a backdoor in older phones, sending data to China, so it's possible, & some Chinese phones also update their apps without notification. But as you say your whole network appears compromised so the source may be something else, like your router/modem, or Bluetooth as you think (though some apps require Bluetooth admin permission legitimately, you can disable it as an Admin). Tell us what behaviors you are seeing that you believe are malicious. New phone update soon after you turn on is quite common, as I'm sure you know.
When I had a quick look at your log it did have a lot of activity going to the US DOD, would you expect this, as well as the usual google & Facebook connections. Though (perhaps) strangely also to a server from a small marketing company here in Australia, but I'm no expert even if I looked at your log line by line I wouldn't understand it all.
Ref his other post
https://forum.xda-developers.com/general/security/security-global-family-credientals-t3665851
Things to try. Run a reputable antivirus. Boot into safe mode, so only system apps run, is it still happening? Can you turn off anything that is listed as a device admin? Try run a root checker app. Even if it all comes back negative you may still have a problem as a port may already have been opened and malicious app self deleted or something. Use an app like Fing to see if any device you don't recognise are connected to your network.
You may be able to block some activity if it's not going through root with a firewall eg NetGuard no root firewall, start with everything blocked.
Above are just some general hints, without knowing specifics I can only suggest you backup any stuff you want to keep then factory reset everything & change ALL passwords to strong ones (no good just adding a number on the end of your old ones!), better still reflash all firmware (updates if available) to overwrite everything. This incl your internet access points eg router, and only reconnect to the net/networks after you have done them all (one at a time preferably then you may be able to identify source of problems)
That turned out a lot longer than I intended!
IronRoo said:
I'm no expert but I'm struggling to see your exact issue you seem to think you have, is it just t your Bluetooth is switching on. All those licences, security certs, file locations etc look normal to me (without checking numbers or being able to compare to same phone os etc) though I have disabled many of those certs eg the Turkish ones etc & my Bluetooth files are different but I can find ref hill those locations online eg Xieomi phones
You appear to have a ZTE, please give model number and current OS & rev (must be stock I suppose). ZTE was found with a backdoor in older phones, sending data to China, so it's possible, & some Chinese phones also update their apps without notification. But as you say your whole network appears compromised so the source may be something else, like your router/modem, or Bluetooth as you think (though some apps require Bluetooth admin permission legitimately, you can disable it as an Admin). Tell us what behaviors you are seeing that you believe are malicious. New phone update soon after you turn on is quite common, as I'm sure you know.
When I had a quick look at your log it did have a lot of activity going to the US DOD, would you expect this, as well as the usual google & Facebook connections. Though (perhaps) strangely also to a server from a small marketing company here in Australia, but I'm no expert even if I looked at your log line by line I wouldn't understand it all.
Things to try. Run a reputable antivirus. Boot into safe mode, so only system apps run, is it still happening? Can you turn off anything that is listed as a device admin? Try run a root checker app. Even if it all comes back negative you may still have a problem as a port may already have been opened and malicious app self deleted or something. Use an app like Fing to see if any device you don't recognise are connected to your network.
You may be able to block some activity if it's not going through root with a firewall eg NetGuard no root firewall, start with everything blocked.
Above are just some general hints, without knowing specifics I can only suggest you backup any stuff you want to keep then factory reset everything & change ALL passwords to strong ones (no good just adding a number on the end of your old ones!), better still reflash all firmware (updates if available) to overwrite everything. This incl your internet access points eg router, and only reconnect to the net/networks after you have done them all (one at a time preferably then you may be able to identify source of problems)
That turned out a lot longer than I intended!
Click to expand...
Click to collapse
Thank-you. Now for a better visual. There's to many apps.
And if u can give me links to apps that will help.
And on my oneplus one the Bluetooth thing says :1002 sharing or midi or something.
BLEEDCOLORYOU said:
Thank-you. Now for a better visual. There's to many apps.
And if u can give me links to apps that will help.
And on my oneplus one the Bluetooth thing says :1002 sharing or midi or something.
Click to expand...
Click to collapse
And code.auroa? What is this
BLEEDCOLORYOU said:
Thank-you. Now for a better visual. There's to many apps.
And if u can give me links to apps that will help.
And on my oneplus one the Bluetooth thing says :1002 sharing or midi or something.
Click to expand...
Click to collapse
I don't have that phone so can't really tell what is a suspect app or not, especially just from screen shots.
Here use this app to run on demand scans against the virustotal database (this is not an "antivirus app" like Avast so offers no protection, it only scans apps on demand, so you should run a good antivirus also)
https://play.google.com/store/apps/details?id=com.funnycat.virustotal
it should flag any suspect apps and you can submit any unknown ones you are worried about.
---------- Post added at 05:12 AM ---------- Previous post was at 05:02 AM ----------
BLEEDCOLORYOU said:
And code.auroa? What is this
Click to expand...
Click to collapse
edit: not Firefox then.
org.codeaurora.bluetooth is a legit part of Bluetooth .... Well unless it's flagged by virustotal then it probably is a malicious app just given a common name to try and hide
IronRoo said:
I don't have that phone so can't really tell what is a suspect app or not, especially just from screen shots.
Here use this app to run on demand scans against the virustotal database (this is not an "antivirus app" like Avast so offers no protection)
https://play.google.com/store/apps/details?id=com.funnycat.virustotal
it should flag any suspect apps and you can submit any unknown ones you are worried about.
Click to expand...
Click to collapse
Okay but what is provisioning? Code auroa smartcard services googleplay for instance apps and
And IV never encrypted this phone.
BLEEDCOLORYOU said:
Okay but what is provisioning? Code auroa smartcard services googleplay for instance apps and
And IV never encrypted this phone.
Click to expand...
Click to collapse
And alot of the overlay apps n simtoolkit are all questionmarked
BLEEDCOLORYOU said:
And alot of the overlay apps n simtoolkit are all questionmarked
Click to expand...
Click to collapse
ser my edit above re aurora
sometimes virustotal will have 2 or 3 antiivirus companies flag a file, these are probably false positives so probably nothing to worry about (though could just be a new submission, other companies should soon update if real malicious code, check back in a day or two). If lots of companies flag an apk then you haven a problem.
It looks like you have a problem whit overlays (unless it's an app your phone company installs for that function, not sure what you mean). You should install a proper antivirus app like Avast, malwarebytes etc as a first step, hopefully it can remove malicious apk
---------- Post added at 05:51 AM ---------- Previous post was at 05:37 AM ----------
BLEEDCOLORYOU said:
And IV never encrypted this phone.
Click to expand...
Click to collapse
Doesn't matter, encrypting phone only protects unauthorised access to your data. Once it is unlocked anyone can view your stuff. And once a malicious app is on your system it can shall read all your data even if you had encrypted it as it's unencrypted when you use it
IronRoo said:
ser my edit above re aurora
sometimes virustotal will have 2 or 3 antiivirus companies flag a file, these are probably false positives so probably nothing to worry about (though could just be a new submission, other companies should soon update if real malicious code, check back in a day or two). If lots of companies flag an apk then you haven a problem.
It looks like you have a problem whit overlays (unless it's an app your phone company installs for that function). You should install a proper antivirus app like Avast, malwarebytes etc as a first step, hopefully it can remove malicious apk
---------- Post added at 05:51 AM ---------- Previous post was at 05:37 AM ----------
Doesn't matter, encrypting phone only protects unauthorised access to your data. Once it is unlocked anyone can view your stuff. And once a malicious app is on your system it can shall read all your data even if you had encrypted it as it's unencrypted when you use it
Click to expand...
Click to collapse
Okay so now I'm trying to post screenshots of when I'm connected to wifi and it's not letting me
Pairwise cyphers and
Group cyphers
Sim_num
?
BLEEDCOLORYOU said:
And alot of the overlay apps n simtoolkit are all questionmarked
Click to expand...
Click to collapse
Tap those with question marks to submit to virustotal for analysis
IronRoo said:
Tap those with question marks to submit to virustotal for analysis
Click to expand...
Click to collapse
/sys/fs/selinux/class/appletalk_socket/perms
Not suspious?
BLEEDCOLORYOU said:
/sys/fs/selinux/class/appletalk_socket/perms
Not suspious?
Click to expand...
Click to collapse
Now I'm not stupid, this is facts. I just need defined and solution!!!
No these are normal library files. Stagefright "the malicious exploits" were called this as it was the stagefright framework it exploited. Everyone has these files, here are mine below.
You need to use tools like antivirus to identify bad files but even that is no guarantee as there is the possibility the original malicious file could have self deleted and, for example, just left open ports which would not be found as a "virus" but still allow remote access to your device.
If you cannot identify the actual exploit on your phone then the best solution is probably to just reflash the stock rom as this will wipe & overwrite everything. But if a malicious file is left on your SD card or another networked device you could soon be infected/compromised again. That is why I said before if you can't identify the source of your infection you really need to factory reset or reinstall all OS on all devices affected including your home router etc (or maybe it's your work or public network) and change all passwords.
IronRoo said:
No these are normal library files. Stagefright "the malicious exploits" were called this as it was the stagefright framework it exploited. Everyone has these files, here are mine below.
You need to use tools like antivirus to identify bad files but even that is no guarantee as there is the possibility the original malicious file could have self deleted and, for example, just left open ports which would not be found as a "virus" but still allow remote access to your device.
If you cannot identify the actual exploit on your phone then the best solution is probably to just reflash the stock rom as this will wipe & overwrite everything. But if a malicious file is left on your SD card or another networked device you could soon be infected/compromised again. That is why I said before if you can't identify the source of your infection you really need to factory reset or reinstall all OS on all devices affected including your home router etc (or maybe it's your work or public network) and change all passwords.
Click to expand...
Click to collapse
I'm on a video bridge network I got the direct TV setup with 2 wireless setups. Both secure from what I know.
BLEEDCOLORYOU said:
Pairwise cyphers and
Group cyphers
Sim_num
?
Click to expand...
Click to collapse
These are for encryption of your connection, not your phone
BLEEDCOLORYOU said:
I'm on a video bridge network I got the direct TV setup with 2 wireless setups. Both secure from what I know.
Click to expand...
Click to collapse
I'm no coding/security guru, but I have worked on telecoms, military electronics, etc but my coding & network security knowledge is limited.
I would run this app Fing to check your local network, are there any unknown devices connected?
https://play.google.com/store/apps/details?id=com.overlook.android.fing
note: this only finds currently connected devices, so you'd want to do this several times & especially when you see suspect behavior.
Also check for open ports, easiest way is probably this site, it will scan the first 1000 ports or so (select all)
https://www.grc.com/
go to shields up
but you really need to scan ALL possible ports with a tool like Zenmap (for PC) if you think you are compromised
https://nmap.org/zenmap/
However it's not clear to me if you ever installed a proper antivirus and whether it found and deleted anything? Virustotal seemed to find some suspect apks, I had a quick look at Trendmicro database but it didn't list details of the one it found in your screenshot, but the fact some of those antivirus companies called the suspect apk names with "joke" in it may suggest it's just a joke app your mate has installed, though probably not a joke app if your other devices are really also compromised, from memory there is also real malware with that name which may be able to infect other devices. Running a proper antivirus should easily find and clean any "joke" app on your phone & hopefully any real malware. If you've done this and still seeing indications you are compromised then do what I suggested above. (Also repeat malware checks on other devices and removable storage media)
You should also log into your router as admin and check settings, are you using a secure router password? Is firmware up to date. Is firewall set up correctly? Also close any open ports that you don't use. Turn off remote admin, if router has it. Etc etc what do your router logs show (turn on more detailed logging if necessary) Factory reset or reinstall firmware if you think changes have been made to your router by someone else.
Hi I am having same issues. Exact same behaviors regardless of new phones new carrier and all accounts being unconnected in name. Google etc. This is extreme. Its via bluetooth I agree something with esims or virtual sims for use of wifi access and or signal piracy for media. The DOD files are also something I am familier with seeing. Code Aurora was also a govt project way back. Its Interesting thst I have Verizon files loading on at & t phones and sprint loading on Verizon. Whatever this is has managed to infiltrate my computers as well. Its relentless. Its impressive and sophisticated. Please please help.
Spidder77 said:
Hi I am having same issues. Exact same behaviors regardless of new phones new carrier and all accounts being unconnected in name. Google etc. This is extreme. Its via bluetooth I agree something with esims or virtual sims for use of wifi access and or signal piracy for media. The DOD files are also something I am familier with seeing. Code Aurora was also a govt project way back. Its Interesting thst I have Verizon files loading on at & t phones and sprint loading on Verizon. Whatever this is has managed to infiltrate my computers as well. Its relentless. Its impressive and sophisticated. Please please help.
Click to expand...
Click to collapse
I'm having the same issmy ues. Did anyone ever resolve or figure out what is happening? I think I'm under investigation by the DOD and they own my devices. My uploads/downloads are blocked, internet searches filtered, pics/screenshots of evidence deleted off my phone, etc.
Hello guys, as you probably see I'm new at this forums, there's only one reason I joined and is because I own the BLU STUDIO X5 (S390U) since while ago.
I noticed that this phone has built-in somewhat thing of malware on the system APKs of it. What do I mean? Don't matter how many times you do a clean, use anti-malware apps, hard-reset, even flashing to a new stock ROM or a CROM made from the original one: The problem is going to persist.
So... Tell us, which would be the solution? Well I was analysing all the possibilities, even evolving a CROM of it, however this infection it seems to be part of other APKs components, as it is visible through Anti-MalwareBytes, that Settings.APK is corrupted with it.
The solution it seems to be easy but it could be complex, even knowing that other APKs could be infected but are not listed on the scanns: Erasing Settings.APK and try to replace it with a non-infected one, but this is complex as I said.
Before I continue I need to explain what this infection does: After you use the smartphone for first time (counting resets, flashes, etc.) the smartphone is just good, even if your not using internet.
After sometime you will notice some new apps installed on your smartphone, what this infection does is to install them under what it could be called a "Silence mode", PlayStore is not needed to download such apps, either a Web Browser.
But, hey, this doesn't sound bad as it just sounds annoying lad... Aye, this sounds as if the problem is only something redundantly annoying, but not is only that, this malware is found as a Hijack and doesn't sound bad too, however, if someone with enough knowledge knows how to manage a Hijack it can even steal info from your smartphone.
But probably you're thinking, well you can fix it not allowing Unknown Sources APKs to install on it, well...
This is what it takes me to the second point of it: This malware changes the settings of your smartphone whatever the times it wants by itself, don't matter which app you use to not allow this change by itself, it is going to do it anyway.
But why? It seems that the infection has Root Access, what this mean is that it has a higher level access (is running under an Administrator mode).
And we're back again to the solution, you'll think: Maybe if I root it and replace the Settings.APK is going to be fixed, well is not that easy, apart of wasting your time, the smartphone can be even more vulnerable and unstable.
The best solution that is going to work and that's why I posted this here:
To fix this the Stock ROM must be re-built from zero. I'd do this on my own, the problem is that I'm not an advanced user, and I still learning programming and coding at my degree, every help with this would be flawlessly.
Hi,
I'm new to XDA. I think I'm in the right forum for my issue. My phone was infected with what I think is a type of auto rooting trojan. I was looking for info on an app I'm using called Duraspeed. I came across this website that started throwing popups at me saying my phone had tons of viruses, which was a lie. By the time I could break free from the drive by attacks, it was too late. I started getting sluggish performance on my phone and popup ads randomly. Even though it somehow gained root access, my phone is not rooted. Never was. Its still not! Because I checked with several apps off the playstore to confirm this. Long story short:
It put a file called "ads_popup-release.apk"
in my root folder /system/priv-app/
And modified a file called "8e710bb7.0"
in root folder /system/etc/security/cacerts/
or put (installed) the file there I'm not sure.
The file running on the phone as a system app is called "ad_surface"
I can only force stop and disable ad_surface without the ability to uninstall. I have to repeat this process every time I reboot. This stops the ads from popping up. Funny thing is, even though the force stop button in app settings is greyed meaning it was stopped and disabled, my OS Monitor app that shows running processes shows ad_surface is still running. Yet, it does stop the random popup ads by doing it this way. I've tried 360 AV, Avast, AVG, Malwarebytea, Kaspers, stubborn rootkit remover, a lot of antivirus programs but nothing detects it. I'm using Total Commander File Manager to view the device system partitions. I even copied the two trojan files to a folder on the user partition to see if any of the antivirus programs could check them there away from the root areas. But nothing. My guess is that I need to root my phone so I can gain access to the apk file and delete it. I haven't done a factory reset because I realize that apk file is in the recovery partition in order to reinstall itself. I've never rooted a phone before, but I have Kingroot installed. I downloaded it from XDA. I just don't have the guts to use it in fear of bricking. Do you think it would work with my phone? Does it abort the root procedure if it can't do it? Here are my phone specs:
Vortex Beat 8
Software build: 8_V1.5_20171011
Chipset: MT6580M Cortex-A7
CPU Architecture: ARMv7 Processor Rev 3(V71)
Cores: 4 1300MHz
Kernal Version: 3.18.19
Total Ram: 459MB
Internal ROM: 8GB (4GB for user)
That's about it. If there's anything anybody who could recommend how to go about this I would greatly appreciate the help. Thank you...
Go try factory resetting it, doesn't hurt to try.
If the "virus" is still there you can always re-flash the phones os. Here is the link to the stock ROM ---> http://www.needrom.com/wp-content/uploads/2017/04/BEAT-8_V1.06_20170413.rar
The below link is a tutorial on how to flash the phones ROM.
https://www.getdroidtips.com/stock-rom-vortex-beat-8/#How_to_Download_Stock_ROM_on_VORTEX_Beat_8
In mtkdroid tools, Have all the boxes unchecked, and make sure you only have "ANDRIOD" and "RECOVERY" checked marked. The other boxes are just about the phones information and properties. Theses shouldn't be checked because it might erase your imei/drivers or other stuff. After flashing the rom make sure you do a complete factory rest + cache. Erase whatever you have on ur sd cards or micro sd cards.
Just do this and call it a day
Good luck
Cool
Hi, thank you! I will try this. I will have to borrow someone's computer like my nephews. I did try Kingroot and OneClickRoot but they both failed. Perhaps due to a locked bootloader. Or the evil trojan that made itself super user blocking them. I did do a factory reset, but the trojan persist. My mistake was forgetting to turn off unknown sources in security settings. I think that's how it got in... I'll keep checking back on this thread in the meantime to see if someone knows a tool that can kill the trojan, but I doubt it. Cheers!
SecretSociety68 said:
Hi, thank you! I will try this. I will have to borrow someone's computer like my nephews. I did try Kingroot and OneClickRoot but they both failed. Perhaps due to a locked bootloader. Or the evil trojan that made itself super user blocking them. I did do a factory reset, but the trojan persist. My mistake was forgetting to turn off unknown sources in security settings. I think that's how it got in... I'll keep checking back on this thread in the meantime to see if someone knows a tool that can kill the trojan, but I doubt it. Cheers!
Click to expand...
Click to collapse
I'm having similar troubles I somehow believe I have an entire infected Network from Windows 10 to iOS and all the cell phones even two 3-g flip even the Smart car has been recognized I communicated with the virus / hacker Network I have no idea how to get rid of it I give his self super user privileges without quite rooting the phone and hides itself in system apps so it's virtually impossible to get rid of at least for me it is I have post here called wading deep Waters please do check it out
sassyfrassy said:
I'm having similar troubles I somehow believe I have an entire infected Network from Windows 10 to iOS and all the cell phones even two 3-g flip even the Smart car has been recognized I communicated with the virus / hacker Network I have no idea how to get rid of it I give his self super user privileges without quite rooting the phone and hides itself in system apps so it's virtually impossible to get rid of at least for me it is I have post here called wading deep Waters please do check it out
Click to expand...
Click to collapse
It isn't unheard of for a router to get infected with a virus/malware, rare, but not exactly impossible. I've run across others here over the years that have discussed this issue. I don't remember any specifics, tools or methods to fix the issue though, but you can probably find info on removing malware from a router.
Sent from my LGL84VL using Tapatalk
Droidriven said:
It isn't unheard of for a router to get infected with a virus/malware, rare, but not exactly impossible. I've run across others here over the years that have discussed this issue. I don't remember any specifics, tools or methods to fix the issue though, but you can probably find info on removing malware from a router.
Click to expand...
Click to collapse
Thank you for your prompt response I'm not positive that the router and modem are infected more or less they are overloaded from the amount of leeches in hitchhiker's I have from this awful network of hackers and code running through my TV's my cars for god sakes I read one of their lauder's I got in somehow and I could see that they were logging how many seconds it took me from getting out of the car to getting in my home that was just one scary example they could tell when my phone was in my pocket and if I was walking and how many people were with me this is just my cell phone not to mention my TV's the laptops I have no idea what to do
sassyfrassy said:
Thank you for your prompt response I'm not positive that the router and modem are infected more or less they are overloaded from the amount of leeches in hitchhiker's I have from this awful network of hackers and code running through my TV's my cars for god sakes I read one of their lauder's I got in somehow and I could see that they were logging how many seconds it took me from getting out of the car to getting in my home that was just one scary example they could tell when my phone was in my pocket and if I was walking and how many people were with me this is just my cell phone not to mention my TV's the laptops I have no idea what to do
Click to expand...
Click to collapse
It sounds to me like their hold over you has more to do with your personal information than with your devices. With certain pieces of your info, they can gain access to any device that you sign into, login to or even just enter information in while using, even if it isn't yours.
If your network provider randomly cycles IP addresses among its users, it could be that the hacker has previously hijacked that IP address while another user was using it and his access carried over to you when the IP was assigned to you. If this is so, a new IP and changing all of your account info among all of the various accounts you have would cut him off, maybe?
I'm not the best at network security issues that go that deep. My network management/LAN Admin days were a very long time ago, too many things have changed.
Sent from my LGL84VL using Tapatalk
Droidriven said:
It sounds to me like their hold over you has more to do with your personal information than with your devices. With certain pieces of your info, they can gain access to any device that you sign into, login to or even just enter information in while using, even if it isn't yours.
If your network provider randomly cycles IP addresses among its users, it could be that the hacker has previously hijacked that IP address while another user was using it and his access carried over to you when the IP was assigned to you. If this is so, a new IP and changing all of your account info among all of the various accounts you have would cut him off, maybe?
I'm not the best at network security issues that go that deep. My network management/LAN Admin days were a very long time ago, too many things have changed.
Click to expand...
Click to collapse
Thank you I really appreciate you taking the time to think about my situation I have had no one to talk to about this for 2 months
sassyfrassy said:
Thank you I really appreciate you taking the time to think about my situation I have had no one to talk to about this for 2 months
Click to expand...
Click to collapse
Not sure how much help I'll be to you. I'm no expert in what you're dealing with. I'm just telling you some possibilities that I've seen others dealing with over the years.
Sent from my LGL84VL using Tapatalk
Droidriven said:
It sounds to me like their hold over you has more to do with your personal information than with your devices. With certain pieces of your info, they can gain access to any device that you sign into, login to or even just enter information in while using, even if it isn't yours.
If your network provider randomly cycles IP addresses among its users, it could be that the hacker has previously hijacked that IP address while another user was using it and his access carried over to you when the IP was assigned to you. If this is so, a new IP and changing all of your account info among all of the various accounts you have would cut him off, maybe?
I'm not the best at network security issues that go that deep. My network management/LAN Admin days were a very long time ago, too many things have changed.
Click to expand...
Click to collapse
You hit the nail on the head! Told me "unfortunately we have met"
Sent from my LGE LGL158VL using XDA Labs
SecretSociety68 said:
It put a file called "ads_popup-release.apk"
in my root folder /system/priv-app/
Click to expand...
Click to collapse
translation it installed itself to the privilege app section on your phone which does not delete with a reset (new rom does) this also gives the app more power
it can only be done with root so the app rooted your phone (at least temp) here is a app that removes it but it needs root
https://f-droid.org/en/packages/de.j4velin.systemappmover/
And a system priv app has AFAIK full power however as of Oreo thier is another file to give it permisions so says google https://source.android.com/devices/tech/config/perms-whitelist namely
/etc/permissions/privapp-permissions-OEM_NAME.xml
/etc/permissions/privapp-permissions-DEVICE_NAME.xml
check these files and see what you find
SecretSociety68 said:
And modified a file called "8e710bb7.0"
in root folder /system/etc/security/cacerts/
or put (installed) the file there I'm not sure.
Click to expand...
Click to collapse
translation installed a CA certificate that enables them to have a SSL connection or with this certificate can spoof websites
of course this should be deleted but again you will need root (or new Rom)
SecretSociety68 said:
The file running on the phone as a system app is called "ad_surface"
Click to expand...
Click to collapse
The app has to be running with a linux GUID so you can check with that
the apps can not find root this can be because the program used root once to get a elevated status (temporary root) and then does not need it anymore
so you cannot find it. The question still remains how they did that but right now you need to get out.
Waiting for other response. Hehe.
I had this take control of multiple devices and 2 computers. 3 android phones and an apple iphone and 2 windows computers. I countless hours going through logs and data. On my android devices it even made a cloned version of TWRP so it would reinstall itself through recovery. I spent hours on the phone with samsung and apple senior advisors. I viewed the analytic data on the apple device over and over. Extremely werid things were running. Constantly writting system wwrites on a stock apple phone. It was able to transfer from device to device over wifi hotspot. It went on for over two months. I had a roku tv also become monitored. It was the craziest **** ive ever had happen to me. It litterally almost drove me insane and I thought I was going crazy. Ive never seen anything like it. Even google reaults were completely false and fake sites. I disnt know this happened to anyone else. Ive got countless logs and screenshots saved in case I ever needed to share the info. It even remotely sipped my desktop hard drives and had me connecring to a remote server on boot.
---------- Post added at 07:48 PM ---------- Previous post was at 07:37 PM ----------
I could make a phone call and hear breathing in the background. Id make a call and touch tone sounds would go off after the first ring. I was getting constant interference through my phone. It connected all my devices to a home group I never created. I literally had to destroy the devices
---------- Post added at 08:15 PM ---------- Previous post was at 07:48 PM ----------
Applied protocal - makes sense man, in juat glad I got it off my back. On the iphone, when yyou would install a new app from the "app store" it would run a wake up over 4000 times a second to wake up an unknown app in system files . im assuming this was to clone the app or change some code in it when it was installed. The app name was ??? In the analytic logs and it was an "event write system". This was some dirty stuff man. Is this something that is common right now? This exploit across so many devices? Id love to share some of these logs and screenshots if anyone is interested.
SecretSociety68 said:
Hi,
I'm new to XDA. I think I'm in the right forum for my issue. My phone was infected with what I think is a type of auto rooting trojan. I was looking for info on an app I'm using called Duraspeed. I came across this website that started throwing popups at me saying my phone had tons of viruses, which was a lie. By the time I could break free from the drive by attacks, it was too late. I started getting sluggish performance on my phone and popup ads randomly. Even though it somehow gained root access, my phone is not rooted. Never was. Its still not! Because I checked with several apps off the playstore to confirm this. Long story short:
It put a file called "ads_popup-release.apk"
in my root folder /system/priv-app/
And modified a file called "8e710bb7.0"
in root folder /system/etc/security/cacerts/
or put (installed) the file there I'm not sure.
The file running on the phone as a system app is called "ad_surface"
I can only force stop and disable ad_surface without the ability to uninstall. I have to repeat this process every time I reboot. This stops the ads from popping up. Funny thing is, even though the force stop button in app settings is greyed meaning it was stopped and disabled, my OS Monitor app that shows running processes shows ad_surface is still running. Yet, it does stop the random popup ads by doing it this way. I've tried 360 AV, Avast, AVG, Malwarebytea, Kaspers, stubborn rootkit remover, a lot of antivirus programs but nothing detects it. I'm using Total Commander File Manager to view the device system partitions. I even copied the two trojan files to a folder on the user partition to see if any of the antivirus programs could check them there away from the root areas. But nothing. My guess is that I need to root my phone so I can gain access to the apk file and delete it. I haven't done a factory reset because I realize that apk file is in the recovery partition in order to reinstall itself. I've never rooted a phone before, but I have Kingroot installed. I downloaded it from XDA. I just don't have the guts to use it in fear of bricking. Do you think it would work with my phone? Does it abort the root procedure if it can't do it? Here are my phone specs:
Vortex Beat 8
Software build: 8_V1.5_20171011
Chipset: MT6580M Cortex-A7
CPU Architecture: ARMv7 Processor Rev 3(V71)
Cores: 4 1300MHz
Kernal Version: 3.18.19
Total Ram: 459MB
Internal ROM: 8GB (4GB for user)
That's about it. If there's anything anybody who could recommend how to go about this I would greatly appreciate the help. Thank you...
Click to expand...
Click to collapse
Definitely malmare! Mine was called "Ad-Time", like a kid's show or something, but either way, very persistent and pervasive! I have 2 roms, (v 1.5 & 1.6), in img format, easy fastboot flash. Look at this phone wrong and it's rooted. Anybody interested, hit me up, I even got the couple-line script to install SuperSU /system (beat 8 doesn't like Magisk). A simple su.d script to enable permissive selinux, build.prop changes, and you have a $30 Nexus via MTK. I also ported TWRP 3.2.1(no bugs) & Philz, but TWRP is my comfort-zone.
Sent from my ZTE Sapphire 3G using XDA Labs
---------- Post added at 02:03 AM ---------- Previous post was at 01:48 AM ----------
sameboat said:
I had this take control of multiple devices and 2 computers. 3 android phones and an apple iphone and 2 windows computers. I countless hours going through logs and data. On my android devices it even made a cloned version of TWRP so it would reinstall itself through recovery. I spent hours on the phone with samsung and apple senior advisors. I viewed the analytic data on the apple device over and over. Extremely werid things were running. Constantly writting system wwrites on a stock apple phone. It was able to transfer from device to device over wifi hotspot. It went on for over two months. I had a roku tv also become monitored. It was the craziest **** ive ever had happen to me. It litterally almost drove me insane and I thought I was going crazy. Ive never seen anything like it. Even google reaults were completely false and fake sites. I disnt know this happened to anyone else. Ive got countless logs and screenshots saved in case I ever needed to share the info. It even remotely sipped my desktop hard drives and had me connecring to a remote server on boot.
---------- Post added at 07:48 PM ---------- Previous post was at 07:37 PM ----------
I could make a phone call and hear breathing in the background. Id make a call and touch tone sounds would go off after the first ring. I was getting constant interference through my phone. It connected all my devices to a home group I never created. I literally had to destroy the devices
---------- Post added at 08:15 PM ---------- Previous post was at 07:48 PM ----------
Applied protocal - makes sense man, in juat glad I got it off my back. On the iphone, when yyou would install a new app from the "app store" it would run a wake up over 4000 times a second to wake up an unknown app in system files . im assuming this was to clone the app or change some code in it when it was installed. The app name was ??? In the analytic logs and it was an "event write system". This was some dirty stuff man. Is this something that is common right now? This exploit across so many devices? Id love to share some of these logs and screenshots if anyone is interested.
Click to expand...
Click to collapse
Typical Chinese ad/malware/surveillance. If you visit china, you turn over your devices for "inspection", so they can sideload some state-sponsored goodies. A lot of these Chinese roms have the ads baked-in, like mine. Whoever's listening and seeing my pics is gonna need therapy, because I filled the phone up with some STRANGE s*** Remove the apk, but there's several .xml's and .jar's that gotta go, too.
Sent from my ZTE Sapphire 3G using XDA Labs
What is the best way to counter this problem?
Dassote said:
What is the best way to counter this problem?
Click to expand...
Click to collapse
Root, and remove all traces of the " ad_* " app and even the duraspeed app if you want, but I didn't see anything untrustworthy about that. Duraspeed is in the default.prop (running booster), so it's in the kernel. Root uninstall just leaves you no way to control, kuz the PROCESS will go and go, unless you're willing to play with the kernel. Not for amateurs like myself My Beat 8 has been flashed or fastboot-booted more times than I can count. Good times.
Once your Chinese spyware is uninstalled, delete build.prop lines with "running booster", /system/lib's with it, and I think it was in the /system/bin, and /vendor/app had one. Clear them all, and you'll need to tweak the build.prop some more. debug.qemu.kernel=1, ro.secure_storage.support=0, ro.debuggable=1, then reboot AFTER you chmod 644 the build.prop! The "debug.qemu.kernel=1" was what made the rest stick. ADD those props, but don't change the existing ones (kernel). I just deleted the default values, replaced with "" . Fits the whole debug vibe. I should upload a copy of my final build.prop, cheap-a** phone runs like a champ.
Sent from my LG G Stylo using XDA Labs
Hi, I am not new to computers phones and development but it's been years and a lot has changed. I went to school for software design and I learned on Visual Studio 6.0. So for anyone in there 30's and older you all remember how 6.0 was. Well alot has changed since 6.0 but regardless I know when someone has been messing with my phone a s or computer. I am going to try and post all of my syslog that I have saved and any new that I see. Also ibam going to try and post what open source software that I notice my phone now has licenses for. I am on a Samsung Note 10 plus 5G. And I am almost positive that my girl is responsible for the modifications done to my phone but she screams that she only knows how to play games call and text. I need someone to review my information and any information that anyone needs and tell me if my phone has been modified and if everything could have been done remotely. My ultimate question is could this all have been done remotely or would any of it and I mean even the smallest thing have to be done locally on the phone. If every single modification could all have been done remotely then maybe she's telling the truth but if just one thing had to of been done locally then she's responsible somehow. And then I need to know how to fix all of this and set up secure to prevent it from happening again.
you claim you're developer but provide logs as screenshots... seriously, if you can't trust your girlfriend what you need help is a couble care course or psychotherapist.
I doubt your Samsung Galaxy Note10+ bootloader locked device secured by Knox is tampered in any kind at all
What i'm seeing here is you using your phone with samsung packages working. It's mostly sounds running, you unlocking the device, setting an alarm ect.
Bare in mind google and apps use location alot so the location is i would say the norm. The more apps the more times location is called.
if you are concerned get dmr checker and check security levels, has the device been rooted and displays the true code? Really worried check all your apps then disable location or use odin to fully wipe the device but from what i can tell this is possibly paranoia
Whether your girlfriend can be trusted or not is not the problem. Maybe she is really hacking your phone or maybe you are just paranoid, I can't tell. Either way you two should break up before you break each other.
.. or just a week digital detox