HELP ME!! I've been infected with a serious RAT/virus - Security Discussion

My phone is infected with a virus that has embedded itself in my system settings; any anti-malware apps used do not detect it. When plugging my phone into my computer (for developer access) it began to install the device driver. Once the "device driver" installed, it took all administrative use away from me and locked all drives. I do not have ADB access or any computer access at this point. This phone has killed 3 laptops and a desktop. The only way I've been able to partially stop the virus is using a firewall to block it. Since my phone is NOT rooted I cannot delete system files containing the virus. I noticed the virus will edit apps and system functions to try and hide itself (Google Play Services, for example). Someone is using a form of remote access to control things and change settings. It is possible that someone (close family or friend) may have gotten their hands on it to install the virus. Factory reset does nothing as the virus is stored in system settings. The phone cannot be hooked to a PC without severe repercussions. I cannot gain root access through any rooting apps for some reason; I only tried to access system settings. I believe the virus may be using KNOX for execution but that is just a theory. Samsung Galaxy S6. I HAVE TRIED EVERYTHING. Please please help me. -jesse

Pretty hard for an Android to get infected by any kind of virus, especially if not rooted.
Maybe it's made specifically to deal with and block access from Windows, so maybe try Linux to deal with it?

Sounds like a nasty one! Yes, "friends" & family could have installed it (physical access makes it easier), but maybe more likely you downloaded a dodgy app (some have been known to wait weeks before acting), or a website tricked you with an overlay to install a malicious file, or a benign app may have downloaded something worse.
Did all your computers get compromised over your network or did you plug the phone in individually to each? Isolate each from the others and try to recover individually, but first check your router & reflash that with a new password if required, as it's a possible route for reinfection, as is USB etc.
You may have to reflash the stock Samsung ROM (you will lose all photos etc.) as a CLEAN install. But before that look at Settings > Apps > burger menu > Special access and disable any apps that have given themselves special rights, e.g. in "Device admin apps". Also look at the other special settings and disable any suspicious apps (or most of them, even, e.g. in "Apps that can appear on top" if you are still getting issues); repeat for the other sections in Special access, e.g. "Install unknown apps", data access etc. (I don't have an S6 but it should be similar to the above on the S6 depending on software version.)
Also try booting the phone into "safe mode"; hopefully that will stop the malicious app running.
Submit any suspect files to VirusTotal and/or any antivirus company for analysis if not identified yet. (Logs might give you some clues as to the source, depending on cache.)
Then you should be able to root to fix it or just flash the latest stock (maybe install LineageOS if the S6 is not getting regular security updates anymore).
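One way to turn the "special access" checklist above into a repeatable triage, as an added example that is not from this thread: a Python script that parses the output of `adb shell pm list packages -3 -i` (third-party packages with their installer) and `adb shell dumpsys device_policy` (active device admins) and flags packages that were sideloaded or hold device admin. The two inputs embedded here are constructed samples in the shape those commands print; on a real device you would capture them over adb and feed them in.

```python
import re

# Constructed sample in the format of `adb shell pm list packages -3 -i`
# (third-party packages and the package that installed each; "null" = sideloaded).
SAMPLE_PM_LIST = """\
package:com.zegoggles.smssync  installer=com.android.vending
package:com.example.keyfob.tracker  installer=null
package:com.example.cleaner  installer=com.android.packageinstaller
"""

# Constructed sample in the shape of `adb shell dumpsys device_policy`: active
# admins appear as "<package>/<receiver>:" under "Enabled Device Admins".
SAMPLE_DEVICE_POLICY = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.example.cleaner/.AdminReceiver:
      uid=10152
      policies:
        force-lock
        wipe-data
    com.google.android.gms/.auth.managed.admin.DeviceAdminReceiver:
"""

# Only Play Store installs count as trusted; anything else was sideloaded by the
# user, by an overlay trick, or by another app.
TRUSTED_INSTALLERS = {"com.android.vending"}

_PM_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")
_ADMIN_LINE = re.compile(r"^\s+([\w.]+/[\w.$]+):\s*$")


def parse_pm_list(text: str) -> dict:
    """Map package name -> installer package (None when sideloaded)."""
    result = {}
    for line in text.splitlines():
        m = _PM_LINE.match(line.strip())
        if m:
            pkg, installer = m.groups()
            result[pkg] = None if installer == "null" else installer
    return result


def parse_device_admins(text: str) -> dict:
    """Map package name -> its active DeviceAdminReceiver component."""
    admins = {}
    for line in text.splitlines():
        m = _ADMIN_LINE.match(line)
        if m:
            admins[m.group(1).split("/")[0]] = m.group(1)
    return admins


def triage(pm_text: str, dpm_text: str) -> list:
    """Flag sideloaded and/or device-admin third-party packages, with removal
    steps in order (admin first: `pm uninstall` is refused for an active admin)."""
    installers = parse_pm_list(pm_text)
    admins = parse_device_admins(dpm_text)
    findings = []
    for pkg, installer in installers.items():
        reasons, steps = [], []
        if pkg in admins:
            reasons.append("active device admin (can force-lock or wipe the device)")
            # `dpm remove-active-admin` is refused for non-test admins on recent
            # Android, so the Settings path from the thread is the reliable route.
            steps.append(f"deactivate {admins[pkg]} in Settings > Apps > Special access > Device admin apps")
        if installer not in TRUSTED_INSTALLERS:
            reasons.append(f"sideloaded (installer={installer})")
        if reasons:
            steps.append(f"adb shell pm uninstall --user 0 {pkg}")
            findings.append({"package": pkg, "reasons": reasons, "steps": steps})
    return findings
```

Packages installed from the Play Store that are not device admins (the SMS backup app in the sample) are left alone; a Play-installed admin is still reported for review, since that is exactly what the thread suggests inspecting by hand.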

Delete RAT From Your Device Easily
The appearance of a RAT on your phone is a really bad sign, because it is not only capable of ruining your device badly but also endangers your privacy. A RAT is also capable of causing various serious damages, so you must opt for RAT removal tricks after noticing any of its symptoms on your device.

Related

[Q] Password protect the device administrators in security settings?

Phone is a Droid Incredible running the latest stable CM7 (7.0.3)
----------------------------
I recently installed Seek Droid and a few other applications meant to protect my phone in the event of a malware download or the phone being stolen. I noticed though that if someone goes in and removes these from the device administrators group, they can just be uninstalled. I realize the lock screen is there to protect the phone, but if they do get in they can very easily uninstall the programs I would be depending on to get my phone back.
Now I know someone could just wipe the device using the factory reset in ClockworkMod, but yeah ... anyway, I am looking to see if there is a way to secure the security settings or the device administrators section with a separate password of some sort. Or maybe there is a program that will do it? I tried Seal but it only seems to do app locks, and it doesn't require administrator privileges, so it can just be uninstalled anyway.
Thanks for any help. I have been looking around for a while and come up with nothing, so I am not expecting much, but figured this would be the place to ask.
There are such tracking apps that require root but will be installed into /system and thus even survive a factory reset.
I think you can install any app to /system with a bit of tinkering.
Some allow changing the icon and app name to hide their true purpose.
In the end, if the person knows what he is doing, you can't stop him.
Thanks for the advice. I realize if they know what they are doing they can get it off somehow, but it would be nice to not have an obvious app sitting in the drawer called 'Seek Droid' that can then just be easily uninstalled.
Thanks again.

[App Idea] Plan B for data recovery on broken stock phones.

I feel this idea could be useful for a lot of us, not on our phones since we are likely rooted, but on our family members' and non-tech friends' stock phones, which we usually end up fixing.
My idea, if it is possible, would be a "Plan B" type app for use after a broken screen, where a completely stock phone without ADB enabled needs data extracted.
My hope is that someone could make an app that is remotely installed from play.google.com and automatically turns on ADB debugging (if possible without root).
After that most data can be extracted with "adb backup" or adb pulls.
I can't count how many times this would have helped me in the past if it existed. Any dev up for the job? I am sure it would be appreciated by people.
Guess no one was interested in this idea.
shadowofdarkness said:
Guess no one was interested in this idea.
I think many of us are interested but no one (so far) can help.
It would be a good idea.... whoever was in need of something like that would be likely to pay for it... :laugh:
I could see this being a massive security risk. Sure the app could be handy, but it would also make stealing info from a phone very very easy.
So on that note, I don't think it will ever make it through, though I am sure there are ways.
Just install something like SMSBackup+: https://play.google.com/store/apps/details?id=com.zegoggles.smssync
Set it to automatically back up to their gmail, every so often, and then when it comes time to have to do repairs, you can get all of their calling/sms stuff back, since Google automatically deals with the contact infos.
It wouldn't be a security risk, since the only way to install it would be from play.google.com, which no one can do without your password. Also, poor planning with other software is not the point of this, since I have been asked to recover data from devices by people that I honestly had no clue owned the device before they broke it. Usually family I don't see on a normal occurrence.
I've always been taught to keep a back up of anything you consider important.
Either way...
There are ADB backup solutions out there, there are recovery apps in the Playstore that will scan for missing or deleted files.
If you have access to the Playstore you have access to all the already available recovery apps. Why the need for an app that will basically root and unlock the device from behind their 'lock screen'?
If you have no direct GUI access, you want an app that you run on your computer that forces the phone connected via USB, to unlock and let you access whatever you want before you restore the phone. This is a massive security problem, because anyone could download that app, and use it to break into phones.
Sounds like the 'prior planning' apps are the best way to go.
I think you are missing my point. I know that prior planning is best, but it is not always possible when dealing with people so tech-illiterate that even though they own the device, they barely understand it is not an iPhone, because that is what a smartphone is to them.
My intended use is for physically broken phones (mainly the screen) where I can't control any apps with the screen or turn on ADB from settings.
Your thought on the security risk is wrong, since of the ways I can think of to install it, via the Play Store on the phone would not be used, since that would mean the attacker could just go into settings and do it the normal way. Sideloading is impossible, since it would be redundant due to that already needing ADB on.
The intended way, via the web, is safe enough, since the attacker would need your email and password.
Do you hate the "Plan B" app that GPS-tracks your lost or stolen phone, which is already in the Play Store and gave me this idea? It shows in the store as having between half a million and a million installs. Do you think those people should have gone without such an app and lost their phone, since they should have just pre-planned because that is better?

I can no longer view networked PCs using ESFile Explorer???

Can someone help me out? I've been using this setup for years on several machines without a single problem. Now, all of a sudden, I try to view a networked PC to move some files over (like I've done thousands of times) and it says that the server can't be reached. It gives me some bogus ideas like the firewall is on, the IP address is out of range, SMB is off, yadda yadda yadda, but none of these are true so far as I can tell. I tried deleting the server and scanning via the 'search' again and the same PC shows up. When I click it, it gives the same error. So I attempt to manually edit the login credentials or manually create a new server, and after I enter all the credentials it just sits on 'Adding Server, Please wait a minute...' indefinitely. I tried rebooting the PC (Win7 64-bit) as well as my device (unrooted SGS4 v4.3) and I'm not able to solve this issue. The only change I can think of is the recent update to v4.3, but I also updated to v4.2.2 previously and had no issues. I've also done this for years on several devices and countless firmware versions & ROMs. I know some have been having issues with the addition of KNOX to 4.3, but I haven't even installed that, nor do I plan on doing it. I checked by opening KNOX from the app tray to verify, and it indeed still wants me to INSTALL. I am also getting weird warning pop-ups since 4.3 about something or other trying to access a part of my phone that it's not authorized to, which sounds like a KNOX/WiFi bug from what I'm hearing. This seems strange to me, that I would be getting this warning when I haven't even installed it yet. Could this networking issue also be related, and how can I correct this? This is SUPER annoying!

Think my android phone is hacked... now asking for PIN

After buying some Bluetooth tracking keyfobs, I installed the app as instructed in the manual. The app was not from the Play Store but direct from the Chinese manufacturer. After installing I was asked to grant a bunch of permissions relevant to the functions, and I granted them all. Shortly after, having paired the app with the keyfobs, the app was not performing as expected and kept going to a page asking for consent to allow unknown sources from the app. Stupidly, I granted this. Not long after, my phone locked me out, asking for a PIN. My lock screen had previously been a pattern lock, and indeed it still is; however, after entering the pattern I now get asked for a PIN, which I don't know.
So it appears I've installed malware and stupidly granted it all the permissions it needed to **** me over. Fortunately I was using a firewall and so it may not have been able to phone home (hopefully).
I have USB debugging on and can access the phone via ADB.
What can I do to get past the PIN request and remove the malware to restore my phone, ideally without losing my data etc.?
Since you can access the phone via ADB, you can always try to pull out your user data by means of ADB.
Afterwards it's recommended to re-flash the phone's stock ROM to be on the safe side.
You could try deleting the app via adb

PLEASE HELP! Unknown Trojan Destroy My Family

Hello friends and users of the XDA forum. First, I'm from Hong Kong and have been on XDA for more than 10 years; please accept my apologies for my poor English.
The story started 6 years ago; during these years I changed over 20 phones. The first time I changed my mobile phone was when image files and video files that I captured from an IP cam, some sensitive captures, disappeared. Initially, I thought it was a problem with my LG-E988. So I bought a new phone, an LG-(forgot) DS. For the first few days it looked perfectly fine, but the problems came back again. I believed that it may have been caused by a virus/malware/trojan, so I tried almost all the different virus scanners available; nothing was found. And sometimes I lost email and SMS messages, and GPS turned on by itself. I also saw the mobile screen change by itself, even taking photos and videos. I told these things to my family, but because I have Parkinson's disease, they believed I have organic psychosis and sent me to hospital. Then I was trapped in hospital for half a year because my wife lied and the doctor did not believe what actually happened.
Over these 6 years, my computers have all been affected by a similar trojan (bootkit); it is still there after a fresh install once infected. The mobile and computer can work offline; all photo and video files that are copied in or out of the computer / mobile will be damaged. This forum is for mobile, so I'll concentrate on the mobile trojan issue; if you need the solutions for how I solved the problem, please feel free to ask.
I don't have much information about the trojan, but I have some clues I can share.
(1) The trojan is not an apk nor a zip package installed by TWRP or any recovery.
(2) The trojan seems to be able to be "injected" into any Android system, any brand, any model.
(3) The mobile seems to have to be opened physically; it must be injected into different partitions.
(4) Sometimes it works to root the mobile and install any ROM, and the trojan will be gone.
(5) I recently fixed a Samsung SM-A715F and I found an encrypted partition in adb shell.
(6) Some files are set to permissions such that even root cannot copy, open, or chmod them.
(7) The trojan will not infect other mobiles on the same network or via NFC, Bluetooth, Wi-Fi.
(8) Again, the trojan can see/listen using the camera in real time, see what you are doing, see your position, listen to background noise and the words you are typing, or take full control of your phone, heat up your CPU and even turn your roaming on and transmit hundreds of gigabytes of data.
I'm a programmer; I can write a little Java program, root my mobile and install my favourite ROM, but I am not able to trace / detect / delete such a trojan or find where the data goes. Can any expert help me to do that? It destroyed my family by capturing something that my wife should not see. I still have an LG V20 and a Honor 8A (JAT-L29) that are infected. Please tell me what to do next, or what you need.
Thanks to everyone and sorry for my poor English.
It sounds to me that your computer is the main problem and I assume you connect the phone to it so the phone gets infected.
Regarding the computer and virus, the best thing to do is to format and reinstall the Operating System.
Regarding the phone, hard reset and no more problem.
mobnoob said:
It sounds to me that your computer is the main problem and I assume you connect the phone to it so the phone gets infected.
Regarding the computer and virus, the best thing to do is to format and reinstall the Operating System.
Regarding the phone, hard reset and no more problem.
Thanks for the reply. Nope, plugging into a computer won't infect the phone, but if debugging is turned on, it might be true. But I'm 100% sure a hard / factory reset and wipe cache won't clean the trojan. I did it a million times with no apps installed, but it still did not clear the trojan. It's not done by installing an apk. According to the 20+ infected phones, 80% of the phones' covers were opened. I believe they downloaded the "EEPROM" boot partition and added a small portion of code. If I root the phone, sometimes I can see an unknown encrypted partition. And the administrator can't access most of the files as root. The only solution is to root the phone and wipe everything, then put on a stock ROM from other sources and install it, but it's risky. Any other methods or suggestions to check or verify that the ROMs are original stock ROMs?
Please help me! Thanks!
The attached file is the rooted phone's /root_files, but most files can't be copied.
1. A Factory Reset, as its name implies, simply returns the device to the state in which it was shipped by the manufacturer, meaning all user data / user apps get wiped, and system apps get reset to their original state if they had been upgraded.
2. Wiping the Cache deletes only temporary system data, not temporary user-app data.
Hence it should be obvious these 2 named actions will eliminate a trojan or other malware the Android device got infected with. But with the help of an activated Google Play Store they can re-install themselves.
Trojans (hidden apps) can easily be found on an Android device.
FYI:
What all types of Trojans have in common is that they can only get onto the end device with the help of the user.
Trojans are not only found in email attachments. They can also piggyback on supposedly free programs. Therefore, it is once again important not to use dubious sources for software downloads such as codec packs or cracked programs, even if you might save a few bucks. The damage that can be caused by Trojans often exceeds the value of the software if it had been purchased regularly.
By the way, a Trojan should not be confused with a virus. Viruses reproduce independently, while a Trojan is merely a door opener, but with potentially devastating consequences.
