Related
I believe nothing is secure in my phone including passwords, security pin and even what i'm typing now. Recently, my facebook acct got hacked too.I think my phone is being keylogged. So, I did the following things:
1.First of all, I resetted mydevice
2. Then, I even changed the rom
But, still I feel insecure. I want to know is there any way that the keylogging is kernel masked? Do I need to update the kernel? I need to know about the things I should do to make sure that my phone is completely keylogger free. Please help!
dreamer04 said:
I believe nothing is secure in my phone including passwords, security pin and even what i'm typing now. Recently, my facebook acct got hacked too.I think my phone is being keylogged. So, I did the following things:
1.First of all, I resetted mydevice
2. Then, I even changed the rom
But, still I feel insecure. I want to know is there any way that the keylogging is kernel masked? Do I need to update the kernel? I need to know about the things I should do to make sure that my phone is completely keylogger free. Please help!
Click to expand...
Click to collapse
Im no expert in this subject, but what I would do is Flash a new Rom and kernel, then Monitor packets send and recieved by the phone with an app, or with a router. The rooting method also matters. So, Flash the original OEM Software first. Rooting methods that harvest IMEIs have been reported. So, dont go with the "one clickers" to root your device method, but do it the Long way.
I am curretly also using a Firewall in my phone and also my Connection goes through a router with a Firewall.
Normally, I never enter sensitive data when in a dangerous enviroment, such as an unprotected Caffe WiFi.
If you are concerned about a keylogger, then you should be more concerned on how you got your device infected.
I usually refrain from using the Google Appstore. I mostly use Open Source programs/apps that can be compiled or tested
You should look into Fdroid, which Hosts open source apps, not many, but there are some.
Tell me what to do?
My phone is over heating too. So I installed network log from play store and watched the log. I found my phone sending and receiving packets through kernel.
I have uploaded the screenshots with this. Please have a look and tell me is this normal or if it isn't, what to do?.
Also, before unlocking the lock screen shows some messages as in the screenshot. But, after unlocking there is no such messages exist.
Please help.
dreamer04 said:
My phone is over heating too. So I installed network log from play store and watched the log. I found my phone sending and receiving packets through kernel.
I have uploaded the screenshots with this. Please have a look and tell me is this normal or if it isn't, what to do?.
Also, before unlocking the lock screen shows some messages as in the screenshot. But, after unlocking there is no such messages exist.
Please help.
Click to expand...
Click to collapse
I'm not sure about the message in your lockscreen but the IP's in your kernel log seem to be corresponding with these domains:
Host 24.9.193.104.in-addr.arpa. not found: 3(NXDOMAIN)
Host 233.127.230.115.in-addr.arpa. not found: 3(NXDOMAIN)
Host 54.213.160.61.in-addr.arpa. not found: 3(NXDOMAIN)
Host 108.213.160.61.in-addr.arpa. not found: 3(NXDOMAIN)
233.24.249.123.in-addr.arpa domain name pointer error-cdnzz-com.cdnzz.net.
188.200.125.74.in-addr.arpa domain name pointer sa-in-f188.1e100.net.
As you can see, the first 4 are unresolved, hence there is no domain linked to the IP.
The last 2 do have a domain linked, but I'm have no idea if they are used for malicious stuff.
But like shadowcore said, shouldn't you be more concerned about where you got this infection from?
After resetting and reinstalling a new rom, there are little places left for a logger/malicous-app to have been hiding.
What you could do is install OSMonitor. This is yet another logging app, but it provides you with a list of all the current running processes and connections, with the option to watch it, or kill it. Maybe you can use this to filter out any loggers still on running your device. You can find it on the Play Store.
You can also restrict networktraffic with AFWall+, which is a firewall app. It takes some time to configure, but it does wonders.
Also: Unclefab has written a really good tutorial about securing your phone, in a multitude of ways.
It's here: http://forum.xda-developers.com/general/security/tuto-how-to-secure-phone-t2960077
Traffic through the kernel is normal see:
Code:
https://github.com/ukanth/afwall/wiki/FAQ#34-why-the-kernel-need-an-internet-connection-all-the-time-afwall-shows-appid--11-blocked
You should probably install afwall+ to restrict internet access to some apps.
I have just gotten my hands on a Xoom MZ602 running 4.1.2, and am having one hell of a time getting anywhere in rooting it. I keep finding useful articles, but due to the fact people don't seem to update links, I can not download any of the main tools to root it! I would like a link to the one click root, or something equally easy, but would settle for anything that's not loaded with viruses or adware, or not hosted on a shady filesharing service.
Is this basically stuck as it is, or are any of these files still out there? My Google Nexus 7 is just as old, but there are still an abundance of tools for rooting it, so there is no reason I shouldn't be able to find the files for this, other than people not updating links.
I'm really looking for the best and most reliable way to root this, and if it can be done with no PC, or on a Linux PC, that's a plus, but I do have access to winblows PC's too, if needed.
Kingo root does
You can change kingroot by supersu after.
This change require a little skills, but not much.
Thank you in advance. First of all I am still a beginner in knowledge here. My Alcatel fierce 4 TCL 5056N seems to have been hacked and is now being remotely accessed and controlled by an unauthorized 3rd party. I may be way off base but I think my phone may have been exposed to a R.A.T.. Temporarily rooted long enough for someone to modify the kernel and other system coding, which I cannot access myself with an unrooted phone, installing some sort of sub-OS with limited user setting options and a completely different named storage platform,( I.e. emulated, bdef55, self), and not even factory resetting my device helps because it reboots into the sub-OS they installed. They are screen overlaying buttons, and toggles are being reversed in real time before my eyes, settings and options are disappearing from one minute to the next and I've somehow found myself poking around in some windows software on a PC that is used to develop Android software, maybe sdk, not sure but was Linux coding and looked like it was meant for me. I was on the other end of this hack for a few minutes tho but my lack of knowledge made this useless to me. I have downloaded many an app trying to combat this issue but to no avail. Although unsuccessful I have seen a few thing I don't understand but could possibly be helpful for you to identify exactly what my issue is. One thing is an app I downloaded said that a trust cert has enabled a malicious trust agent and my system is being remotely accessed by a third party. The rest is beyond my understanding but I'm going to list a few tidbits you may recognize. LIB, Kinguser, kingroot, persist, unremovable/???/xxx, code Aurora, bootstrap something, libnfc, system/framework/Apache/xml, bin, user value=0 or 1/2, managed provisioning, also a .base ext. on a bunch of sytem apps below the same app without and a few of others. I don't know if that's helpful but it's all I can remember. Symptoms are apps closing on their own, microphone and camera being remotely enabled, unable to update Google play services or store and being forced to use an obviously older and modified version with possible replica apps with restrictions, unexpected reboots, in settings/apps/permissions apps like gallery, when you click battery and then the little i button for info, it says it's a system app and all of the sudden the disable and force close buttons become un-highlighted and unusable and so on and so forth. Lastly, my home wifi is infected I think as well because my roommate is having the same issues. I've tried(unsuccessfully) to root my phone so I could manually remove some of these apps and extra coding and such but it seems impossible because of a locked bootloader. Tried about 10 different ways without success so I've just about given up and smashed the damn thing but then you geniuses popped into my head so I beg of you, please help me or if nothing else, tell me to proceed with the smashing...lol! Thank you very much for your time. P. s. I'm new to XDA dev website so maybe drop me a line at [email protected] with directions back to this thread. Had a bit if trouble navigating here. Thanks again and have a great day! -Spencer
Okay so ive been battling this for sometime. I'm starting to get a little more knowledgeable but still don't know what to do with all this.I experienced this first back in 2015 then I completely made a switch. Well now I'm back to same issues.
The problems I'm experiencing is it's happening on all the devices I have. The phone I'm on now bought brand new from metropcs. and not even a day 30minutes later I get an update for the phone. I new not to install or download. But it inventively did. Now it's sitting on my storage wanting me to move files to root.
LET ME MAKE THIS CLEAR. NON OF MY DEVICES ARE ROOTED.
to make this short. My devices seem to have a Bluetooth admin. And connects to any Bluetooth device without me knowing.
So far from what I see chromium and stage fright is a big part of what I'm seeing.
I'm attaching some pictures to give more detail look. And it's not just my Android devices it's my Xbox one S as well.
looking to completely remove. I'm not trying to waste money on switching networks or completly going Mia.
Fast responses please.
Sincerly,
-Desperate androidian
BLEEDCOLORYOU said:
Okay so ive been battling this for sometime. I'm starting to get a little more knowledgeable but still don't know what to do with all this.I experienced this first back in 2015 then I completely made a switch. Well now I'm back to same issues.
The problems I'm experiencing is it's happening on all the devices I have. The phone I'm on now bought brand new from metropcs. and not even a day 30minutes later I get an update for the phone. I new not to install or download. But it inventively did. Now it's sitting on my storage wanting me to move files to root.
LET ME MAKE THIS CLEAR. NON OF MY DEVICES ARE ROOTED.
to make this short. My devices seem to have a Bluetooth admin. And connects to any Bluetooth device without me knowing.
So far from what I see chromium and stage fright is a big part of what I'm seeing.
I'm attaching some pictures to give more detail look. And it's not just my Android devices it's my Xbox one S as well.
looking to completely remove. I'm not trying to waste money on switching networks or completly going Mia.
Fast responses please.
Sincerly,
-Desperate androidian
Click to expand...
Click to collapse
The Android community isn't what it used to be that's for sure. No help, no suggestions. Just nothing.
BLEEDCOLORYOU said:
Okay so ive been battling this for sometime. I'm starting to get a little more knowledgeable but still don't know what to do with all this.I experienced this first back in 2015 then I completely made a switch. Well now I'm back to same issues.
The problems I'm experiencing is it's happening on all the devices I have. The phone I'm on now bought brand new from metropcs. and not even a day 30minutes later I get an update for the phone. I new not to install or download. But it inventively did. Now it's sitting on my storage wanting me to move files to root.
LET ME MAKE THIS CLEAR. NON OF MY DEVICES ARE ROOTED.
to make this short. My devices seem to have a Bluetooth admin. And connects to any Bluetooth device without me knowing.
So far from what I see chromium and stage fright is a big part of what I'm seeing.
I'm attaching some pictures to give more detail look. And it's not just my Android devices it's my Xbox one S as well.
looking to completely remove. I'm not trying to waste money on switching networks or completly going Mia.
Fast responses please.
Sincerly,
-Desperate androidian
Click to expand...
Click to collapse
I'm no expert but I'm struggling to see your exact issue you seem to think you have, is it just t your Bluetooth is switching on. All those licences, security certs, file locations etc look normal to me (without checking numbers or being able to compare to same phone os etc) though I have disabled many of those certs eg the Turkish ones etc & my Bluetooth files are different but I can find ref hill those locations online eg Xieomi phones
You appear to have a ZTE, please give model number and current OS & rev (must be stock I suppose). ZTE was found with a backdoor in older phones, sending data to China, so it's possible, & some Chinese phones also update their apps without notification. But as you say your whole network appears compromised so the source may be something else, like your router/modem, or Bluetooth as you think (though some apps require Bluetooth admin permission legitimately, you can disable it as an Admin). Tell us what behaviors you are seeing that you believe are malicious. New phone update soon after you turn on is quite common, as I'm sure you know.
When I had a quick look at your log it did have a lot of activity going to the US DOD, would you expect this, as well as the usual google & Facebook connections. Though (perhaps) strangely also to a server from a small marketing company here in Australia, but I'm no expert even if I looked at your log line by line I wouldn't understand it all.
Ref his other post
https://forum.xda-developers.com/general/security/security-global-family-credientals-t3665851
Things to try. Run a reputable antivirus. Boot into safe mode, so only system apps run, is it still happening? Can you turn off anything that is listed as a device admin? Try run a root checker app. Even if it all comes back negative you may still have a problem as a port may already have been opened and malicious app self deleted or something. Use an app like Fing to see if any device you don't recognise are connected to your network.
You may be able to block some activity if it's not going through root with a firewall eg NetGuard no root firewall, start with everything blocked.
Above are just some general hints, without knowing specifics I can only suggest you backup any stuff you want to keep then factory reset everything & change ALL passwords to strong ones (no good just adding a number on the end of your old ones!), better still reflash all firmware (updates if available) to overwrite everything. This incl your internet access points eg router, and only reconnect to the net/networks after you have done them all (one at a time preferably then you may be able to identify source of problems)
That turned out a lot longer than I intended!
IronRoo said:
I'm no expert but I'm struggling to see your exact issue you seem to think you have, is it just t your Bluetooth is switching on. All those licences, security certs, file locations etc look normal to me (without checking numbers or being able to compare to same phone os etc) though I have disabled many of those certs eg the Turkish ones etc & my Bluetooth files are different but I can find ref hill those locations online eg Xieomi phones
You appear to have a ZTE, please give model number and current OS & rev (must be stock I suppose). ZTE was found with a backdoor in older phones, sending data to China, so it's possible, & some Chinese phones also update their apps without notification. But as you say your whole network appears compromised so the source may be something else, like your router/modem, or Bluetooth as you think (though some apps require Bluetooth admin permission legitimately, you can disable it as an Admin). Tell us what behaviors you are seeing that you believe are malicious. New phone update soon after you turn on is quite common, as I'm sure you know.
When I had a quick look at your log it did have a lot of activity going to the US DOD, would you expect this, as well as the usual google & Facebook connections. Though (perhaps) strangely also to a server from a small marketing company here in Australia, but I'm no expert even if I looked at your log line by line I wouldn't understand it all.
Things to try. Run a reputable antivirus. Boot into safe mode, so only system apps run, is it still happening? Can you turn off anything that is listed as a device admin? Try run a root checker app. Even if it all comes back negative you may still have a problem as a port may already have been opened and malicious app self deleted or something. Use an app like Fing to see if any device you don't recognise are connected to your network.
You may be able to block some activity if it's not going through root with a firewall eg NetGuard no root firewall, start with everything blocked.
Above are just some general hints, without knowing specifics I can only suggest you backup any stuff you want to keep then factory reset everything & change ALL passwords to strong ones (no good just adding a number on the end of your old ones!), better still reflash all firmware (updates if available) to overwrite everything. This incl your internet access points eg router, and only reconnect to the net/networks after you have done them all (one at a time preferably then you may be able to identify source of problems)
That turned out a lot longer than I intended!
Click to expand...
Click to collapse
Thank-you. Now for a better visual. There's to many apps.
And if u can give me links to apps that will help.
And on my oneplus one the Bluetooth thing says :1002 sharing or midi or something.
BLEEDCOLORYOU said:
Thank-you. Now for a better visual. There's to many apps.
And if u can give me links to apps that will help.
And on my oneplus one the Bluetooth thing says :1002 sharing or midi or something.
Click to expand...
Click to collapse
And code.auroa? What is this
BLEEDCOLORYOU said:
Thank-you. Now for a better visual. There's to many apps.
And if u can give me links to apps that will help.
And on my oneplus one the Bluetooth thing says :1002 sharing or midi or something.
Click to expand...
Click to collapse
I don't have that phone so can't really tell what is a suspect app or not, especially just from screen shots.
Here use this app to run on demand scans against the virustotal database (this is not an "antivirus app" like Avast so offers no protection, it only scans apps on demand, so you should run a good antivirus also)
https://play.google.com/store/apps/details?id=com.funnycat.virustotal
it should flag any suspect apps and you can submit any unknown ones you are worried about.
---------- Post added at 05:12 AM ---------- Previous post was at 05:02 AM ----------
BLEEDCOLORYOU said:
And code.auroa? What is this
Click to expand...
Click to collapse
edit: not Firefox then.
org.codeaurora.bluetooth is a legit part of Bluetooth .... Well unless it's flagged by virustotal then it probably is a malicious app just given a common name to try and hide
IronRoo said:
I don't have that phone so can't really tell what is a suspect app or not, especially just from screen shots.
Here use this app to run on demand scans against the virustotal database (this is not an "antivirus app" like Avast so offers no protection)
https://play.google.com/store/apps/details?id=com.funnycat.virustotal
it should flag any suspect apps and you can submit any unknown ones you are worried about.
Click to expand...
Click to collapse
Okay but what is provisioning? Code auroa smartcard services googleplay for instance apps and
And IV never encrypted this phone.
BLEEDCOLORYOU said:
Okay but what is provisioning? Code auroa smartcard services googleplay for instance apps and
And IV never encrypted this phone.
Click to expand...
Click to collapse
And alot of the overlay apps n simtoolkit are all questionmarked
BLEEDCOLORYOU said:
And alot of the overlay apps n simtoolkit are all questionmarked
Click to expand...
Click to collapse
ser my edit above re aurora
sometimes virustotal will have 2 or 3 antiivirus companies flag a file, these are probably false positives so probably nothing to worry about (though could just be a new submission, other companies should soon update if real malicious code, check back in a day or two). If lots of companies flag an apk then you haven a problem.
It looks like you have a problem whit overlays (unless it's an app your phone company installs for that function, not sure what you mean). You should install a proper antivirus app like Avast, malwarebytes etc as a first step, hopefully it can remove malicious apk
---------- Post added at 05:51 AM ---------- Previous post was at 05:37 AM ----------
BLEEDCOLORYOU said:
And IV never encrypted this phone.
Click to expand...
Click to collapse
Doesn't matter, encrypting phone only protects unauthorised access to your data. Once it is unlocked anyone can view your stuff. And once a malicious app is on your system it can shall read all your data even if you had encrypted it as it's unencrypted when you use it
IronRoo said:
ser my edit above re aurora
sometimes virustotal will have 2 or 3 antiivirus companies flag a file, these are probably false positives so probably nothing to worry about (though could just be a new submission, other companies should soon update if real malicious code, check back in a day or two). If lots of companies flag an apk then you haven a problem.
It looks like you have a problem whit overlays (unless it's an app your phone company installs for that function). You should install a proper antivirus app like Avast, malwarebytes etc as a first step, hopefully it can remove malicious apk
---------- Post added at 05:51 AM ---------- Previous post was at 05:37 AM ----------
Doesn't matter, encrypting phone only protects unauthorised access to your data. Once it is unlocked anyone can view your stuff. And once a malicious app is on your system it can shall read all your data even if you had encrypted it as it's unencrypted when you use it
Click to expand...
Click to collapse
Okay so now I'm trying to post screenshots of when I'm connected to wifi and it's not letting me
Pairwise cyphers and
Group cyphers
Sim_num
?
BLEEDCOLORYOU said:
And alot of the overlay apps n simtoolkit are all questionmarked
Click to expand...
Click to collapse
Tap those with question marks to submit to virustotal for analysis
IronRoo said:
Tap those with question marks to submit to virustotal for analysis
Click to expand...
Click to collapse
/sys/fs/selinux/class/appletalk_socket/perms
Not suspious?
BLEEDCOLORYOU said:
/sys/fs/selinux/class/appletalk_socket/perms
Not suspious?
Click to expand...
Click to collapse
Now I'm not stupid, this is facts. I just need defined and solution!!!
No these are normal library files. Stagefright "the malicious exploits" were called this as it was the stagefright framework it exploited. Everyone has these files, here are mine below.
You need to use tools like antivirus to identify bad files but even that is no guarantee as there is the possibility the original malicious file could have self deleted and, for example, just left open ports which would not be found as a "virus" but still allow remote access to your device.
If you cannot identify the actual exploit on your phone then the best solution is probably to just reflash the stock rom as this will wipe & overwrite everything. But if a malicious file is left on your SD card or another networked device you could soon be infected/compromised again. That is why I said before if you can't identify the source of your infection you really need to factory reset or reinstall all OS on all devices affected including your home router etc (or maybe it's your work or public network) and change all passwords.
IronRoo said:
No these are normal library files. Stagefright "the malicious exploits" were called this as it was the stagefright framework it exploited. Everyone has these files, here are mine below.
You need to use tools like antivirus to identify bad files but even that is no guarantee as there is the possibility the original malicious file could have self deleted and, for example, just left open ports which would not be found as a "virus" but still allow remote access to your device.
If you cannot identify the actual exploit on your phone then the best solution is probably to just reflash the stock rom as this will wipe & overwrite everything. But if a malicious file is left on your SD card or another networked device you could soon be infected/compromised again. That is why I said before if you can't identify the source of your infection you really need to factory reset or reinstall all OS on all devices affected including your home router etc (or maybe it's your work or public network) and change all passwords.
Click to expand...
Click to collapse
I'm on a video bridge network I got the direct TV setup with 2 wireless setups. Both secure from what I know.
BLEEDCOLORYOU said:
Pairwise cyphers and
Group cyphers
Sim_num
?
Click to expand...
Click to collapse
These are for encryption of your connection, not your phone
BLEEDCOLORYOU said:
I'm on a video bridge network I got the direct TV setup with 2 wireless setups. Both secure from what I know.
Click to expand...
Click to collapse
I'm no coding/security guru, but I have worked on telecoms, military electronics, etc but my coding & network security knowledge is limited.
I would run this app Fing to check your local network, are there any unknown devices connected?
https://play.google.com/store/apps/details?id=com.overlook.android.fing
note: this only finds currently connected devices, so you'd want to do this several times & especially when you see suspect behavior.
Also check for open ports, easiest way is probably this site, it will scan the first 1000 ports or so (select all)
https://www.grc.com/
go to shields up
but you really need to scan ALL possible ports with a tool like Zenmap (for PC) if you think you are compromised
https://nmap.org/zenmap/
However it's not clear to me if you ever installed a proper antivirus and whether it found and deleted anything? Virustotal seemed to find some suspect apks, I had a quick look at Trendmicro database but it didn't list details of the one it found in your screenshot, but the fact some of those antivirus companies called the suspect apk names with "joke" in it may suggest it's just a joke app your mate has installed, though probably not a joke app if your other devices are really also compromised, from memory there is also real malware with that name which may be able to infect other devices. Running a proper antivirus should easily find and clean any "joke" app on your phone & hopefully any real malware. If you've done this and still seeing indications you are compromised then do what I suggested above. (Also repeat malware checks on other devices and removable storage media)
You should also log into your router as admin and check settings, are you using a secure router password? Is firmware up to date. Is firewall set up correctly? Also close any open ports that you don't use. Turn off remote admin, if router has it. Etc etc what do your router logs show (turn on more detailed logging if necessary) Factory reset or reinstall firmware if you think changes have been made to your router by someone else.
Hi I am having same issues. Exact same behaviors regardless of new phones new carrier and all accounts being unconnected in name. Google etc. This is extreme. Its via bluetooth I agree something with esims or virtual sims for use of wifi access and or signal piracy for media. The DOD files are also something I am familier with seeing. Code Aurora was also a govt project way back. Its Interesting thst I have Verizon files loading on at & t phones and sprint loading on Verizon. Whatever this is has managed to infiltrate my computers as well. Its relentless. Its impressive and sophisticated. Please please help.
Spidder77 said:
Hi I am having same issues. Exact same behaviors regardless of new phones new carrier and all accounts being unconnected in name. Google etc. This is extreme. Its via bluetooth I agree something with esims or virtual sims for use of wifi access and or signal piracy for media. The DOD files are also something I am familier with seeing. Code Aurora was also a govt project way back. Its Interesting thst I have Verizon files loading on at & t phones and sprint loading on Verizon. Whatever this is has managed to infiltrate my computers as well. Its relentless. Its impressive and sophisticated. Please please help.
Click to expand...
Click to collapse
I'm having the same issmy ues. Did anyone ever resolve or figure out what is happening? I think I'm under investigation by the DOD and they own my devices. My uploads/downloads are blocked, internet searches filtered, pics/screenshots of evidence deleted off my phone, etc.
Hi,
I'm new to XDA. I think I'm in the right forum for my issue. My phone was infected with what I think is a type of auto rooting trojan. I was looking for info on an app I'm using called Duraspeed. I came across this website that started throwing popups at me saying my phone had tons of viruses, which was a lie. By the time I could break free from the drive by attacks, it was too late. I started getting sluggish performance on my phone and popup ads randomly. Even though it somehow gained root access, my phone is not rooted. Never was. Its still not! Because I checked with several apps off the playstore to confirm this. Long story short:
It put a file called "ads_popup-release.apk"
in my root folder /system/priv-app/
And modified a file called "8e710bb7.0"
in root folder /system/etc/security/cacerts/
or put (installed) the file there I'm not sure.
The file running on the phone as a system app is called "ad_surface"
I can only force stop and disable ad_surface without the ability to uninstall. I have to repeat this process every time I reboot. This stops the ads from popping up. Funny thing is, even though the force stop button in app settings is greyed meaning it was stopped and disabled, my OS Monitor app that shows running processes shows ad_surface is still running. Yet, it does stop the random popup ads by doing it this way. I've tried 360 AV, Avast, AVG, Malwarebytea, Kaspers, stubborn rootkit remover, a lot of antivirus programs but nothing detects it. I'm using Total Commander File Manager to view the device system partitions. I even copied the two trojan files to a folder on the user partition to see if any of the antivirus programs could check them there away from the root areas. But nothing. My guess is that I need to root my phone so I can gain access to the apk file and delete it. I haven't done a factory reset because I realize that apk file is in the recovery partition in order to reinstall itself. I've never rooted a phone before, but I have Kingroot installed. I downloaded it from XDA. I just don't have the guts to use it in fear of bricking. Do you think it would work with my phone? Does it abort the root procedure if it can't do it? Here are my phone specs:
Vortex Beat 8
Software build: 8_V1.5_20171011
Chipset: MT6580M Cortex-A7
CPU Architecture: ARMv7 Processor Rev 3(V71)
Cores: 4 1300MHz
Kernal Version: 3.18.19
Total Ram: 459MB
Internal ROM: 8GB (4GB for user)
That's about it. If there's anything anybody who could recommend how to go about this I would greatly appreciate the help. Thank you...
Go try factory resetting it, doesn't hurt to try.
If the "virus" is still there you can always re-flash the phones os. Here is the link to the stock ROM ---> http://www.needrom.com/wp-content/uploads/2017/04/BEAT-8_V1.06_20170413.rar
The below link is a tutorial on how to flash the phones ROM.
https://www.getdroidtips.com/stock-rom-vortex-beat-8/#How_to_Download_Stock_ROM_on_VORTEX_Beat_8
In mtkdroid tools, Have all the boxes unchecked, and make sure you only have "ANDRIOD" and "RECOVERY" checked marked. The other boxes are just about the phones information and properties. Theses shouldn't be checked because it might erase your imei/drivers or other stuff. After flashing the rom make sure you do a complete factory rest + cache. Erase whatever you have on ur sd cards or micro sd cards.
Just do this and call it a day
Good luck
Cool
Hi, thank you! I will try this. I will have to borrow someone's computer like my nephews. I did try Kingroot and OneClickRoot but they both failed. Perhaps due to a locked bootloader. Or the evil trojan that made itself super user blocking them. I did do a factory reset, but the trojan persist. My mistake was forgetting to turn off unknown sources in security settings. I think that's how it got in... I'll keep checking back on this thread in the meantime to see if someone knows a tool that can kill the trojan, but I doubt it. Cheers!
SecretSociety68 said:
Hi, thank you! I will try this. I will have to borrow someone's computer like my nephews. I did try Kingroot and OneClickRoot but they both failed. Perhaps due to a locked bootloader. Or the evil trojan that made itself super user blocking them. I did do a factory reset, but the trojan persist. My mistake was forgetting to turn off unknown sources in security settings. I think that's how it got in... I'll keep checking back on this thread in the meantime to see if someone knows a tool that can kill the trojan, but I doubt it. Cheers!
Click to expand...
Click to collapse
I'm having similar troubles I somehow believe I have an entire infected Network from Windows 10 to iOS and all the cell phones even two 3-g flip even the Smart car has been recognized I communicated with the virus / hacker Network I have no idea how to get rid of it I give his self super user privileges without quite rooting the phone and hides itself in system apps so it's virtually impossible to get rid of at least for me it is I have post here called wading deep Waters please do check it out
sassyfrassy said:
I'm having similar troubles I somehow believe I have an entire infected Network from Windows 10 to iOS and all the cell phones even two 3-g flip even the Smart car has been recognized I communicated with the virus / hacker Network I have no idea how to get rid of it I give his self super user privileges without quite rooting the phone and hides itself in system apps so it's virtually impossible to get rid of at least for me it is I have post here called wading deep Waters please do check it out
Click to expand...
Click to collapse
It isn't unheard of for a router to get infected with a virus/malware, rare, but not exactly impossible. I've run across others here over the years that have discussed this issue. I don't remember any specifics, tools or methods to fix the issue though, but you can probably find info on removing malware from a router.
Sent from my LGL84VL using Tapatalk
Droidriven said:
It isn't unheard of for a router to get infected with a virus/malware, rare, but not exactly impossible. I've run across others here over the years that have discussed this issue. I don't remember any specifics, tools or methods to fix the issue though, but you can probably find info on removing malware from a router.
Click to expand...
Click to collapse
Thank you for your prompt response I'm not positive that the router and modem are infected more or less they are overloaded from the amount of leeches in hitchhiker's I have from this awful network of hackers and code running through my TV's my cars for god sakes I read one of their lauder's I got in somehow and I could see that they were logging how many seconds it took me from getting out of the car to getting in my home that was just one scary example they could tell when my phone was in my pocket and if I was walking and how many people were with me this is just my cell phone not to mention my TV's the laptops I have no idea what to do
sassyfrassy said:
Thank you for your prompt response I'm not positive that the router and modem are infected more or less they are overloaded from the amount of leeches in hitchhiker's I have from this awful network of hackers and code running through my TV's my cars for god sakes I read one of their lauder's I got in somehow and I could see that they were logging how many seconds it took me from getting out of the car to getting in my home that was just one scary example they could tell when my phone was in my pocket and if I was walking and how many people were with me this is just my cell phone not to mention my TV's the laptops I have no idea what to do
Click to expand...
Click to collapse
It sounds to me like their hold over you has more to do with your personal information than with your devices. With certain pieces of your info, they can gain access to any device that you sign into, login to or even just enter information in while using, even if it isn't yours.
If your network provider randomly cycles IP addresses among its users, it could be that the hacker has previously hijacked that IP address while another user was using it and his access carried over to you when the IP was assigned to you. If this is so, a new IP and changing all of your account info among all of the various accounts you have would cut him off, maybe?
I'm not the best at network security issues that go that deep. My network management/LAN Admin days were a very long time ago, too many things have changed.
Sent from my LGL84VL using Tapatalk
Droidriven said:
It sounds to me like their hold over you has more to do with your personal information than with your devices. With certain pieces of your info, they can gain access to any device that you sign into, login to or even just enter information in while using, even if it isn't yours.
If your network provider randomly cycles IP addresses among its users, it could be that the hacker has previously hijacked that IP address while another user was using it and his access carried over to you when the IP was assigned to you. If this is so, a new IP and changing all of your account info among all of the various accounts you have would cut him off, maybe?
I'm not the best at network security issues that go that deep. My network management/LAN Admin days were a very long time ago, too many things have changed.
Click to expand...
Click to collapse
Thank you I really appreciate you taking the time to think about my situation I have had no one to talk to about this for 2 months
sassyfrassy said:
Thank you I really appreciate you taking the time to think about my situation I have had no one to talk to about this for 2 months
Click to expand...
Click to collapse
Not sure how much help I'll be to you. I'm no expert in what you're dealing with. I'm just telling you some possibilities that I've seen others dealing with over the years.
Sent from my LGL84VL using Tapatalk
Droidriven said:
It sounds to me like their hold over you has more to do with your personal information than with your devices. With certain pieces of your info, they can gain access to any device that you sign into, login to or even just enter information in while using, even if it isn't yours.
If your network provider randomly cycles IP addresses among its users, it could be that the hacker has previously hijacked that IP address while another user was using it and his access carried over to you when the IP was assigned to you. If this is so, a new IP and changing all of your account info among all of the various accounts you have would cut him off, maybe?
I'm not the best at network security issues that go that deep. My network management/LAN Admin days were a very long time ago, too many things have changed.
Click to expand...
Click to collapse
You hit the nail on the head! Told me "unfortunately we have met"
Sent from my LGE LGL158VL using XDA Labs
SecretSociety68 said:
It put a file called "ads_popup-release.apk"
in my root folder /system/priv-app/
Click to expand...
Click to collapse
translation it installed itself to the privilege app section on your phone which does not delete with a reset (new rom does) this also gives the app more power
it can only be done with root so the app rooted your phone (at least temp) here is a app that removes it but it needs root
https://f-droid.org/en/packages/de.j4velin.systemappmover/
And a system priv app has AFAIK full power however as of Oreo thier is another file to give it permisions so says google https://source.android.com/devices/tech/config/perms-whitelist namely
/etc/permissions/privapp-permissions-OEM_NAME.xml
/etc/permissions/privapp-permissions-DEVICE_NAME.xml
check these files and see what you find
SecretSociety68 said:
And modified a file called "8e710bb7.0"
in root folder /system/etc/security/cacerts/
or put (installed) the file there I'm not sure.
Click to expand...
Click to collapse
translation installed a CA certificate that enables them to have a SSL connection or with this certificate can spoof websites
of course this should be deleted but again you will need root (or new Rom)
SecretSociety68 said:
The file running on the phone as a system app is called "ad_surface"
Click to expand...
Click to collapse
The app has to be running with a linux GUID so you can check with that
the apps can not find root this can be because the program used root once to get a elevated status (temporary root) and then does not need it anymore
so you cannot find it. The question still remains how they did that but right now you need to get out.
Waiting for other response. Hehe.
I had this take control of multiple devices and 2 computers. 3 android phones and an apple iphone and 2 windows computers. I countless hours going through logs and data. On my android devices it even made a cloned version of TWRP so it would reinstall itself through recovery. I spent hours on the phone with samsung and apple senior advisors. I viewed the analytic data on the apple device over and over. Extremely werid things were running. Constantly writting system wwrites on a stock apple phone. It was able to transfer from device to device over wifi hotspot. It went on for over two months. I had a roku tv also become monitored. It was the craziest **** ive ever had happen to me. It litterally almost drove me insane and I thought I was going crazy. Ive never seen anything like it. Even google reaults were completely false and fake sites. I disnt know this happened to anyone else. Ive got countless logs and screenshots saved in case I ever needed to share the info. It even remotely sipped my desktop hard drives and had me connecring to a remote server on boot.
---------- Post added at 07:48 PM ---------- Previous post was at 07:37 PM ----------
I could make a phone call and hear breathing in the background. Id make a call and touch tone sounds would go off after the first ring. I was getting constant interference through my phone. It connected all my devices to a home group I never created. I literally had to destroy the devices
---------- Post added at 08:15 PM ---------- Previous post was at 07:48 PM ----------
Applied protocal - makes sense man, in juat glad I got it off my back. On the iphone, when yyou would install a new app from the "app store" it would run a wake up over 4000 times a second to wake up an unknown app in system files . im assuming this was to clone the app or change some code in it when it was installed. The app name was ??? In the analytic logs and it was an "event write system". This was some dirty stuff man. Is this something that is common right now? This exploit across so many devices? Id love to share some of these logs and screenshots if anyone is interested.
SecretSociety68 said:
Hi,
I'm new to XDA. I think I'm in the right forum for my issue. My phone was infected with what I think is a type of auto rooting trojan. I was looking for info on an app I'm using called Duraspeed. I came across this website that started throwing popups at me saying my phone had tons of viruses, which was a lie. By the time I could break free from the drive by attacks, it was too late. I started getting sluggish performance on my phone and popup ads randomly. Even though it somehow gained root access, my phone is not rooted. Never was. Its still not! Because I checked with several apps off the playstore to confirm this. Long story short:
It put a file called "ads_popup-release.apk"
in my root folder /system/priv-app/
And modified a file called "8e710bb7.0"
in root folder /system/etc/security/cacerts/
or put (installed) the file there I'm not sure.
The file running on the phone as a system app is called "ad_surface"
I can only force stop and disable ad_surface without the ability to uninstall. I have to repeat this process every time I reboot. This stops the ads from popping up. Funny thing is, even though the force stop button in app settings is greyed meaning it was stopped and disabled, my OS Monitor app that shows running processes shows ad_surface is still running. Yet, it does stop the random popup ads by doing it this way. I've tried 360 AV, Avast, AVG, Malwarebytea, Kaspers, stubborn rootkit remover, a lot of antivirus programs but nothing detects it. I'm using Total Commander File Manager to view the device system partitions. I even copied the two trojan files to a folder on the user partition to see if any of the antivirus programs could check them there away from the root areas. But nothing. My guess is that I need to root my phone so I can gain access to the apk file and delete it. I haven't done a factory reset because I realize that apk file is in the recovery partition in order to reinstall itself. I've never rooted a phone before, but I have Kingroot installed. I downloaded it from XDA. I just don't have the guts to use it in fear of bricking. Do you think it would work with my phone? Does it abort the root procedure if it can't do it? Here are my phone specs:
Vortex Beat 8
Software build: 8_V1.5_20171011
Chipset: MT6580M Cortex-A7
CPU Architecture: ARMv7 Processor Rev 3(V71)
Cores: 4 1300MHz
Kernal Version: 3.18.19
Total Ram: 459MB
Internal ROM: 8GB (4GB for user)
That's about it. If there's anything anybody who could recommend how to go about this I would greatly appreciate the help. Thank you...
Click to expand...
Click to collapse
Definitely malmare! Mine was called "Ad-Time", like a kid's show or something, but either way, very persistent and pervasive! I have 2 roms, (v 1.5 & 1.6), in img format, easy fastboot flash. Look at this phone wrong and it's rooted. Anybody interested, hit me up, I even got the couple-line script to install SuperSU /system (beat 8 doesn't like Magisk). A simple su.d script to enable permissive selinux, build.prop changes, and you have a $30 Nexus via MTK. I also ported TWRP 3.2.1(no bugs) & Philz, but TWRP is my comfort-zone.
Sent from my ZTE Sapphire 3G using XDA Labs
---------- Post added at 02:03 AM ---------- Previous post was at 01:48 AM ----------
sameboat said:
I had this take control of multiple devices and 2 computers. 3 android phones and an apple iphone and 2 windows computers. I countless hours going through logs and data. On my android devices it even made a cloned version of TWRP so it would reinstall itself through recovery. I spent hours on the phone with samsung and apple senior advisors. I viewed the analytic data on the apple device over and over. Extremely werid things were running. Constantly writting system wwrites on a stock apple phone. It was able to transfer from device to device over wifi hotspot. It went on for over two months. I had a roku tv also become monitored. It was the craziest **** ive ever had happen to me. It litterally almost drove me insane and I thought I was going crazy. Ive never seen anything like it. Even google reaults were completely false and fake sites. I disnt know this happened to anyone else. Ive got countless logs and screenshots saved in case I ever needed to share the info. It even remotely sipped my desktop hard drives and had me connecring to a remote server on boot.
---------- Post added at 07:48 PM ---------- Previous post was at 07:37 PM ----------
I could make a phone call and hear breathing in the background. Id make a call and touch tone sounds would go off after the first ring. I was getting constant interference through my phone. It connected all my devices to a home group I never created. I literally had to destroy the devices
---------- Post added at 08:15 PM ---------- Previous post was at 07:48 PM ----------
Applied protocal - makes sense man, in juat glad I got it off my back. On the iphone, when yyou would install a new app from the "app store" it would run a wake up over 4000 times a second to wake up an unknown app in system files . im assuming this was to clone the app or change some code in it when it was installed. The app name was ??? In the analytic logs and it was an "event write system". This was some dirty stuff man. Is this something that is common right now? This exploit across so many devices? Id love to share some of these logs and screenshots if anyone is interested.
Click to expand...
Click to collapse
Typical Chinese ad/malware/surveillance. If you visit china, you turn over your devices for "inspection", so they can sideload some state-sponsored goodies. A lot of these Chinese roms have the ads baked-in, like mine. Whoever's listening and seeing my pics is gonna need therapy, because I filled the phone up with some STRANGE s*** Remove the apk, but there's several .xml's and .jar's that gotta go, too.
Sent from my ZTE Sapphire 3G using XDA Labs
What is the best way to counter this problem?
Dassote said:
What is the best way to counter this problem?
Click to expand...
Click to collapse
Root, and remove all traces of the " ad_* " app and even the duraspeed app if you want, but I didn't see anything untrustworthy about that. Duraspeed is in the default.prop (running booster), so it's in the kernel. Root uninstall just leaves you no way to control, kuz the PROCESS will go and go, unless you're willing to play with the kernel. Not for amateurs like myself My Beat 8 has been flashed or fastboot-booted more times than I can count. Good times.
Once your Chinese spyware is uninstalled, delete build.prop lines with "running booster", /system/lib's with it, and I think it was in the /system/bin, and /vendor/app had one. Clear them all, and you'll need to tweak the build.prop some more. debug.qemu.kernel=1, ro.secure_storage.support=0, ro.debuggable=1, then reboot AFTER you chmod 644 the build.prop! The "debug.qemu.kernel=1" was what made the rest stick. ADD those props, but don't change the existing ones (kernel). I just deleted the default values, replaced with "" . Fits the whole debug vibe. I should upload a copy of my final build.prop, cheap-a** phone runs like a champ.
Sent from my LG G Stylo using XDA Labs