Ghost in the Machine - Samsung Galaxy S8+ Questions & Answers

Hi guys!
Tried the search but came up with nothing so here goes...
I must admit I'm not very tech savvy but I can follow instructions no worries
I joined mainly because my Samsung Galaxy S8+ (un-rooted) started to behave very strangely early this year.
(and I want to trick it up after warranty expires in August)
Short story is that my Samsung account got hacked (or it at least seems like it) and the perp was then able to control my phone remotely. It was incredible watching my phone do as it pleased and all I could do was sit back and watch. Funny thing is that I've never actually toggled the RC switch (find my phone)...
My local carrier (Telstra Bigpond - Australia) account as well as my Google account got taken over shortly after. This would have given whoever it was access to my 3 cloud accounts which, as you can appreciate, would contain some sensitive material.
Whoever is responsible could well be a member on here so "Hi, there!! "
I pulled my sim and sd card and switched the phone off so I could decide what to do next.
I got a password manager app, changed all passwords (lucky my partner had a spare iPhone 5S sitting around so I could get online) and factory reset the phone.
All seemed to be going well until a few days ago...
I got "timed out" on my Samsung account (is that even possible?!) and while I was putting the password in (on the Samsung website - silly mistake!) just as I hit next I noticed a few dots in a square pattern that did a spinning type of graphic over the password entry box.
Continuing onto the next screen where the two step verification was, which was to send a text to my phone to receive a code and bang! Before I even received the text a six digit code appears in the fill box on the screen (same spinning dots in a square pattern) right before my eyes and then I receive the text afterwards! The numbers matched!!
I’ve also been asked to enter my Google credentials on more than one occasion lately from being “signed out”...
I don't know what to do!
I've tried all of the popular virus type apps and a few file managers to no avail. More like I've been hacked than a virus?
I've removed apps and shut down almost all of them as well as toggling between mobile data and WiFi and restored the phone twice back to earlier backups from over 6 months ago.
I've only ever downloaded from the Play Store apart from just the once getting your better version of the Play Store XDA (LABS) app.
What might be noteworthy is when I was using Google's help function it said that I had a "modified Android" and to contact manufacturer. I can guarantee the phone has never been cracked open.
I can provide screen shots from DevCheck (FLAR2) but I really don't know what I'm looking at. I also don't have any unknown apps etc...
I really don't know what to do next...
Any advice please??
Sorry about the long post.
All the best,
Crackles

Took phone to Samsung and they wiped the device and installed current (Android Pie 9 w. Feb 01 security update) so was looking forward to having a play with the new os until I went to add my Samsung account details...
Entered the password then the 2-step security kicked in to send a text to my number.
The earlier 4 circling dots dropped the 6 digit code into the fill box before I even received the SMS! Device (on its own) jumped straight to the remote control button in the Find My Device security section and then attempted to change the password!
Only thing that prevented that from being carried out was I had biometrics activated and stopped the action using my fingerprint.
Seriously no one has any idea on what to do?!
I also had installed a replacement sim card.
I also can't uninstall updates on certain apps like Google Play Services etc, and some apps either have a dead link (press it and nothing happens) or Play Store can't find the app when I hit the downloaded from Play Store thingy at the bottom of the app description page. Hope that makes sense.

As you said, they wiped the phone, which means they most likely flashed the whole firmware, so there's no way for any malware to remain installed. But for what it's worth, you can try to re-flash the firmware yourself using Odin to make sure the whole flash is clean.
If your phone really was infected with any kind of malware, it must have been a third-party app you have (repeatedly) installed. Some apps like Google Play Services cannot be uninstalled because they are vital for the system's (or rather apps installed from Play Store) proper functioning.
Also, even if you had infected your device, it would not be able to take control of your device to the extent you described because of app sandboxing, which cannot be broken unless the app constitutes itself as a system app (because every part of the system has to be cryptographically signed, this would break the boot and brick your device) or the user (you) would have to allow the app the necessary permissions to carry out these tasks.

Hey Kernel, thanks for the reply
Yes I know what I'm saying sounds crazy and even the missus said I was nuts till I showed her.
I can't screen record any more either...
I'm noticing odd little things like when I pull the notifications screen down for a second or so the NFC, Bluetooth and Nearby icons are lit up but then revert back as if they were off. I've switched all of these items off in the settings, so are they being sneaky?
So far nothing really bad has happened apart from not being able to put my credentials into the PayPal app. That's using both LastPass auto-fill and manually entering the email and password. I've un-installed and re-installed many times and it's the same. I'm not going to add any banking apps just yet.
Facebook also got installed in the background about 4 times within a few minutes. Seemed odd to me. I think I've got a screenshot of that.
Malwarebytes found an issue with I'm guessing a theme I got from the Samsung Galaxy Store so I removed it, chose another and it seems OK.
There's still a few odd things happening like certain settings reverting back to something different from what I'd set.
I'll keep tinkering and post anything that stands out.
Is there an app or something that can check every file on my phone and tell if something isn't quite right?
I don't have a pc at the moment but when I do I'll look into Odin.
Thanks again for taking the time I know I sound like a lunatic and tbh I really wish I was haha!! :laugh:
Hmm interesting...
When I tried to upload the screenshot it stopped and said "bad request"...
Sent from my SM-G955F using XDA Labs

Could all this weird bs be happening if the home WiFi has been hijacked?
Sorry for dumb questions.
Sent from my SM-G955F using XDA Labs

WhatsApp does the same thing: it autocompletes the code before the SMS arrives. This is not malware. But don't use a password manager... those can be hacked.

Really my password manager can be hacked?!
I'm using LastPass.
So moving on I started to poke around the WiFi router and found the PnP enabled and my device was sharing with another device. I did not authorise this. I've since reset the router, changed the pin and access code, disabled the WPS and also factory reset the device that was "sharing" with mine... The owner of said device no longer lives with me. I'm just glad I confiscated the phone from him before he left.
When I'm researching possibilities of what could be going on with my phone the pages won't load. It's like my searches are being monitored and the data is being stopped. I tested this with my partner's phone (on mobile data) and the exact web pages loaded right up on hers without a hitch! I tried again on mine and they just stopped. Pages would load straight away on mine if searching for something completely different like RC cars or BMX related content. Stuff to do with my phone just won't work ffs!
Like when I tried my first post on here. It simply would not post it up! I ended up having to copy/paste the draft and emailing it to another account that I made up on the spot on her phone. Hence the two usernames in this thread.
I got the 3C TOOLBOX app and in the app management section, Task Manager under Services, many of them are "custom entries" and I cannot un-tick, modify or reset back to the original version of any of these apps. Google Play Services was the worst. Pretty much everything it was capable of doing had a "custom action" and I could not do anything with it.
Am I doing something wrong or do I have a serious invasion of my phone..?
Thinking about smashing this thing to bits and getting an S10+
Also the Bluetooth, NFC & Nearby buttons, almost any time of the day/night, are on for a split second when I drag the notification panel down. These are all set to "OFF" in settings...
What
The
F--k?!?!?!
Sent from my SM-G955F using XDA Labs

Related

Stolen device and requesting some intelligent advice

Heya everyone!
Okay.
So I had a house theft where my Nexus 10 tablet was stolen.
I had Prey installed, but stupid me, disabled this from the Task Manager thingy thinking that it was eating up the battery, along with the GPS location option.
So both of those were not active at the time of the robbery.
I can go to the Google Play Store and see that it's being used every day, but it can't locate where it might be.
Two months had passed since then where suddenly I saw someone using my Pandora account and even entered in her real name.
After a simple Google search, I found her, including her address, and told a detective about this.
He stopped by to see her and she gave a good explanation, stating she no longer had it anymore.
The last time she used Pandora was the same day the detective was there.
I emailed Pandora if I could get an exact time stamp on the last song that was played and I'm waiting to hear from them.
I have a replacement tablet, another Nexus 10.
I can go online and ring the stolen device, lock it, or even erase it.
The tablet is still in my name even though it's gone.
Is there anything extremely smart I can do with this situation?
Thanks ahead.
-James
Since you are getting a replacement tablet, there is no need to get the original back. However, you might want to wipe it (as you stated you could) so nobody can use your Google account or take advantage of any personal info.
Change your passwords to those accounts you had on your stolen tablet.
Examples of accounts: Google, email(s), Pandora and all others which have a password.
If you had confidential information like your credit card number, etc, you might also wish to get them changed.
You should go online and disable your stolen device - erase and lock it.
Get over it bro. Buy a new one

[Completed] Z740g - Phone Self Reset And Keyboard Is Gone.

When I woke up today to get ready for work, my rooted Z740g was on the beginning tutorial for setting up the phone. While I was asleep the phone reset itself and erased everything I had on the phone storage. When I tried setting up the phone to see what was going on, the default keyboard app was not there! I had to use Google Voice to download a keyboard app from a website other than the Google Play Store. No one had physical access to my phone and I had no other device sign-ins on my Google account history. I didn't grant any strange programs superuser permission except for Android Lost. I didn't see any logs in AndroidLost, and it uses my Google account to sign in and I wasn't seeing any strange devices on that log. Do you think that this is some strange fluke or some type of malicious attack? My internal storage was almost full and occasionally my phone would reboot on its own and had various small bugs like battery monitoring being inaccurate on occasion. I'm worried about security breaches on my phone because I have seen how easy it is for someone to access the microphone, camera and any files on the device. I removed my SIM and had to change all my online passwords.
Would flashing a rom completely remove any malware that might be on the device?
edit: I just noticed that there were two versions of Chrome on my phone when I was trying to figure out what happened earlier today. I did notice that Chrome looked different. I see a version 39 from before the wipe occurred and now I have version 28.0.1500.94. I looked up release dates and version 28 was released in 2013 and the phone wasn't even released until sometime in 2014. What gives?
Hi, thank you for using XDA assist.
There is a general forum for Android here http://forum.xda-developers.com/android/help where you can get better help and support if you try to ask over there.
Good luck.

Possible malware infection/network attack while using Facebook app

The night of the 17th, I was using the Facebook app while suddenly a download in progress icon appeared in the status bar. I pulled down the notifications screen just in time to catch a glimpse of the word "attackers" followed by a bunch of symbols like $ before it disappeared. I could not find anything in the downloads folder list, ESET premium that was monitoring my phone and all downloads hadn't even detected it, and I tried in vain to search online using only the selected phrases I had managed to glimpse.
Then by sheer luck, today, I managed to find a thread on this problem with the full details. The message had been "attackers on <b>%1$s</b> might atte..." with a download in progress while using Facebook app. Which I assume is completed as "might attempt to steal your information" or something.
I tried using this phrase to search about it on Google, and while nothing specific to this problem came up, a list of generic information results on various types of network attacks (DDoS, man in the middle and zero day attacks) came up, which has me really worried.
I am still using the phone as is, I really don't know much about technology related things. Please advise me what I should do now, if I should just turn off the phone or something. The person in the other thread said he had reset his phone and the problem had reappeared when he had signed into Facebook again, so now I'm not sure if a simple factory reset will help and I will probably need to install a custom ROM or something.
I'm using Android 7.0 in a Samsung Galaxy J7 Prime. I got a software update to Oreo just an hour earlier and I wonder if updating the software will help remove whatever malware/spyware/hacking application got installed.
Please help, I am logged into all my accounts through this phone and it's already been like 4 days since the message first appeared; damage control is needed.
Thank you very much. If you know anything, anything, please let me know it's very urgent.
Sounds like the warning message Chrome gives. The <b>%1$s</b> is a variable for the website name.
https://security.googleblog.com/2015/02/more-protection-from-unwanted-software.html?m=1
Found a couple of other mentions of this.
See image in following thread; seems like download manager shows the warning, so it must be Facebook downloading something from a suspect URL, as you say it happens using Facebook. I don't use the Facebook app. You say it downloaded something by itself, without you initialising it, which seems dodgy, but it's a monster app as I recall, must be even bigger with more permissions these days!
https://m.imgur.com/a/31Pds5y
ref
https://www.reddit.com/r/FacebookHelp/comments/9vtne6/attackers_on_b_1s_b_download/
been happening for at least 4 months
https://www.reddit.com/r/androidapps/comments/8zq0fw/mystery_app_update_on_lg_g5_help/
See you have seen this thread also
https://forum.xda-developers.com/android/help/ineed-help-message-attackers-1s-atte-t3868724

Can fishy email images affect Android devices?

Hi Guys,
I got a strange email in my emails, when looking at the email from / to it looked spoofed and I was about to click back but I accidentally clicked 'Download images', the ones that are usually blocked when opening an email, not actual attachments. Can JPEGs etc... contain anything malicious?
I factory reset my phone after that happened but that didn't stop me getting 3 calls from Africa this morning, 2 within one minute.
They can, e.g. Stagefright, or later in 2016 this
https://www.forbes.com/sites/thomasbrewster/2016/09/06/google-android-one-photo-hack/
or just last year
https://www.komando.com/security-pr...e-over-an-android-phone-with-an-image/543634/
which your phone may be vulnerable to if not still getting regular updates,
and just this month's patch also has a media framework bug allowing possible escalation of privileges
https://9to5google.com/2020/06/01/pixel-june-20-security-patch/
However, it could just be a coincidence you got a storm call; they just use computers to call from a number list or random numbers.
A factory reset may not get rid of malware that has been able to install itself in the system partition. You need to reflash the full factory image again. Or if your phone is not getting updates any more from the manufacturer you should ALSO flash a trusted custom ROM, i.e. LineageOS from an official source (hopefully there is one for your EXACT model), after you have clean flashed the most recent manufacturer ROM.
I use Android 10 with security patch from April.
Would I be right in assuming that the phone needs to be rooted for anything to be installed on the system partition? I don't have mine rooted.
Last time I reflashed a device, even with official firmware it stopped me getting updates.
It is quite annoying since pretty much everybody keeps saying it is safe to open a spam email as long as a link is not clicked or attachment downloaded but that appears to be rubbish since the images rendering within an email seem to be enough for a phone to be hijacked.
You should be pretty much covered for known security issues as you are on the April security patch. Though there are of course likely to be other unpublished vulnerabilities. You can try submitting suspect images to virustotal.com to see if it's already known.
Unfortunately malware can install into the system partition even if you have not rooted your phone in some cases, e.g. if the vulnerability is in an already privileged process. (note: I'm not a security expert)
Given you are pretty much up to date with known patches I think the phone calls are likely just a coincidence, unless you have more indications of a hacked phone or other accounts etc.
Edit: PS even if those images were malicious you may be OK as you have recent security patch so they might not have been able to compromise your phone.
Strange thing is Tuesday night before this, I got a reset password email for Netflix... I didn't think too much of it and don't know why they would do that.
That is before Thursday when I accidentally opened a spam mail then later on Thursday got a few calls from an African Number.
Then today I got 3 password reset emails from my other email account, of course the reset requests went to my email.
Microsoft really suck too because I cannot get on my email account from a browser since when I put my phone number in it says, try again later. I am already logged in through the app though.
So many reset password requests suggests something is going on, possibly your phone but maybe more likely just one of your online account passwords leaked; there were a couple of big ones recently, check haveibeenpwned. Or is it just that you reset your phone?
Yeah, I always need to change my browser to old IE to log in to MS cause of my settings/addons
Well I got myself an iPhone SE for now, heard that they are sandboxed as long as they are not jailbroken.. however I removed the native Mail app since that has a vulnerability now which is quite famous.
I know iPhone is a bit of a swear word around here, but it is the best option until re-installing the OS on the Xiaomi Mi 8 Pro.
Hopefully there is a way to set the Mi 8 into recovery without using third party tools; the XZ1 had a feature to re-install Android but that was pretty rare. It is a shame the storage space is so awful on it or I wouldn't have wanted to change phone.

Prevent hack

I keep being hacked by my genius software engineering malignant narcissist. I've bought over 15 different phones from different carriers and used fake registration info. However, they get hacked in 30 mins. I know the fontserver app was remotely downloaded Over the Air because of other apps that are installed to help that process. For ex: GNSS Air Test, Gnss Test 1.2, fused location, gnss log level setting, LAOP test. V1.93, entitlement checkservice, FOTA update, secure ui service, teeservice, dynamic system update, hidden menu, hidden operator, G-DEC, GCUV, etc... mobile service apps to install the spyware. From my understanding, all that is needed is a phone number to where the app is downloaded OTA. Here's the kicker... With every new phone I don't even set up a Google acct or call anyone and it gets hacked.
So please anyone share your theories or anything about this. I need to stop this bs. They've gang stalked me, broke in my house numerous times, vandalized, hacked my friends and their families, threatening them with death threats and non stop harassing calls to my cell and house phones.
So I just need some kind of inkling how this can happen. Sincerely yours truly
Sorry to hear this is happening to you. It is also happening to me by my soon to be ex who is already by ex. I keep being told to buy another phone and I don't because I figure the same would happen to me and the new phone will just get hacked as well by whomever she got to do this to me. I created a post today asking for help, but due to the lack of replies to your post I guess I better not hold my breath that anything can be done. Did you find a resolution to stop from being hacked?
Better check yourself...
Burgrio said:
Hacking attacks are on the rise, and it doesn't seem like there is any way to protect yourself from them.
There's plenty you can do. Most devices get compromised because the user did something stupid.
Not always but part of not being stupid is acting as soon as unusual behavior is noticed. Find the cause asap.
Factory reset if you highly suspect being hacked and reset all passwords.
I've been running outdated and unpatched stock Androids for years with no breaches that ever required a factory reset or reflash to purge. It could happen but in practice if you don't do stupid things... it doesn't happen.
Downloading any unvetted files or apks even a jpeg can do it. Do not side load anything unless completely vetted. Lock down install unknown files globally and locally for all apps especially browsers unless you need to sideload. Check those settings at least once a month... and enable them as soon as a sideload is done.
I don't use wifi and keep bt off when not being used. I check my download folder daily for crap I didn't download and for any strange behavior.
All email is kept in the cloud... email and texts are prime perpetrators.
Don't click on anything unknown, delete or close the window. Keep all trashware apps off the device including FB, Twitter, WhatsApp etc.
Scan app permissions, know what's running at startup and why/what's accessing the internet.
Listed System Administrators, who's your daddy?
The list goes on but you get the idea...
♤There's no saving dumb bunnies
