Diagnosis of a (probably) compromised Pixel XL 2 Android 10, 1/2020 - General Questions and Answers

TLDR:
- Pixel XL 2 unrooted, Android 10 security patch 1/2020 probably compromised
- Where can I find the recent calls aside from the Phone app's history?
- Any other recommendation to identify the malware app?
Hello everyone.
Yesterday I was playing "Dropdom - Jewel Blast" and the Phone app splashed up for a second and then it went back to the game. It was really fast, but the game forces an ad every time it gets focus again, so I'm sure that the game lost focus and then regained it.
I immediately opened the Phone app and saw a "tell why you called" link, but didn't follow it (I know I should have, but I thought I would find the phone number somewhere else). Looking at the call history, I don't see that entry.
Is there another place where I could find which number was dialed? I would like to search for that number in security reports to identify which app compromised my phone (if so).
I don't use out-of-the-store apps (except DNS66, but I trust it), nor do I browse shady sites.
It looks like malware served by advertising, but I would like to learn more about it. I'm afraid that reinstalling the OS and the same apps will lead me to the same security issue.
After this single incident, I installed and ran Avast antivirus, but it found nothing.
Thanks in advance, everyone; any other forensic/wiping recommendation is welcome.
Luigi
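One place the dialed number can be read independently of the Phone app's history view is the call-log content provider, which adb can query directly. The script below is an added example, not from the thread: it parses rows captured with the `adb shell content query` command shown in its docstring and flags outgoing calls that were dropped almost immediately, which is the pattern a dialer briefly brought to the foreground and dismissed would leave. It assumes USB debugging is enabled and that the shell user may read the provider; the sample rows are constructed.

```python
"""Parse Android call-log rows exported over adb and flag calls worth a closer look.

Added example, not from the original thread. It assumes the rows were
captured with the Android `content` shell tool, e.g.

    adb shell content query --uri content://call_log/calls \
        --projection _id:number:date:type:duration --sort "date DESC"

which prints one "Row: N key=value, key=value, ..." line per call.
The sample rows below are constructed for illustration.
"""
import re
from datetime import datetime, timezone

# CallLog.Calls.TYPE values (android.provider.CallLog)
CALL_TYPES = {1: "incoming", 2: "outgoing", 3: "missed", 4: "voicemail",
              5: "rejected", 6: "blocked", 7: "answered_externally"}

# Constructed sample output: an outgoing call hung up at once (the kind of
# entry the question is about), surrounded by ordinary traffic.
SAMPLE_ROWS = """\
Row: 0 _id=44, number=+15550001234, date=1579351200000, type=1, duration=312
Row: 1 _id=45, number=+441234567890, date=1579438800000, type=2, duration=0
Row: 2 _id=46, number=+15550009876, date=1579442400000, type=3, duration=0
"""

ROW_RE = re.compile(r"^Row: (\d+) (.*)$")


def parse_rows(text):
    """Turn `content query` output into a list of dicts with typed fields."""
    calls = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # skip blank lines and anything that is not a row
        fields = {}
        for pair in m.group(2).split(", "):
            key, _, value = pair.partition("=")
            fields[key] = value
        ts_ms = int(fields.get("date", "0"))
        calls.append({
            "id": int(fields.get("_id", "-1")),
            "number": fields.get("number", ""),
            "when": datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc),
            "type": CALL_TYPES.get(int(fields.get("type", "0")), "unknown"),
            "duration_s": int(fields.get("duration", "0")),
        })
    return calls


def suspicious_outgoing(calls, max_duration_s=5):
    """Outgoing calls that lasted at most max_duration_s seconds.

    Each hit gives a timestamp to line up against which app was in the
    foreground at that moment (for example in `adb shell dumpsys usagestats`)
    and a number to look up in public spam/scam reports.
    """
    return [c for c in calls
            if c["type"] == "outgoing" and c["duration_s"] <= max_duration_s]


if __name__ == "__main__":
    for c in suspicious_outgoing(parse_rows(SAMPLE_ROWS)):
        print(f"{c['when']:%Y-%m-%d %H:%M:%S} UTC  {c['number']}  "
              f"{c['type']} {c['duration_s']}s")
```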

Related

[Q] Lost/Stolen Phone - track after the fact?

I did some searching and didn't find anything; this may not be possible since it's a security risk, but...
Now that installing apps remotely is available through the web browser Android Market, are there any phone tracking apps that automatically work with default information?
So I remotely install it from the app market web page and then track it instantly without having to set anything up on the phone itself. Any ideas?
Try this one: market.android.com/details?id=com.lookout.labs.planb
I do not have the OP's problem yet... but I downloaded it and gave it a try.
Amazing app, it even turned my GPS on automatically and located the very exact position of my phone. (HTC Desire)
Well, all good Android antivirus software comes with this feature,
like Plan B, available only from the Market website.
Some can even sound loud alarms!
Try AVG and Lookout.
Both are nice.
Great app.
Although I tested it first on my phone, which is not lost, and it did not work, but then I tried it on the lost G2 and it worked well.
That's one thing Apple will always lack: an environment where developers can create applications quickly when an opportunity arises, such as the Android web app market.

File Manager Bloatware Removal

Has anybody deleted some of the bloatware apps, more specifically the stock File Manager?
com.jrdcom.filemanager
/data/app/com.jrdcom.filemanager-2/base.apk
Wondering if anybody tried and had any ramifications from it.
This thing just all of a sudden activated itself and runs in memory, and there is no Disable for it. I could install an app to freeze it, but that defeats the purpose.
Moscow Desire said:
Has anybody deleted some of the bloatware apps, more specifically the stock File Manager?
com.jrdcom.filemanager
/data/app/com.jrdcom.filemanager-2/base.apk
Wondering if anybody tried and had any ramifications from it.
This thing just all of a sudden activated itself and runs in memory, and there is no Disable for it. I could install an app to freeze it, but that defeats the purpose.
I'm running Lineage on mine and it doesn't even have it on there.
I would freeze it. Make sure your downloads and such still work OK.
Give it a few days; if all is good, then remove it.
TheMadScientist said:
I'm running Lineage on mine and it doesn't even have it on there.
I would freeze it. Make sure your downloads and such still work OK.
Give it a few days; if all is good, then remove it.
Thanks, I deleted the culprit. No issues so far.
LOL... after 3 or 4 days the lovely File Manager app magically installed itself. Looks like a more in-depth investigation is forthcoming.
Obviously there is another app that re-installs it.
Stinkin' thing.
I switched over to the Xperia ROM on the Idol 3 and it got rid of a load of crap; a bunch of Xposed is working.
I just don't care for the stock ROM on this thing at all; even debloated it runs like crap.
I've had this device now for over a week and can't find any sort of setup I like; I am used to LG's UI.
Even tried to get the TouchWiz UI and Grace to run, but no go.
Did you remove the system update apps too, by chance?
TheMadScientist said:
Stinkin' thing.
I switched over to the Xperia ROM on the Idol 3 and it got rid of a load of crap; a bunch of Xposed is working.
I just don't care for the stock ROM on this thing at all; even debloated it runs like crap.
I've had this device now for over a week and can't find any sort of setup I like; I am used to LG's UI.
Even tried to get the TouchWiz UI and Grace to run, but no go.
Did you remove the system update apps too, by chance?
Haven't really had a chance to look deep into it yet. I've disabled auto updates, so I'm pretty sure it's not getting it from the netz.
Funny thing, I tried running a 100 MB system update and it failed to completely install. Haven't thought about it much since then, but I suspect it was in that update somewhere, as I had never seen nor had an issue with it before.
Will strip down that update and see when I get a chance.
It comes pre-installed as the 'Files' app, auto-updates to "File Manager" and then runs this 'Boost' branded adware. I call it adware because it does not adhere to the Android force stop, disable peeking or any other Android OS settings, and automatically regenerates itself despite the OS not allowing auto updates.
Android should never allow provider apps to have a higher privilege that renders the OS setting useless; bundled apps should also not disable the uninstall and disable functionality of the OS.
I have spent weeks in settings to find out it is allowed to act like a virus and do whatever it wants, being rewarded with ad revenue.
Thanks, Google, for allowing me to purchase hardware pre-loaded with junk ads by default with no way of opting out; it's not only a privacy and security concern, it's a consumer complaint.
adware/spyware
Not happy said:
It comes pre-installed as the 'Files' app, auto-updates to "File Manager" and then runs this 'Boost' branded adware. I call it adware because it does not adhere to the Android force stop, disable peeking or any other Android OS settings, and automatically regenerates itself despite the OS not allowing auto updates.
Android should never allow provider apps to have a higher privilege that renders the OS setting useless; bundled apps should also not disable the uninstall and disable functionality of the OS.
I have spent weeks in settings to find out it is allowed to act like a virus and do whatever it wants, being rewarded with ad revenue.
Thanks, Google, for allowing me to purchase hardware pre-loaded with junk ads by default with no way of opting out; it's not only a privacy and security concern, it's a consumer complaint.
Yes, this lovely new addition to the file manager is actually the "Hawk Super Cleaner/antivirus" seen here: https://play.google.com/store/apps/details?id=com.apps.go.clean.boost.master&hl=en
You can see my complaint(s) here: https://forum.xda-developers.com/idol-3/help/joy-launcher-joy-t3628670
I just installed TWRP and SuperSU on the stock Marshmallow following this guide: https://forum.xda-developers.com/idol-3/general/twrp-custom-recovery-idol3-6045-t3162608 and will be removing this cancer for good!
Cheers, I might have a look at rooting (a pain, seeing I bought 4 of these for myself and fam). I have reported the app in the Play Store for being installed with root permissions, bypassing the expected Android user settings, and will be following up with a complaint to the consumer watchdog.
I never bought hardware with the knowledge that an innocent bloatware provider app would turn rogue with root permissions for ad revenue.
My phone will most likely be thrown at the wall so "File Manager" doesn't get another 1000 or so false-positive downloads in the Play Store from me.
Had 3 myself.
Not happy said:
Cheers, I might have a look at rooting (a pain, seeing I bought 4 of these for myself and fam). I have reported the app in the Play Store for being installed with root permissions, bypassing the expected Android user settings, and will be following up with a complaint to the consumer watchdog.
I never bought hardware with the knowledge that an innocent bloatware provider app would turn rogue with root permissions for ad revenue.
My phone will most likely be thrown at the wall so "File Manager" doesn't get another 1000 or so false-positive downloads in the Play Store from me.
I hear ya, I bought 3 of these.
I am very careful what I install on my device and read the manifest files on EVERYTHING, so you can imagine how angry I was when my own phone manufacturer pushed unwanted adware/possible-probable spyware onto my device with no warnings or asking my permission.
Another odd thing is that after I uninstalled the Facebook app, I had 2 apps appear (or were they left over?), com.facebook.appmanager.apk and com.facebook.system.apk, that were using up data and could not be removed until tonight after rooting.
Interesting article here: https://forum.xda-developers.com/tmobile-lg-v10/help/suspicious-apps-apps-section-facebook-t3415876
I have been studying computer and mobile security as a hobby for some time and have found that these "antivirus" and "cleaner" apps on Android are the worst privacy offenders of them all.
Scanning all your files, installed apps, contacts etc. and sending all that data back to God knows where!
I have found that almost every single app that I have downloaded from the Play Store has some form of data mining and/or analytics.
Unfortunately, it's a catch-22 in Android: rooting your device breaks what little security is built into the system, but it's the only way to remove pre-installed crapware.
Also, good luck trying to get anything done with Google or Alcatel.
I battled with Google for almost 8 months straight trying to stop an unscrupulous advertiser that was using FAKE virus warnings to trick users into installing an "antivirus" app on the Play Store, and just got sent around in circles.
Google is complicit!
I was finally successful in stopping the fraudulent activity after I contacted the Federal Trade Commission.
http://smisecurity.altervista.org/DFNDR.html
Data mining is a given these days, which is why I have Pi-hole for my home DNS and Ubuntu for my home box; gotta do what you can. As for this phone, I wouldn't do much on it unless I re-flash it, which is why I am angry with it.
As for Android taking the normal software stance of doing nothing unless legally required, this time is interesting to me because they are effectively allowing the bypassing of the Play Store agree feature to install an app; being side-loaded from Alcatel like this, one would think it breaks the Play Store terms, so knowledge should be enough for action in this case from the Android or Play Store devs. Doubt it, but.
Also, upon sale they did not mention Android as being adapted software that overrides expected Android and Play Store behaviour, but did advertise Android and use their logo, so most likely a trademark violation also.
The problem is Alcatel are adapting Android and side-loading apps to bypass security and privacy user settings to double dip on the customer for income despite the final result; Android and the Play Store can bury their heads in the sand all they want, but they have been made aware of the risks.
Went over it again for peace of mind (sorry), but I wish you the best in your education, as we need more people shining the light on privacy, simply because we are in the rise of the machines; not long before people worldwide ask what happened to all the jobs and when the need for conventional ID actually disappeared.
Not happy said:
The problem is Alcatel are adapting Android and side-loading apps to bypass security and privacy user settings to double dip on the customer for income despite the final result; Android and the Play Store can bury their heads in the sand all they want, but they have been made aware of the risks.
Very well said!
The supervisor I spoke to at Alcatel tried to say that I/we agreed to the terms by using their devices, which allowed them to push this onto our phones, but I disagreed with him.
At one point I even thought of ditching my phone and getting an iPhone, or an Android device that is compatible with the Replicant OS https://www.replicant.us/
I have a few Raspberry Pis lying around but never used one as an access point. (I'm assuming that's what you're doing?)
I just sent a very nasty email to the developer "[email protected]" and referenced this thread.
Keep us updated if you get anywhere and I will be fighting this from my end and posting any updates as well.
Will do; I don't plan on not continuing with this one, because my hardware and Android do not operate as advertised.
The day I can rely on Linux for a phone OS is the day Android gets ditched, but I will definitely check out your link also.
Pi-hole is basically a collection of hosts files that block ads and known bad domains at the DNS level; point the home router to it and bam, the whole household gets an ad blocker by default. Runs smooth, but I added a few commands to auto-upgrade the lists with a cron job.
Not happy said:
Pi-hole is basically a collection of hosts files that block ads and known bad domains at the DNS level; point the home router to it and bam, the whole household gets an ad blocker by default. Runs smooth, but I added a few commands to auto-upgrade the lists with a cron job.
Very cool!
I'll have to check that out.
I altered the hosts file on both my laptop and my other rooted phone to block ads and apps I used to have.
This is a small sample of IPs I blocked in the hosts file after running NETSTAT scans; there are a TON more that I added from MVPS hosts (it is against MVPS's EULA to post their blocked IPs):
http://winhelp2002.mvps.org/hosts.htm
127.0.0.1 localhost
127.0.0.1 search.vip.gq1.yahoo.com
127.0.0.1 a96-6-122-162.deploy.akamaitechnologies.com
127.0.0.1 a-0001.a-msedge.net
127.0.0.1 yahoo.com
127.0.0.1 rtr3.l7.search.vip.gq1.yahoo.com
127.0.0.1 c.amazon-adsystem.com
127.0.0.1 yandex.st
127.0.0.1 mc.yandex.ru
127.0.0.1 c1.popads.net
127.0.0.1 google-analytics.com
# hosts entries match hostnames only: lines such as "c1.popads.net/pop.js" or
# "google-analytics.com/analytics.js" never match anything; the bare hostname
# entries above already cover those scripts
::1 localhost #[IPv6]
Wow! That Pi-hole block list on GitHub is a LOT larger than the one I was using!
Hi guys, and thanks again for the thread. Anyone found a solution? This app is wasting 20 percent of my battery, which does not last me a whole day anymore; it's outrageous. I also sent a report to Google and the app developers.
Cheers
Guys, I found someone with a solution, just see this post: https://forum.xda-developers.com/showpost.php?p=73642381&postcount=4
Cheers
That is not much of a solution, unfortunately. The REAL solution is to install TWRP recovery on the adware/spyware-infested Alcatel phone and flash a different operating system. There is an (unofficial) ROM of Lineage 14 Nougat that is pretty decent that can be found on the XDA site.
sloshnmosh said:
That is not much of a solution, unfortunately. The REAL solution is to install TWRP recovery on the adware/spyware-infested Alcatel phone and flash a different operating system. There is an (unofficial) ROM of Lineage 14 Nougat that is pretty decent that can be found on the XDA site.
It solved my problems.
It's easy to solve the problem. Just go to Applications, select File Manager, uninstall updates, and it will revert back to the factory version; no more spam!
I was getting really annoyed by the app that stealthily installed itself and called itself File Manager on my Alcatel POP 4. It constantly wanted to clean, boost, virus-protect, and be a flashlight and camera app with its own toolbar, playing an ad whenever you asked for any of those actions to be performed. The beauty of it was that it could not be disabled or uninstalled. I was desperately looking for a way to get rid of it without drastic measures, like a full factory reset or rooting my device. I found a suggestion on the net to install AppMgrIII from the Play Store. I did it, as I was determined to try anything at that point. It offered to replace the app with a "factory version". I accepted that and, sure enough, a normal-looking File Manager with no ads or toolbars appeared, all the rockets, boosts, virus protection and cleaning brushes gone! I hope it won't reinstall itself magically. In a perfect world I would prefer to have no file manager on my machine at all and a choice of installing one that I prefer, but at least the nightmare of this intrusive monster seems to be over. I hope it stays that way.
Update: reverting back to the factory version stopped the spam, but it all came back with the next update. Now I have reverted it again and stopped automatic updates on Google Play for all apps. I will pick apps to be updated manually.

[Nougat] What is "zdemo" app? Could it be malware?

Hi Everyone,
Long time no see, but I'm back with a quick question: I've noticed an unknown (to me) application on my Leagoo T5c running Android 7.0 called "zdemo".
It doesn't appear in my app drawer (I use a launcher called Rootless Pixel that I like a lot, because it's extremely light and easy on the eye), only in the application list in Settings, and I've uninstalled it, but I suspect it could have been malware, because all of a sudden I've started to get unwanted popups in a few applications, Blue Mail among them, so I suspect it could come back.
Do any of you know of this app? I Googled it and got nowhere.
It happens to me too. I have another one named Media Provider or something like that; it has a fake Android logo and it can be uninstalled.
Yeah, I managed to uninstall it... twice, which means it's coming back at more or less regular intervals. I suspect it's malware, but MalwareBytes didn't find anything wrong on my phone, so I'm a bit stumped.
I suspect that malware was bundled with Rootless Pixel Launcher, because since I've uninstalled it, they're gone and haven't returned...
Zdemo appears in conjunction with System Input Method. I think the former is a trojan and the latter adware. I keep stopping and uninstalling the apps just to have them return. I think the Gallery app is the culprit but haven't figured out how to clean it yet because it's a system file.
Hi Donna,
Do you own a Leagoo phone too? I've had issues with rotten ROM from that brand before, but I thought that was a thing of the past.
If the Gallery app is indeed the culprit, then there must be a bad picture or video in it that you imported, maybe a cover from a music album you downloaded?
I for one know that all the music on my phone doesn't come from CDs I ripped...
The funny thing is, before I installed those two launchers I mentioned, I had no issues whatsoever. The Rootless Pixel Launcher dev contacted me via the Play Store and defended himself against injecting any bad code into his launcher, and says that CPL Launcher is based on his own Rootless Pixel Launcher, so it could be that the repository where the APK is stored has been compromised and the malware is added to the files before it's made available on the Google Play Store, but I can't be sure.
For reasons unknown, my first reply got lost somewhere, and I don't feel like rewriting it word for word. Do you have a Leagoo phone too? If so, which ROM do you have installed on it (mine was released in March 2018)?
I suspect those two pieces of malware come bundled with the launchers I mentioned, but the dev for Rootless Pixel Launcher assured me his code is clean, and I tend to believe him. I think the repo where his code is stored could have been hacked, but I have no way to prove it, of course.
EDIT: my first reply finally made it to the thread. Sorry for the double post...
UPDATE: I finally did a factory reset, reinstalled all my apps (minus a couple I never used anyway) from the Play Store, put my music back on the device (not my pictures though, because I want to sieve through them first), installed Rootless Pixel Launcher again, and so far, so good, no malware in the applications list.
I'll give it a day or two, just to be on the safe side, then I'll modify my incendiary comment on the Play Store about Rootless Pixel Launcher...
Somebody created this code to bug people; he probably had nothing to do and uses your IP to track you and install his popup window.
If I disconnect my Wi-Fi and use my phone without an internet connection, zdemo and System Input Method don't come back. I should try on another Wi-Fi or in another country. Wonder if it could be tracked; it might be interesting to see where it leads. Could it be stashed on the Google Play Store? It seems curious that there is little info on the web about this problem, as if somebody in a key position really f...-up.
Yeah, I too find it hard to believe that those two malware aren't better documented on the Web. However, if you scan your device with MalwareBytes and look up the entire name of both, you find ***partial*** references, stating that they aren't "real" malware, just PUPs, which I find intriguing too.
On my phone, I've noted unwanted popups that were hard to close when they were installed, but nothing untoward once I got rid of them, so they're definitely adware, either separately, or working jointly, I don't know.

Looking for way to protect against theft.

Hi all, I work at a group home and one of the clients recently purchased an Amazon Fire tablet to Facebook chat with his dad.
My issue is that, thanks to the crappiness of humanity, I know that there's a strong potential for the tablet to grow legs.
Without getting into details, the client cannot have the tablet always in their possession, we can't conveniently lock it down anywhere, and ideally whoever is supporting him needs to have access to the tablet whenever possible.
I'm wondering if there is an app, or even better, a device, which can cause the tablet to alert my manager the moment the device leaves the property? Ideally something not easily accessed or removed.
I know getting a tablet just for Facebook chat is overkill; I wasn't the one who purchased it for the client, I'm just trying to make do with what is available.
theseventensplit said:
Hi all, I work at a group home and one of the clients recently purchased an Amazon Fire tablet to Facebook chat with his dad.
My issue is that, thanks to the crappiness of humanity, I know that there's a strong potential for the tablet to grow legs.
Without getting into details, the client cannot have the tablet always in their possession, we can't conveniently lock it down anywhere, and ideally whoever is supporting him needs to have access to the tablet whenever possible.
I'm wondering if there is an app, or even better, a device, which can cause the tablet to alert my manager the moment the device leaves the property? Ideally something not easily accessed or removed.
I know getting a tablet just for Facebook chat is overkill; I wasn't the one who purchased it for the client, I'm just trying to make do with what is available.
It's an Android right?
I had a look at the Amazon store for anti-theft apps, but there were none that I recognised from sources I trust (not that I have researched them, but maybe you can find a reliable review). You have to be certain it's from a trusted source, as these types of apps require special permissions, e.g. device admin, in order to do their job, and could be abused by a malicious app.
I would recommend Cerberus Anti Theft; I used them for years and they have a good reputation, even though Google removed the app from the Play Store. This is because they had to link the Google app to additional downloads in order to maintain the functionality of the app that made it the best, after Google changed what permissions could be granted to apps downloaded from the Google store.
You can download it for Android devices from their website:
https://www.cerberusapp.com/
However, there is a potential problem with all anti-theft apps, i.e. turning off Wi-Fi/data means you can't communicate with it (but Cerberus could be activated via SMS); also, a factory reset will remove them, so if a knowledgeable person steals a phone/tablet they can remove the anti-theft app, so possibly you would have limited time to activate it. Which is why I used to root and install it as a system app, which meant only reinstalling the full factory Android operating system would remove it.
There should be the basic "Find My Device" built into Android (I'm not familiar with Amazon variants), but it's not very powerful.
I'll look into it, thanks. It does have tracking, but unfortunately that wouldn't alert in time to be able to accurately determine who took it.
If Cerberus can do SMS, then my manager might be able to get an immediate notification if it walks away, once it disconnects from Wi-Fi.
What I don't get is why there isn't a hardware-based solution, something that you have connected to your Wi-Fi that alerts you if devices connected to that Wi-Fi signal get disconnected. Or even simpler, Bluetooth-based.
The problem is that tablets don't all have data, and if turned off they lose the anti-theft features. So there needs to be something outside of the device itself that can alert the owner. Maybe it's just too specific a problem, unfortunately.
theseventensplit said:
What I don't get is why there isn't a hardware-based solution, something that you have connected to your Wi-Fi that alerts you if devices connected to that Wi-Fi signal get disconnected. Or even simpler, Bluetooth-based.
The problem is that tablets don't all have data, and if turned off they lose the anti-theft features. So there needs to be something outside of the device itself that can alert the owner. Maybe it's just too specific a problem, unfortunately.
PS. You could use the Tasker app (or another automation app) on your phone to set up an alert when the tablet loses connection, if you use your phone as a hotspot, I think.
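The "something outside the device" asked for above can be built without any app on the tablet at all: a box that stays on the same LAN probes the tablet's address and alerts after several consecutive misses, so it does not depend on the tablet's own anti-theft software surviving a factory reset or a power-off. This is an added example, not from the thread; the tablet's IP address, probe interval and thresholds are assumptions (a DHCP reservation keeps the address stable), and the `ping` flags are the Linux ones.

```python
"""Alert when a Wi-Fi device stops answering on the local network.

Added example, not from the original thread. An always-on box on the same
LAN (a Raspberry Pi, the supporter's laptop) pings the tablet and raises an
alert after several consecutive misses. The IP address, interval and
thresholds are assumptions; give the tablet a DHCP reservation first.
"""
import subprocess
import time
from dataclasses import dataclass, field


@dataclass
class PresenceMonitor:
    """Debounced present/absent state machine for one device."""
    miss_threshold: int = 3       # consecutive failed probes before 'left'
    hit_threshold: int = 2        # consecutive good probes before 'back'
    present: bool = True          # assume the device is home at start-up
    _misses: int = field(default=0, init=False, repr=False)
    _hits: int = field(default=0, init=False, repr=False)

    def update(self, reachable):
        """Feed one probe result; return 'left', 'back' or None."""
        if reachable:
            self._misses = 0
            self._hits += 1
            if not self.present and self._hits >= self.hit_threshold:
                self.present = True
                return "back"
        else:
            self._hits = 0
            self._misses += 1
            if self.present and self._misses >= self.miss_threshold:
                self.present = False
                return "left"
        return None


def replay(monitor, results):
    """Run a sequence of probe results and collect the events raised."""
    return [e for e in (monitor.update(r) for r in results) if e]


def probe(ip, timeout_s=1):
    """One ICMP echo via the system ping (Linux flags); True if answered."""
    cmd = ["ping", "-c", "1", "-W", str(timeout_s), ip]
    return subprocess.run(cmd, stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL).returncode == 0


def notify(message):
    """Placeholder for the real channel (SMS gateway, push, e-mail)."""
    print(time.strftime("%Y-%m-%d %H:%M:%S"), message)


def watch(ip, interval_s=10):
    """Poll forever; the address and interval are hypothetical."""
    mon = PresenceMonitor()
    while True:
        event = mon.update(probe(ip))
        if event == "left":
            notify(f"tablet {ip} stopped answering - check who has it")
        elif event == "back":
            notify(f"tablet {ip} is back on the network")
        time.sleep(interval_s)


if __name__ == "__main__":
    watch("192.168.1.50")  # assumed reserved address for the tablet
```

Sleeping devices drop the odd ping, so tune the thresholds against a few hours of normal use before trusting the alerts.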
