Think my android phone is hacked... now asking for PIN - General Questions and Answers

After buying some bluetooth tracking keyfobs, I installed the app as instructed in the manual. The app was not from the play store but direct from the chinese manufactures. After installing I was asked to grant a bunch of permissions relevant to the functions and I granted all. Shortly after, having paired the app with the keyfobs, the app was not performing as expected and kept going to a page asking for consent to allow unknown sources from the app. Stupidly I granted this. Not long after, my phone locked me out, asking for a PIN. My lockscreen had previously been a pattern lock, and indeed it still is, however after entering the pattern I now get ask for a PIN, which I dont know.
So it appears I've installed malware and stupidly granted it all the permissions it needed to **** me over. Fortunately I was using a firewall and so it may not have been able to phone home (hopefully).
I have USB debugging on and can access the phone via ADB.
What can I do to get pass the PIN request and remove the malware to restore my phone, ideally without losing my data etc?

Since you can access phone via ADB you always can try to pull out your user-data by means of ADB.
Afterwards it's recommended to re-flash phone's Stock ROM to be on the safe side.

You could try deleting the app via adb

Related

[Q] Password protect the device administrators in security settings?

Phone is a Droid Incredible running the latest stable CM7 (7.0.3)
----------------------------
I recently installed seek droid and a few other applications meant to protect my phone in the event of malware download or the phone is stolen. I noticed though that if someone goes in and removes these devices from the admin group that they can just be uninstalled. I realize the lock screen is there to protect the phone but if they do get in they can very easily uninstall the programs I would be depending on to get my phone back.
Now I know someone could just wipe the device using the factory reset in clockwork mod but yeah ... anyway I am looking to see if there is a way to secure the security settings or the device administrators section with a separate password of some sort? Or maybe there is a program that will do it? I tried Seal but it only seems to do app locks and it doesn't require administrator privileges so it can just be uninstalled anyway.
Thanks for any help. I have been looking around for awhile and come up with nothing so I am not expecting much but figured this would be the place to ask.
There are such tracking apps that require root but will be installed into /system and thus even survive a factory reset.
I think you can install any app to /system through a bit tinkering.
Some allow to change the icon and app name to hide its true purpose.
In the end, if the person knows what he is doing, you can't stop him.
Thanks for the advice. I realize if they know what they are doing they can get it off somehow but would be nice to not have an obvious app sitting in the drwaer called 'seek droid' that can then just be easily uninstalled.
Thanks again.

[Q] Android Encryption Problem

I have a phone that I use for corporate purposes so there is a password requirement for each wakescreen.
This is obviously absurd, so I used Xposed module to "nuke" the password. The coorporate app still thinks there's a password and I've never lost my phone, so that's good.
However one shortcoming of this is, if on the off chance I do lose my phone, using Prey, or Android Device manager, I cannot "lock" the phone, because the xposed module takes it out.
I'd like to do the full encryption, still keep the password "nuked", but somehow be able to reactivate the lock, or at the very least shutdown the phone remotely in case I do lose it, when it comes back on the password will be active.
I could perhaps use tasker to accomplish this, but it's a bit tricky.
TlL;dr
Password Lock must think it's on, but not. (so corporate app doesn't boot me out)
Phone must be able to be remotely locked - or turned off.
The Cerberus App, does exactly what is needed, including full wipe, reboot, etc.
https://www.cerberusapp.com/
Full device encryption on mobile devices is useless for several reasons:
https://security.stackexchange.com/...ny-advantages-to-android-full-disk-encryption

HELP ME!! ive been infected with a serious RAT/virus

my phone is infected with a virus that has imbedded itself in my system settings, any anti malware apps used do not detect it. when plugging my phone into my computer (for developer access) it began to install the device driver. once the "device driver" installed it took all administrative use away from me and locked all drives. I do not have ABD access or any computer access at this point. this phone has killed 3 laptops and a desktop. the only way ive been able to partially stop the virus is using a firewall to block it. since my phone is NOT rooted I cannot delete system files containing the virus. I noticed the virus will edit apps and system functions to try and hide itself (Google play services) for example. someone is using a form of remote access to control things and change settings. it is possible that someone (close family or friend) may have gotten their hands on it to install the virus. factory reset does nothing as the virus is stored in system settings. phone cannot be hooked to Pc without severe repercussions. I cannot gain root access through any rooting apps for some reason. only tried to access system settings. I believe the virus may be using KNOX for execution but that is just a theory. Sanding galaxy S6. I HAVE TRIED EVERYTHING. please please help me. -jesse
Pretty hard for an android to get infected by any kind of virus, especially if not rooted.
Maybe it's made specifically to deal and block access from Windows, so maybe try Linux to deal with it?
Defeated01 said:
my phone is infected with a virus that has imbedded itself in my system settings, any anti malware apps used do not detect it. when plugging my phone into my computer (for developer access) it began to install the device driver. once the "device driver" installed it took all administrative use away from me and locked all drives. I do not have ABD access or any computer access at this point. this phone has killed 3 laptops and a desktop. the only way ive been able to partially stop the virus is using a firewall to block it. since my phone is NOT rooted I cannot delete system files containing the virus. I noticed the virus will edit apps and system functions to try and hide itself (Google play services) for example. someone is using a form of remote access to control things and change settings. it is possible that someone (close family or friend) may have gotten their hands on it to install the virus. factory reset does nothing as the virus is stored in system settings. phone cannot be hooked to Pc without severe repercussions. I cannot gain root access through any rooting apps for some reason. only tried to access system settings. I believe the virus may be using KNOX for execution but that is just a theory. Sanding galaxy S6. I HAVE TRIED EVERYTHING. please please help me. -jesse
Click to expand...
Click to collapse
Sounds like a nasty one! Yes "friends" & family could have installed it, physical access makes it easier, but maybe more likely you downloaded a dodgy app (some have been known to wait weeks before acting), or a website tricked you with an overlay to install a malicious file .... or benign app may have downloaded something worse ....
Did all your computers get compromised over your network or did you plug phone in individually to each? Isolate each from each other and try to recover individually, but first check your router & reflash that with new password if required as it's a possible route for reinfection so to usb etc
You may have to reflash stock Samsung ROM (will loose all photos etc) as CLEAN install. But before that look at settings>apps>burger menu>special access and disable any apps that have given themselves special rights eg in "device admin apps". Also look at other special settings and disable any suspicions apps (or most even eg in "apps that can appear on top" if you are still getting issues), repeat for other sections in special access eg install unknown apps, data access etc etc (I don't have an S6 but it should be similar to above on S6 depending on software version)
Also try boot phone into "safe mode" hopefully that will stop malicious app running.
Submit any suspect files to virustotal and/or any virus company for analysis if not identified yet. (logs might given you some clues as to source depending on cache)
Then you should be able to root to fix or just flash latest stock (maybe install Lineage OS if S6 not getting regular security updates anymore)
Delete RAT From Your Device Easily
The appearances of RAT on your phone is really a bad sign for you because it is not only capable to ruin your device badly but also endangers privacy. RAT is also capable to cause various serious damages, so you must opt RAT removal tricks after noticing it's any symptom on your device.

Spyware tracking software on the phone

So my GF has doubt that her phone (Samsung A5) has been tapped by her ex BF who knew her phone pass and did take care of all devices they posses
Assuming that is the case, will the factory reset remove tracking software from her phone of will I have to flash her phone with fresh OS to be sure the software has been removed completely
gesaugen said:
So my GF has doubt that her phone (Samsung A5) has been tapped by her ex BF who knew her phone pass and did take care of all devices they posses
Assuming that is the case, will the factory reset remove tracking software from her phone of will I have to flash her phone with fresh OS to be sure the software has been removed completely
Click to expand...
Click to collapse
If the ex actually did something like that and embedded into the system partition on the device, a factory reset will not remove it.
You would need to flash the device with the firmware to remove it, you may even need to use the "re-partition" option in Odin when you flash the device.
It would also be wise to change the password on her Google account before flashing the device, to be thorough, change the password and maybe even the email/username while you're at it, then go to system settings and remove the account then sign back in with the new email/password, then flash the device, after flashing and booting, sign back in with the new account details.
I would also change passwords and account details for any other apps on the device, such as Facebook, Facebook Messenger, any other email addresses or other email apps and any other types of social media apps or other apps that require an email/username and password. Change any and everything on the device that the ex could have possibly had access to. If she also has other devices or PC's synced with her phone or email, I'd change the details on those other devices/PC's as well. If she has WiFi at home, change its password and maybe even see about changing the IP of her modem/router.
Then, after that, make sure she doesn't click on/open/download anything from anyone that she doesn't know, including multimedia texts/pics, it could be the ex trying to embed something again, opening it will just compromise the device again.
Sent from my LGL84VL using Tapatalk
While what Droidriven is saying is correct first things first. Has the phone been unlocked and/or rooted? If the phone is locked (*Not tampered) then all of that is overkill. Here's a simple test that you can do to see how at risk you are. Start the phone in Bootloader mode and see what it says at the top. It will either say Locked, Locked *Tampered, Unlocked or Unlocked *Tampered. Locked is exactly what it sounds like, the phone is factory locked. Unlocked again means exactly what it says, the phone is factory unlocked. The caveat is the Tampered. So you can unlock a phone and lock it back which will result in the tampered tag/statement. In which case anything could have been done or undone once the phone was unlocked even if it says locked. If the phone simply says Locked, there is no need to panic and simply factory resetting the phone will erase anything that the ex may have done or installed. If the tampered tag/statement appears that's when more detailed steps should be taken, as described by Droidriven. It is always advisable to change passwords after a breakup even if you don't suspect foul play as a precaution. If she fears foul play Google offers 2-Step verification, which I highly recommend anyway, which allows the account holder to use an Authentication app that randomly generates codes to access the account and also prevents anyone from accessing the account without the users phone in their direct possession. Google also offers security screening tools that allows users to see where they are signed in, when the last time that sign in point was accessed, and the ability to sign out of sessions that may still be active. Furthermore Google offers notifications that will text or email a user anytime a sign-in occurs allowing the user full disclosure and control over their account. Although not mentioned, Facebook also offers similar tools and notifications should the concern arise. First thing first however, find out how to log into your Bootloader and verify if the device has ever been tampered with and then work from there.
VidJunky said:
While what Droidriven is saying is correct first things first. Has the phone been unlocked and/or rooted? If the phone is locked (*Not tampered) then all of that is overkill. Here's a simple test that you can do to see how at risk you are. Start the phone in Bootloader mode and see what it says at the top. It will either say Locked, Locked *Tampered, Unlocked or Unlocked *Tampered. Locked is exactly what it sounds like, the phone is factory locked. Unlocked again means exactly what it says, the phone is factory unlocked. The caveat is the Tampered. So you can unlock a phone and lock it back which will result in the tampered tag/statement. In which case anything could have been done or undone once the phone was unlocked even if it says locked. If the phone simply says Locked, there is no need to panic and simply factory resetting the phone will erase anything that the ex may have done or installed. If the tampered tag/statement appears that's when more detailed steps should be taken, as described by Droidriven. It is always advisable to change passwords after a breakup even if you don't suspect foul play as a precaution. If she fears foul play Google offers 2-Step verification, which I highly recommend anyway, which allows the account holder to use an Authentication app that randomly generates codes to access the account and also prevents anyone from accessing the account without the users phone in their direct possession. Google also offers security screening tools that allows users to see where they are signed in, when the last time that sign in point was accessed, and the ability to sign out of sessions that may still be active. Furthermore Google offers notifications that will text or email a user anytime a sign-in occurs allowing the user full disclosure and control over their account. Although not mentioned, Facebook also offers similar tools and notifications should the concern arise. First thing first however, find out how to log into your Bootloader and verify if the device has ever been tampered with and then work from there.
Click to expand...
Click to collapse
As far as I know, Samsung does not have bootloader mode, it uses Download Mode, otherwise known as factory mode or Odin mode. It also does not quite display the information that you described as you described it. Some Samsung devices may or may not display bootloader status as "locked" or "unlocked", I've never seen anything about Samsung devices ever showing anything about *Tampered. I've seen devices show "custom binary" or "official binary" and show system status as "official" or "custom", some show info for secure boot, activation lock, kernel lock or Knox warranty void.
But, none of this necessarily has anything to do with whether something could have been embedded into system. You can push things to system even if the bootloader is locked and without "triggering" anything or being "flagged" by the system.
Plenty of Samsung devices have been rooted without unlocking the bootloader, without tripping Knox or Qfuse and will show binary status as "Custom"(the one thing that does show that the device is rooted/tampered but still doesn't necessarily indicate any malicious code that might have been placed by the ex, just rooting the device and nothing else would give the same result), all locks at default status as "locked"(non-tampered) and system status as "Official".
Given that the ex was the one that took care of and managed all devices that she owned, I would just take the thorough route just to cover the bases just because there are so many points of entry that the ex could have set up among all of the devices/equipment that she has.
Sent from my LGL84VL using Tapatalk
While I'll give you that there may be differing nomenclature for the things I mentioned, I've never heard of anyway to reach the Root of a device without going through the Bootloader and without leaving some evidence. While I cannot find an actual picture of the bootloader screen, in the link below there's a picture of the recovery menu where you can see the second option on the Samsung A5 Reboot into Bootloader. Ultimately it's up to the OP but becoming tech savvy enough to root a device is not for everyone. If the device shows no signs of being rooted, to learn how to root a device just in case seems less than worthwhile. OP you could also try one of the root detectors on the Play Store.
https://www.teamandroid.com/2017/01/28/enter-recovery-mode-samsung-galaxy-a5-2017/
VidJunky said:
While I'll give you that there may be differing nomenclature for the things I mentioned, I've never heard of anyway to reach the Root of a device without going through the Bootloader and without leaving some evidence. While I cannot find an actual picture of the bootloader screen, in the link below there's a picture of the recovery menu where you can see the second option on the Samsung A5 Reboot into Bootloader. Ultimately it's up to the OP but becoming tech savvy enough to root a device is not for everyone. If the device shows no signs of being rooted, to learn how to root a device just in case seems less than worthwhile. OP you could also try one of the root detectors on the Play Store.
https://www.teamandroid.com/2017/01/28/enter-recovery-mode-samsung-galaxy-a5-2017/
Click to expand...
Click to collapse
This tells me that you aren't familiar with Samsung devices because plenty of Samsung devices have been rooted without unlocking bootloader, I couldn't even begin to count them all. Unlocking bootloader is really only necessary if flashing a custom recovery or custom ROM. Not all Samsung devices are rooted by flashing a custom recovery to gain root. Most of the Samsung devices sold in the US have locked bootloader that cannot be unlocked by any means whatsoever, yet these devices can be rooted. Obviously, they have been rooted without unlocking the bootloader.
Yes, it may have the "reboot bootloader" option in recovery, if selected, that will boot you into download mode/Odin Mode. Typically, what you are describing with bootloader mode applies to devices that use fastboot, Samsung does not use fastboot, it isn't compatible with fastboot, adb works with Samsung but fastboot does not work with Samsung in any way, shape, form or fashion.
And it is possible to root a Samsung device, then install something in system and then remove root immediately after(which means that root checker will not see anything) and it won't show anything in Odin mode, won't trip Knox or Qfuse and still show Official in Odin mode. If it is rooted, then an app is pushed to system then root is immediately removed and this was all done without rebooting the device in the process, then the bootloader, Knox, Qfuse and all that never even detects that root was ever there because it was removed, which means it never gets loaded at boot for the bootloader and other security coding to see that root was there. Some can be rooted and then flash TWRP using Loki without unlocking the bootloader, which "shouldn't" be possible with a locked bootloader, yet, it is done.
I'm just saying, it isn't always as detectable as you imply.
Sent from my LGL84VL using Tapatalk

Forgot phone password

Friend got into a fight with his brother. His brother was able to break into his phone.
Friend changed the password on the device last week, and because of his school, he doesn't take the phone with him.
He opened the phone today, and can't remember the password.
It is a Moto G7 Power, running Android 9
It has GenTech installed on the phone.
I do not know any specifics beyond that, as the settings are hidden behind a lock screen.
When I logged into the Google account, it looks like the account hasn't been backing up photos, contacts, etc since the GenTech was put on. iDrive also hasn't been backing anything up.
Are there any tools that can remove the lock screen? Preferably free, but I wouldn't mind paying a small amount. And NOT wipe the device.
Before coming here, I saw Eelphone, but it looked super shady.
Searching through XDA's forums, I saw Dr.Fone as an application as well.
Are these the best options? I mean, I troubleshoot devices for clients all the time, and thankfully haven't had to recover their devices like this, and I know that it has changed a lot since the beginnings of Android, but I need something in the toolbox for sure.
Any help is appreciated, thank you!
Edit: I thought I might try Dr.Fone on my Motorola device. Uh, not the right application that I need! I want the data preserved, not wiped. If I wanted the phone wiped, I'd have done it from the bootloader.
(Or do they make a copy of the device, wipe the phone, and reload everything minus the lock screen?)
(Or is Dr.Fone a malicious program masquerading as legitimate?)
DaNissNYC said:
Friend got into a fight with his brother. His brother was able to break into his phone.
Friend changed the password on the device last week, and because of his school, he doesn't take the phone with him.
He opened the phone today, and can't remember the password.
It is a Moto G7 Power, running Android 9
It has GenTech installed on the phone.
I do not know any specifics beyond that, as the settings are hidden behind a lock screen.
When I logged into the Google account, it looks like the account hasn't been backing up photos, contacts, etc since the GenTech was put on. iDrive also hasn't been backing anything up.
Are there any tools that can remove the lock screen? Preferably free, but I wouldn't mind paying a small amount. And NOT wipe the device.
Before coming here, I saw Eelphone, but it looked super shady.
Searching through XDA's forums, I saw Dr.Fone as an application as well.
Are these the best options? I mean, I troubleshoot devices for clients all the time, and thankfully haven't had to recover their devices like this, and I know that it has changed a lot since the beginnings of Android, but I need something in the toolbox for sure.
Any help is appreciated, thank you!
Edit: I thought I might try Dr.Fone on my Motorola device. Uh, not the right application that I need! I want the data preserved, not wiped. If I wanted the phone wiped, I'd have done it from the bootloader.
(Or do they make a copy of the device, wipe the phone, and reload everything minus the lock screen?)
(Or is Dr.Fone a malicious program masquerading as legitimate?)
Click to expand...
Click to collapse
Is the device rooted?
Does the device have USB debugging enabled in system settings?
If the answers to these questions are no, then all you can do is factory reset. After resetting, it will probably be FRP locked(Factory Reset Protection), which means you still need to remember the google account username and password to get logged into the device, but, the lockscreen pin/password will be removed. You'll lose the user's data in the process. At this point, if it isn't rooted or does not have USB debugging enabled, there aren't really any options to save their user data before resetting the device.
Sent from my SM-S767VL using Tapatalk
The phone is not rooted, unless the GenTech software gained the root access. (I am too new to post a direct link, but it is a monitoring program - I don't know how common it is outside of my community)
If I recall correctly, I did get access to developer options, but that was back in July - I'm not sure if I have developer options enabled at this time.
The paid softwares can't crack it? That really is too bad.

Categories

Resources