I've set up a couple of Hermes handsets this past week, one on Cingular (US) and one on Vodafone (UK).
Our Exchange server is hosted in the UK.
I have a problem whereby the password you are forced to set when setting up the push/sync is prompting the user for entry almost every 5 minutes (i.e. whenever the phone requires interaction after 'power save mode').
Entering the password 'settings' screen is no use as the option to change the 5 minute period is greyed out.
Is there a fix to this? Is this handset related or server related?
Surely I'm not alone with this problem?
Hermes (WM5) (1x Cingular US, 1x Vodafone UK)
This is server related. Technically you do not need a fix, because everything is working as intended. What's happening is the Exchange admin is enforcing a security certificate on your phone, the idea being that if you lose your phone, strangers cannot access your data. Furthermore, they can trigger a remote wipe of your device after a set number of failed password attempts. This is pretty much standard in any corporation, as they don't want outsiders getting access to their information. That being said, there are ways to get around it. Just bear in mind that if you lose your phone, whoever picks it up will have full access to it and all the information it contains. If you're willing to accept the potential implications, then it's very simple. Google "zenyee.com stay unlock" and read through that thread on Mobility Today. There's a cab on the second page you need to install that will "un-grey" that box so you can set it to something more reasonable, like 24 hours.
Excellent, thanks for the info!
Is there any way the server can be changed to avoid having to install this Zenyee.com Stay Unlock.zip on each unit?
Yes, the Exchange server administrator can change the certificate requirements (password requirements as well as the idle time requirement).
I am the admin; any idea where this option is?
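Where this setting lives on the Exchange side, as an added note that is not part of the thread: the 5-minute lock the handsets enforce is the MaxInactivityTimeDeviceLock value of the Exchange ActiveSync mailbox policy assigned to the user, and it sits next to the password-required and wipe-after-N-failures settings described above. The example below is written for the Exchange Management Shell of Exchange 2007/2010; the policy name "Hermes-Relaxed" and the mailbox "vini" are placeholders. On Exchange 2003 SP2 there are no cmdlets and the same settings are in Exchange System Manager under Global Settings > Mobile Services > Properties > Device Security; on Exchange 2013 and later the cmdlets are Get/Set/New-MobileDeviceMailboxPolicy and the parameter names drop the word "Device" (MaxInactivityTimeLock, PasswordEnabled, MaxPasswordFailedAttempts).

```powershell
# Added example, not from the thread. Exchange Management Shell, Exchange 2007/2010.
# "vini" and "Hermes-Relaxed" are placeholder names.

# 1. Find out which policy the affected mailbox actually receives. The policy is
#    applied per mailbox through the CAS mailbox settings, not per device.
Get-CASMailbox -Identity "vini" |
    Format-List Name, ActiveSyncEnabled, ActiveSyncMailboxPolicy

# 2. Inspect the device-security values on that policy. A 5-minute lock appears
#    here as MaxInactivityTimeDeviceLock : 00:05:00.
Get-ActiveSyncMailboxPolicy |
    Format-List Name, IsDefaultPolicy, DevicePasswordEnabled,
                AlphanumericDevicePasswordRequired, MinDevicePasswordLength,
                MaxInactivityTimeDeviceLock, MaxDevicePasswordFailedAttempts,
                AllowNonProvisionableDevices

# 3. Instead of relaxing the default policy for every mailbox, create a second
#    policy with a longer idle window, keep the password requirement and the
#    failed-attempt wipe threshold, and assign only the affected mailboxes to it.
New-ActiveSyncMailboxPolicy -Name "Hermes-Relaxed" `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $false `
    -MinDevicePasswordLength 4 `
    -MaxInactivityTimeDeviceLock 00:15:00 `
    -MaxDevicePasswordFailedAttempts 8 `
    -AllowNonProvisionableDevices $false

Set-CASMailbox -Identity "vini" -ActiveSyncMailboxPolicy "Hermes-Relaxed"

# 4. Confirm the assignment; the handset re-provisions on its next sync and the
#    lock timer then follows the new MaxInactivityTimeDeviceLock value.
Get-CASMailbox -Identity "vini" | Format-List ActiveSyncMailboxPolicy
```

Changing the value server-side, rather than unlocking the field on the handset, keeps the server's view of the policy and the device's behaviour consistent and leaves the remote-wipe threshold in force. Setting MaxInactivityTimeDeviceLock to a very long value or disabling DevicePasswordEnabled weakens the lost-device protection the policy exists for, which is why a separate policy for the affected users is preferable to editing the default.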
I have just received a brand new T-Mobile SM-A326U, Samsung Galaxy A32 5G USA variant, today from the mobile's website. I immediately updated to the newest security and software patch, as I have been having issues with security lately: IMSI catcher, remote code injection, forwarding calls and texts to media servers, MitM, etc.
Right away I used "Samsung My Files" and enabled hidden file access within Samsung My Files. I have always been aware of the need to index thumbs and thumbnail files, databases, etc. in the digital camera media images or DCIM folder. Checking /storage/emulated/0 shows three NEW locations: 3 new folders titled Music, Pictures, and Video. Within each of these three new folders there is a hidden ".nomedia" file and a hidden file titled "database_uuid". Attempting to delete the Music, Video, and Pictures folders from /storage/emulated/0 results in them returning after a reboot, with the same files within them. Performing a factory reset and flashing a new factory ROM and firmware provides the same result: there are those same three folders and those same files. Performing the old trick of creating a dummy file entitled .thumbnails didn't resolve this issue either.
I have not used the camera. I have not done anything but open a factory stock browser utilizing the providers data connection.
This has persisted through 3 new devices: a Samsung Galaxy A71 5G, a Motorola G Power 2021 and now this phone.
Am I being overly paranoid? Is this just a new function of the file system I am unaware of? Is the hidden "database_uuid" supposed to be there? Or have I reason to suspect the worst?
Fixes tried include
>a factory data reset or two, dalvik cache wipe included.
>Calling the provider's tech support line.
>Calling the manufacturer.
>ODIN flash of stock factory ROM and firmware.
These are fixes performed on both the Samsung Galaxy A71 5G and the Motorola G Power 2021. This phone (Samsung Galaxy A32 5G) has a locked bootloader thus far and I haven't tried a flash yet; however, I have tried the aforementioned fixes.
>Creating a dummy file entitled .thumbnails.
>deleting the folders entitled Video, Music, and Picture in storage/emulated/0 followed by a reboot.
What have you done to make yourself paranoid? Those are normal hidden files.
Haha, I can totally see why one would assume I've done something to reach such levels of paranoia, but I assure you it is because I am on my journey through the web security exams. I have had enough field experience in the security audit role to notice odd behavior and activity, but not enough experience to prevent or patch it. However, I have some data siphoning neighbors, so my first assumption was someone was pilfering my incoming and outgoing data during contractual gigs. Considering the data that is sometimes transmitted, one can totally assume the worst. That's how zero days occur. Anyway, thank you so much for the assurance; one thing I need to really brush up on is the Android OS file system.
Wondering if a senior member would be so kind as to weigh in on this one. It's not that I don't believe the answer provided; it's that clarity can be had by the collective opinion. If others were to say the same, I'd be inclined to say, yep, those are certainly normal hidden files. However, I never noticed either folder or the database_uuid file until recently, after an attack on the local network. Hence my suspicion and thought process around the data siphoning neighbors.
Factory reset. Cured... whatever it was.
Now ^that's^ being paranoid
Not as much as you'd think. Prior to all this I had my tenth custom-built PC rig go down due to persistent malware that found its way into the BIOS, reflashed the BIOS and then further flashed itself into a level between BIOS and boot. Still hopping from device to device. PTAs, or persistent threat actors, aren't nearly as hard to come by in the wild when you study cyber security enough. Finding yourself in an officially sanctioned red team/blue team op and performing well, whilst also blazingly bragging about your leet skills on social media, will quickly garner a few PTAs.
It's not hard to assume someone in the area could monitor the device for restarts and/or factory resets on a root level and then push an injection into either the zygote or an OTA update as the device begins setup. Or, even easier, remote code execution targeting the "Sign in with Google account" portion of device setup.
DrRoxxo said:
Wondering if a senior member would be so kind as to weigh in on this one. It's not that I don't believe the answer provided; it's that clarity can be had by the collective opinion. If others were to say the same, I'd be inclined to say, yep, those are certainly normal hidden files. However, I never noticed either folder or the database_uuid file until recently, after an attack on the local network. Hence my suspicion and thought process around the data siphoning neighbors.
This should help answer your question:
https://en.wikipedia.org/wiki/Hidden_file_and_hidden_directory#Android
This explains how the .nomedia file works, which I assumed was natural after a bit of research. What concerns me is that within each new folder titled Movies, Music, and Video there is a .nomedia folder. Not a big deal, but then there is a "Database_uuid" file within each of those .thumbnails folders, the purpose or concept of which I do not currently understand. Prior to this, I understood the .nomedia file and the need for .thumbnails and .thumbs etc., but I had never once noticed the database_uuid file within those folders on my boredom inspired file dives.
Thank you to all the new and Senior members who helped me to understand this issue.
I truly appreciate the reassurance and responses.
I don't know if there is a way to do so as I am quite new to XDA myself, but I'd like to mark this issue as resolved.
resolution: Stop being so paranoid
tavella said:
This should help answer your question:
https://en.wikipedia.org/wiki/Hidden_file_and_hidden_directory#Android
Samsung file explorer can see .nomedia files if that option is enabled in its settings.
Protected backup files are sometimes "hidden" like this... so it's useful to have that option enabled especially when making backup copies.
They appear greyed out indicating they are hidden.
Hey all, Update.
I just got off the phone with a Cisco certified level 2 tech from my provider, T-Mobile. They verified that what was going on was indeed a sophisticated attack. The database_uuid files point to not just stealing data, but logging all activities. They are attempting a honeypot on the back end to attempt to catch the individual. They have begun monitoring the network for suspicious activity (for whatever it's worth). The technician verified that this sounds like a remote code execution taking place at the text entry field of "set up a new account" after factory reset.
Edit: one of the fixes provided was a full reroute. Data now comes as if I'm in a different location. I don't know how much of a difference it'll make, but to note some of the oddities I've faced:
When browsing a random word, results display fine. When browsing search terms related to my issues, I get a "malicious traffic has been detected on this network" error from Chrome, brave, and Firefox. Clearing data on those browsers sometimes works to resolve it, other times it persists.
When attempting to stream a searched title in any streaming service, the title fails to play, yet when choosing a random stream it plays fine.
When attempting to play any chosen online game, I get internet errors; the hotspot shows internet but no connectivity. When choosing a random game, it plays fine.
When signing up for Facebook, even with a newly created email for this purpose, I get a text verification code immediately from what seems to be official FB shortcode but appended at the bottom of the text is a signature: Laz.nx.carlw
Searching this signature shows hundreds of other users whose accounts were pwned by the same method.
Since the issue seems to be at the account creation screen after a factory reset, I've tried creating new Google accounts to setup the device with, however almost immediately, passwords are changed.
APN settings were grayed out and, as a T-Mobile customer using a strictly T-Mobile device purchased and provided by the provider, there is yet a com.vzw.apnlib package or service running in the background. Attempting to locate this service or package in every manner fails.
Banking apps have had passwords changed and purchases have been "denied by card", an error of which I've never seen before.
Amazon orders have been "canceled by the buyer" with no input or action on my end relentlessly.
While on VPN (Windscribe and Lion VPN), the same happens. It rarely happens without VPN on, but does still occur. I would assume this is to encourage unencrypted traffic that has already been had due to the exploit.
I am aware that Windscribe was recently exploited and pwned. However, it doesn't seem to make a difference, because the activity I'm witnessing seems to be that of a dirtbox.
Could anybody weigh in on a potential fix or solution?
New update all.
So after calling again to the provider I was told that there was no way for them to monitor everything on the backend and potentially catch them. The rep I spoke to this time assured me he'd been working tech support for the provider 12 years and they've never been capable of doing so.
He also informed me that, as far as getting support from the provider, the best they are going to be able to do even in level 2 tech support is verify whether the device is receiving a proper connection from the tower, and if it is and the issue still persists, basic troubleshooting (which I've already done tenfold) would be the next course of action. He informed me that had those troubleshooting options not worked, the next usual step taken would be to advise speaking with the manufacturer, as they would have the ability to remote in and/or replace the device in the event of a failure to fix the issue. However, as explained to the rep at the provider, I've already had replacements sent to me. This issue has persisted through 3 provider changes, 4 new cell phones, and multiple network changes: new SIM, new number, data rerouting, etc.
My last call with the manufacturer resulted in a Cisco certified level 2 remoting into the device with Smart Tutor, and his entire fix applied was a mere opening of my ESET security app and a scan initialized, and suggesting I purchase ESET premium.
That was the course of the whole fix provided by the manufacturer prior to a replacement being provided.
DrRoxxo said:
Hey all, Update.
I just got off the phone with a Cisco certified level 2 tech from my provider, T-Mobile. They verified that what was going on was indeed a sophisticated attack. The database_uuid files point to not just stealing data, but logging all activities. They are attempting a honeypot on the back end to attempt to catch the individual. They have begun monitoring the network for suspicious activity (for whatever it's worth). The technician verified that this sounds like a remote code execution taking place at the text entry field of "set up a new account" after factory reset.
Edit: one of the fixes provided was a full reroute. Data now comes as if I'm in a different location. I don't know how much of a difference it'll make, but to note some of the oddities I've faced:
When browsing a random word, results display fine. When browsing search terms related to my issues, I get a "malicious traffic has been detected on this network" error from Chrome, Brave, and Firefox. Clearing data on those browsers sometimes works to resolve it, other times it persists.
When attempting to stream a searched title in any streaming service, the title fails to play, yet when choosing a random stream it plays fine.
When attempting to play any chosen online game, I get internet errors; the hotspot shows internet but no connectivity. When choosing a random game, it plays fine.
When signing up for Facebook, even with a newly created email for this purpose, I get a text verification code immediately from what seems to be the official FB shortcode, but appended at the bottom of the text is a signature: Laz.nx.carlw
Searching this signature shows hundreds of other users whose accounts were pwned by the same method.
Since the issue seems to be at the account creation screen after a factory reset, I've tried creating new Google accounts to set up the device with; however, almost immediately, passwords are changed.
APN settings were grayed out and, as a T-Mobile customer using a strictly T-Mobile device purchased and provided by the provider, there is yet a com.vzw.apnlib package or service running in the background. Attempting to locate this service or package in every manner fails.
Banking apps have had passwords changed and purchases have been "denied by card", an error of which I've never seen before.
Amazon orders have been "canceled by the buyer" with no input or action on my end relentlessly.
While on VPN (Windscribe and Lion VPN), the same happens. It rarely happens without VPN on, but does still occur. I would assume this is to encourage unencrypted traffic that has already been had due to the exploit.
I am aware that Windscribe was recently exploited and pwned. However, it doesn't seem to make a difference, because the activity I'm witnessing seems to be that of a dirtbox.
Could anybody weigh in on a potential fix or solution?
Sounds like a StingRay IMSI
DrRoxxo said:
APN settings were grayed out and, as a T-Mobile customer using a strictly T-Mobile device purchased and provided by the provider, there is yet a com.vzw.apnlib package or service running in the background.
This is normal.
Banking apps have had passwords changed and purchases have been "denied by card", an error of which I've never seen before.
Amazon orders have been "canceled by the buyer" with no input or action on my end relentlessly.
Probably because orders were placed whilst running ****ty VPN.
Have you flashed stock firmware through Odin?
DrRoxxo said:
I have just received a brand new T-Mobile SM-A326U, Samsung Galaxy A32 5G USA variant, today from the mobile's website. I immediately updated to the newest security and software patch, as I have been having issues with security lately: IMSI catcher, remote code injection, forwarding calls and texts to media servers, MitM, etc.
Right away I used "Samsung My Files" and enabled hidden file access within Samsung My Files. I have always been aware of the need to index thumbs and thumbnail files, databases, etc. in the digital camera media images or DCIM folder. Checking /storage/emulated/0 shows three NEW locations: 3 new folders titled Music, Pictures, and Video. Within each of these three new folders there is a hidden ".nomedia" file and a hidden file titled "database_uuid". Attempting to delete the Music, Video, and Pictures folders from /storage/emulated/0 results in them returning after a reboot, with the same files within them. Performing a factory reset and flashing a new factory ROM and firmware provides the same result: there are those same three folders and those same files. Performing the old trick of creating a dummy file entitled .thumbnails didn't resolve this issue either.
I have not used the camera. I have not done anything but open a factory stock browser utilizing the providers data connection.
This has persisted through 3 new devices: a Samsung Galaxy A71 5G, a Motorola G Power 2021 and now this phone.
Am I being overly paranoid? Is this just a new function of the file system I am unaware of? Is the hidden "database_uuid" supposed to be there? Or have I reason to suspect the worst?
Is the hidden "database_uuid" supposed to be there?
Yes, it's part of the Android system.
Is this just a new function of the file system I am unaware of?
Probably; Android 11 has big changes and so will Android 12.
financeledger said:
APN settings were grayed out and, as a T-Mobile customer using a strictly T-Mobile device purchased and provided by the provider, there is yet a com.vzw.apnlib package or service running in the background.
This is normal.
Banking apps have had passwords changed and purchases have been "denied by card", an error of which I've never seen before.
Amazon orders have been "canceled by the buyer" with no input or action on my end relentlessly.
Probably because orders were placed whilst running ****ty VPN.
Have you flashed stock firmware through Odin?
I did try flashing through Odin; luckily all went well, however the flaw and some of the suspicious activity continued. I managed to flash stock on 3 of the 4 phones affected and it persisted, sadly. However, you are correct about the VPN; turns out Windscribe had recently been exploited.
financeledger said:
Is the hidden "database_uuid" supposed to be there?
Yes, it's part of the Android system.
Is this just a new function of the file system I am unaware of?
Probably; Android 11 has big changes and so will Android 12.
I am certainly not trying to be argumentative, but I did want to note, for the sake of those that may have the same concern, that my provider and a few level 2 tech support individuals were able to confirm the database_uuid files are not supposed to be there and are evidence of logging activity.
financeledger said:
Sounds like a StingRay IMSI
I would have to agree. However, a StingRay would only route traffic through their IMSI catcher, like a false tower. It's surely a possibility, but it wouldn't account for the suspicious behavior consistent with that of PTA malware. This truly seems like a custom exploit someone created. It certainly isn't a Metasploit module.
Hello, and thanks in advance for any assistance y'all can provide.
I should preface this by saying that I'm comfortable tinkering with software and am technically inclined, but have only a vague understanding of what exactly a CSC code is and haven't flashed anything on a phone since tinkering with my old Galaxy S Captivate.
My wife and I bought "factory unlocked" S10e's via Amazon's "renewed" program. They have no visible branding, physically or in the software, and report their model as G970U1, as advertised. We're both on Cricket. My phone works without issue but she's been getting texts from Cricket for a few weeks saying that she needed to update her phone by 2/22/22, but the "software update" tool reports that the phone is up to date. Since that date, she's been unable to send or receive phone calls, but texts and mobile data still work as normal.
Going by the "Software Information" page, the phones are nearly identical in software versions, with the only difference in the two is the "Service provider software information" string. As best I understand, this displays the CSC code in the string, as "...OYM_[CSC]...".
Going by this, my phone has the correct CSC for Cricket, but my wife's phone has somehow obtained the code for T-Mobile. Given that this is the only software difference between the two, I can only assume that it's the culprit? (If not, what else could be causing this?)
I'm not 100% sure if this is something that we could have caused, or if the phone could have been de-branded somehow (again, no physical markings) and resold with a CSC already on it?
I've tried changing the CSC by using the code in google dialer, but it just throws a vague error and nothing happens. I'm not sure how to proceed from here? From googling around, I saw that flashing new firmware using Odin and Frija(?) can get the job done, but also requires resetting the phone and comes with some risk?
I'd like to avoid resetting the phone if possible, as it's also her interface to her glucose monitor (Type 1 diabetic), and this takes quite a long time to set up. From some searching, it seems there's a paid tool called Chimera that at least one person claimed can change the CSC without resetting. Is that accurate? If that's not correct, is there a better way?
Apologies for the wall of text, I hope I've provided enough information. Again, thanks to anyone who can provide guidance.