Is it possible for a virus to allow you to visit a site but not post on it?
Maybe get access to my router?
Something like a botnet or rootkit with administrative access, like logging me out of my accounts and disabling my SIM?
I installed a random apk from a random link that was sent to me by my gf and I've noticed that this virus is very secretive (to not cause suspicion by my gf)
I've figured out it can read my keyboard (keylogger), access my media, log me out of my accounts and disable my SIM, but I don't think it can modify or delete, because she asked me to delete the apk (any ideas?)
I've tried avs but they come clean and after factory reset it still continues but I can't recall the name of the apk otherwise solution would have been easier
It may be a backdoor (I could be wrong), but I don't think it can go to a new device if I erase everything and create a new Gmail account, right? But how is it possible that it could survive a factory reset? Is there any way to detect these kinds of viruses? I unfortunately can't unlock my bootloader, otherwise I would have rooted and flashed my phone with stock, and it's not xhelper, I tried it.
Welcome to XDA.
What OS version?
Scan the suspect app you downloaded with online Virustotal. See what you got.
Needless to say don't do stupid things again. At the very least always scan with Virustotal first.
If there's any doubt whatsoever, delete the file. No app is worth the risk, the time and the potential critical data loss it could cause.
alokkolaq said:
Is it possible for a virus to allow you to visit a site but not post on it?
Maybe get access to my router?
Something like a botnet or rootkit with administrative access, like logging me out of my accounts and disabling my SIM?
I installed a random apk from a random link that was sent to me by my gf and I've noticed that this virus is very secretive (to not cause suspicion by my gf)
I've figured out it can read my keyboard (keylogger), access my media, log me out of my accounts and disable my SIM, but I don't think it can modify or delete, because she asked me to delete the apk (any ideas?)
I've tried avs but they come clean and after factory reset it still continues but I can't recall the name of the apk otherwise solution would have been easier
It may be a backdoor (I could be wrong), but I don't think it can go to a new device if I erase everything and create a new Gmail account, right? But how is it possible that it could survive a factory reset? Is there any way to detect these kinds of viruses? I unfortunately can't unlock my bootloader, otherwise I would have rooted and flashed my phone with stock, and it's not xhelper, I tried it.
If a factory reset doesn't work yet, you may wipe cache partition + wipe data in the recovery mode.
Don't think you caught a computer virus: A computer virus generally requires a host program. The virus writes its own code into the host program. When the program runs, the written virus program is executed first, causing infection and damage.
By contrast, a computer worm does not need a host program, as it is an independent program or code chunk. Therefore, it is not restricted by the host program, but can run independently and actively carry out attacks.
A computer worm can only attack when the phone's Android is rooted: Rooting a phone means gaining access to the deepest and most important code in your phone's operating system. With a rooted phone, users gain privileged control (root access) over a phone's basic subsystems, which allows them to bypass manufacturer or carrier restrictions and install or customize almost anything they want.
To ensure you have a clean Android as it was installed when the phone shipped, re-flash the phone's stock ROM.
jwoegerbauer said:
Don't think you caught a computer virus: A computer virus generally requires a host program. The virus writes its own code into the host program. When the program runs, the written virus program is executed first, causing infection and damage.
By contrast, a computer worm does not need a host program, as it is an independent program or code chunk. Therefore, it is not restricted by the host program, but can run independently and actively carry out attacks.
A computer worm can only attack when the phone's Android is rooted: Rooting a phone means gaining access to the deepest and most important code in your phone's operating system. With a rooted phone, users gain privileged control (root access) over a phone's basic subsystems, which allows them to bypass manufacturer or carrier restrictions and install or customize almost anything they want.
To ensure you have a clean Android as it was installed when the phone shipped, re-flash the phone's stock ROM.
James_Watson said:
If a factory reset doesn't work yet, you may wipe cache partition + wipe data in the recovery
blackhawk said:
Welcome to XDA.
What OS version?
Scan the suspect app you downloaded with online Virustotal. See what you got.
Needless to say don't do stupid things again. At the very least always scan with Virustotal first.
If there's any doubt whatsoever, delete the file. No app is worth the risk, the time and the potential critical data loss it could cause.
I have an old Redmi 4 and I didn't root my phone, could it be done by exploit? Because I checked my phone for root and it says not rooted, and I did install a random apk. I know it was stupid, but at least lesson learnt; I didn't know that an apk could be this bad, like Pegasus or something.
Anyways, I found on the net that this type of attack is called spear phishing (I think), and it seems I was supposed to open it from a VM only, otherwise it infects the system fully and the only way to remove it is to flash stock (I think).
Hopefully it doesn't survive the flash, because it could hide in the boot image or some places where the flash does not reach.
What do you do in these situations? Other than buying a new phone, that is.
Yes and thanks for the advice
James_Watson said:
If a factory reset doesn't work yet, you may wipe cache partition + wipe data in the recovery mode.
Factory reset does this.
I wish to learn everything there is to learn about spyware on Android, because I was once spied upon by my girlfriend and I know how it feels, and I would like to educate people about it. I would like to know about the origins of it, how it works, what it does, when it does it, where it comes from, etc.
It warned me it was malicious and it still infects all kinds of devices. What could it be? I think it's a spyware that installs other malware, or the spyware itself is doing everything (I don't remember the name of the apk or app).
But it is mainly used by girls to spy on their bf so as to know they aren't cheating on them.
Please send me links to the wiki if it is present or just direct me to learn more about it
Any suggestions would be helpful and appreciated.
Thanks for reading.
I had a Coolpad Mega 2.5D (new) which was stolen by my gf (I got to know later, as I said I didn't want to show her all the contents of my phone), and then I got a Coolpad Note 3, and now a Redmi 4.
Is it possible that when she stole my phone she could have got some access to my new phones, even though I got a new SIM and used new accounts? (I personally don't think so.)
I was recently sent a link by my gf and was asked to download an apk and delete it after installing the apk it warned me that it was malicious but I went ahead anyway since at the time I didn't know it had such huge consequences.
I think it still works with all the phones and I don't know how, because it is already known it is malicious and it still infects the device it is installed upon. I tried using avs, searched in the settings, used safe mode, used sandbox apps (not fully, as to know which app it is) and even tried to FACTORY RESET my phone, but it still remains, as it keeps disabling my SIM, records every keystroke (keylogger) and can see my media, as it got leaked on the net and accounts got hacked repeatedly.
She even wants to know my new phone and install the spyware on it, so it is malicious and is known, and it can infect any type of Android (assuming), because she's not worried about whether it will work or not and is sure about it.
She even sent me links every time I got a new phone so as to reinfect me, but I did not know this at that time.
What could this be? I'm assuming it's a spyware, as it's done by my gf, maybe by spear phishing (as I know of from what I experienced).
If someone could explain what type of attack this is and how to detect and remove this spyware (assuming), and how to learn more about it.
I learned that factory resets are not enough to sanitize devices and such apps (spyware) are to be opened in a VM only (or maybe sandbox it so it does not infect the entire system?) (all of this is assuming I got it right).
Maybe a wiki or an article or a community or advice or some kind of help would be preferred
Thanks.
alokkolaq said:
the apk it warned me that it was malicious but I went ahead anyway
So despite being clearly warned that the app was malicious, you disregarded said warning...and now you want help fixing something you could have easily avoided had you simply heeded the warning?
A gram of prevention is worth a metric ton of cure. There's not much anyone here can recommend beyond changing all your passwords, using multi factor authentication, and performing a clean factory flash on your device. At this point, you might need a priest more than a technical expert.
Just so the noobs that are unfamiliar with the Android/Linux kernel can gain a little understanding of viruses on Android.
It is virtually not possible for an Android device to get a true "virus", there is only things like spyware and malware and those can only target your device if THE USER GRANTS THE OFFENDING CODE OR APP PERMISSION TO LOAD BY DIRECT INTERACTION FROM THE USER WHETHER YOU WERE AWARE OF IT OR NOT. Such as installing malicious apps, opening attachments in malicious emails, clicking on/downloading photos from unknown suspicious phone numbers or even photos from people on your contact list if they have malware/spyware on their device that can target other devices that they send messages to. It boils down to this, you can only be targeted by something that you, as the user, specifically clicked on/opened/allowed at some point, when you clicked on it, opened it or allowed it, this is what gave it permission to target you. The moral of this story is be very careful about what you click on, open or allow, be absolutely sure of what it is before you do it. Research it before you click on it, open it or allow it.
Droidriven said:
Just so the noobs that are unfamiliar with the Android/Linux kernel can gain a little understanding of viruses on Android.
It is virtually not possible for an Android device to get a true "virus"
Is it possible to remove the infamous Pegasus malware or its family (similar to it) by flashing the device with its stock ROM? Or is there a special method?
I know there's a tool to detect it, but I want to remove it.
It might also be the infamous xhelper app that survives factory resets.
I want to know if the Pegasus malware (trojan) or its family could be got access to for private use, like my gf installed something on my phone. I doubt it is, but it doesn't seem to get detected under avs like xhelper does; maybe some variant of it doesn't get detected.
I'm open to suggestions as to what this could be.
I just clicked on a link that my gf sent and it led me to download an apk, and I was asked to install it and delete the apk (I wasn't aware that it could be this serious) (it did warn me) (but I wasn't aware of its consequences).
Also, whenever I got a new phone she asked me to reinstall it (this happened some time back when I still didn't realise), so it didn't matter which phone, she was ready to infect it. What kind of malware could it be? (I'm guessing trojan, but it could be something else, like a rootkit maybe.)
But I know it can survive factory resets. I tried using Universal Android Debloater but I guess it just reinstalls; I tried using avs but no use. Is there some other method to detect or remove it?
Someone told me to use Android hosts files, but I don't know what to do because I'm new; maybe there are methods that need expertise? I just want to know if it's there, as it will give me some relief.
Also what if it survives a flash?
What do I do then ?
The symptoms are keyloggers (clipboard and everything), media detection (can see media), and it can also disable my SIM card, rendering it useless.
I think it also has administrative access, as it can do all this,
but I'm sure it cannot see who I'm texting, as I'm not rooted and the Android sandbox prevents it from knowing that.
I think I tried all the non-root methods; safe to say that nothing works (to remove or detect it). So will rooting be able to uninstall the app because of the administrative permissions? Or will I have to reinstall the ROM or firmware or something?
I even tried apps like Quad9, but it doesn't detect it either.
Also is there any wiki or guide to help me through with this situation or just android guides in general would be nice
Thanks
My recommendation: Do a fresh clean re-install of the phone's stock ROM, as you already were told to do. If you don't know how to do that, either ask Google Bard or ask here for help.
If it's Android 9 or higher and the boot loader is locked the most you should have to do is a factory reset, secure your accounts... and be careful what you install.
It's possible there's some malicious scripts hiding in your backup data too. Jpegs and pngs are the most common vectors.
So save loading those for last after testing the reload. If there's more crap in your database you'll need to find it... one way or another.
The trigger is opening the scripted file, so it may be a while until you stumble into it.
Related
So I'm sure we've all heard about the ExynosAbuse exploit. If not, the original thread is here. The only proper solution is a kernel fix. This thread is only about app-based fixes.
There are various fixes available at the time of this writing, including my own. I don't mind some competition, that is not the problem. What is a problem is that some of these other app-based solutions out there have been mentioned and pushed a lot in the media (tech as well as non-tech) while they are seriously flawed (the only true solution is a kernel fix that simply removes the exploitable memory device, but that requires a non-universal device update, so we focus only on app-based fixes here that users may run immediately).
What I mean by flawed is that while they offer protection most of the time, they may leave a big gaping hole during boot that can be exploitable (as I will demonstrate) - and serious malware authors will of course include this attack vector in any serious malware - as will they include an attack vector to exploit temporary enabling of the exploit so you can use your camera (on devices where the fix breaks camera use).
Serious malware needs only a tiny hole to squeeze through once, and will attempt to leave its own backdoor in case the hole they squeezed through is closed. Disabling the fix to use your camera only for a second with a malicious app running in the background running the exploit in a loop, and game over. I'm not even going to demo that, that flaw should be clear.
Due to unreliable fixes being mentioned by the media, a lot of people who have read online (or even print) news about this exploit may be using a fix they believe will work, but actual malware will easily bypass. Maybe some noise needs to be made about this ?
We're going to talk about three solutions here:
RyanZA's ExynosMemFix
Supercurio's Voodoo Anti ExynosMemAbuse v0.6
Chainfire's ExynosAbuse APK
The demo
What I am going to demo is running the exploit at boot, even though a fix that runs at boot is installed, on an exploitable device. After reading the rest of this article, find attached the ExynosExploitDemo APK. After installation, open the app, reboot your device, unlock your device (enter PIN, pattern, etc) and watch the screen like a hawk. Within a minute, a toast (bottom of the screen) notification will popup telling you whether the exploit worked. If it didn't work the first time, please try it at least 3 times. Once you are satisfied with the results, you should uninstall it again as it slows down the boot process.
Test setup
For each test I have completely factory reset the devices, and installed the "protection" APK before installing the exploit demo. Tests have been run on both Galaxy S3 as well as Galaxy Note 2, with and without SIMs installed. Tests were performed on December 18, 2012 with the most recent versions at that time.
BOOT_COMPLETED
Both RyanZA's as well as Supercurio's solution depend on Android launching the apps at boot (using the BOOT_COMPLETED mechanism), so they can plug the hole. This is a standard Android practice. The problem is, there is no guaranteed order in which apps are started at startup. A malicious app could also register to be started at boot (as the demo app does), and it would be a race whether the malicious exploit is run first, or the protection code. Luckily, you are more likely to have installed one of the patches before the malware, and the app that is installed first also has a better chance of being run first - but this is something that you cannot and should not rely on, nor does it guarantee the protection app will win the race, as explained below. The number of apps installed (and their package names, and what exactly they do at launch) may further influence which package "wins". What I'm trying to demonstrate here is that depending on this method of patching is unreliable at best.
The demo vs RyanZA's ExynosMemFix
RyanZA's is probably the least advertised/mentioned solution, which I expect is least used as well. The solution relies on BOOT_COMPLETED and "su" availability (like being rooted with SuperSU or Superuser), but does not rely on the exploit itself.
The reliance on "su" availability makes it vulnerable, it runs "su" to get the required access level to plug the hole. Even if installed before the malware and the system launches its startup code before the malware, the "su" call is an expensive one that can take an arbitrary amount of time to complete, regardless of the app having been granted permission before or not.
In my tests, even with ExynosMemFix installed before the demo, and having verified its code launched first, it would always lose against the demo (and thus the exploit succeeds) if the root management app installed is Superuser. Due to the way the Superuser app is designed, it takes a longer time acknowledging the "su" request, giving the demo time to run the exploit. I have also seen ExynosMemFix generate an ANR error during testing a number of times, indicating that it may be calling "su" from the actual broadcast receiver (instead of a background thread), with all the problems that may cause.
When SuperSU is used, ExynosMemFix would always win against the demo in my tests (and thus the exploit fails), due to SuperSU responding much faster as it does not rely on the Android framework as Superuser does.
This solution can be somewhat secure, but even if used in combination with SuperSU, it cannot be guaranteed the malware does not launch first (I've seen it happen, but have not found the key to reproducing it yet). In combination with Superuser instead of SuperSU, the patch leaves a major hole.
The demo vs Supercurio's Voodoo Anti ExynosMemAbuse v0.6
Supercurio's is probably the most advertised/mentioned solution in general by media outlets. The solution relies on BOOT_COMPLETED and the exploit itself (but no "su" required).
The reliance on the exploit makes it vulnerable. The exploit may need to run a couple of times before it succeeds during boot, and it takes quite a few milliseconds to run. It runs the exploit to get the required access level to plug the hole. The exploit does however take some time to run, and both the exploit as well as the hole-plugging command must be completed before the malware starts, to effectively block it.
In my tests, even with Voodoo Anti ExynosMemAbuse installed before the demo, and having verified its code launched first, it would always lose against the demo (and thus the exploit succeeds). The protection code would launch before the demo code, but it would not complete (and fix the hole) before the malware was started, thus failing to block it.
Note that this specific case is probably especially sensitive to the number of apps you have installed - it may be the case that the more apps you have installed after this solution and before actual malware, the better the chance the protection will succeed before the malware is triggered. You can't possibly rely on this, though.
This solution is the least secure solution of all available options - it will leave a big hole open, you might as well not run any patch at all.
The demo vs Chainfire's ExynosAbuse APK
Mine is probably the second most advertised/mentioned solution. The solution relies on modifying /system and the exploit itself, with parts relying on "su".
This solution can root the device and install SuperSU as management app itself, though it also works with a pre-installed Superuser. It requires this to install the on-boot fix. After that patch is applied, you can unroot again (inside SuperSU: Settings --> Full unroot) - the patch will keep working. The patch itself does however modify /system, to make sure the fix is applied before any normal Android app is started with BOOT_COMPLETED, completely preventing the hole the demo app (and malware) would use to run the exploit. As such, the exploit always fails.
This solution is the most secure solution of the available options in this regard, topped only by actually fixing the exploit in the kernel.
Virus/malware/etc scanners
I have also noticed that various virus and malware scanners have updated their definitions in the past few days, and they will now detect the original ExynosAbuse exploit. Be warned however, that this specific hole can be exploited in many different ways and the example code provided by alephzain is just that: an example. I am not at all convinced that all different exploits based on this hole can even theoretically be reliably detected by these scanners - including Google's - unless every app is actually tested against in a sandbox environment (and even then ...). They may protect against those using the exploit as-is, though.
The big joke
The funny thing is, all the fixes that can actually work void warranty: mine requires modifying /system, RyanZA's requires root as well, and a proper fix requires a custom kernel.
In other words, right now you can't really protect yourself against this abuse without voiding your warranty. If there ever was a case for having laws against limitations of warranty, this is it. On a related note, any warranty denied because your system status is "modified" is also completely bogus, as a successful exploit might (outside of your knowledge) probably try to install their own backdoor in /system ... which might trigger "modified" status.
Also, if you're thinking this is complicated code, malware authors are not smart enough, etc - think again. Serious malware authors live and breathe this stuff, and the relevant code for this attack is rather trivial and only about 30 lines, including whitespace and actually showing you the exploit result.
Another joke is that I seriously doubt any major news outlet will post a correction, but hey, at least I tried.
Different test results
Let us please not make this thread about your test results being different. If you have read and understood all the text above, you would know that there are various factors that may throw the test outcome one way or the other. Unless you're sure your different result is significant in being different, please do not clutter the thread with it.
Download
If you have a decent and updated virus scanner, it will likely scream at you for trying to download this. It is after all an exploit. You may need to turn it off if you want to test this for yourself.
2012.12.19 Update
I have a new (private, yeah) version of the demo that now beats both Supercurio's (v0.9) as well as RyanZA's solution 100% of the time.
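The fixes compared above all come down to one thing: taking away ordinary apps' access to the exploitable memory device node, either from init (Chainfire's /system patch, or the kernel fix that removes the node) or from a BOOT_COMPLETED receiver (RyanZA's and Supercurio's). As an added example, not part of Chainfire's post or of any of the fix apps, here is the POSIX shell check a defender would run (for instance over `adb shell`) to see whether a node is still readable or writable by every app on the device. The path `/dev/exynos-mem` is an assumption; the thread itself only mentions "exynos_mem".

```shell
#!/bin/sh
# Added example, not from the thread or from any of the fix apps it discusses.
# The fixes above "plug the hole" by taking away ordinary apps' access to the
# exploitable memory device node. This script audits a node's permission bits
# and reports whether the "other" class (every unprivileged app) can still
# read or write it. /dev/exynos-mem is an assumed path; the thread only says
# "exynos_mem".

# Print the octal permission bits of a file (e.g. 666); works with GNU and BSD stat.
node_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Classify an octal mode (3 or 4 digits). Prints "exposed" when the "other"
# class has read (4) or write (2) permission, otherwise "restricted".
# Exit status: 0 = restricted, 1 = exposed.
classify_mode() {
    other=$(printf '%s' "$1" | tail -c 1)   # last digit = "other" class
    if [ $(( other & 6 )) -ne 0 ]; then
        echo exposed
        return 1
    fi
    echo restricted
    return 0
}

# Report one node as "<path> <mode> <verdict>". A missing node is reported
# too, because removing the device entirely (the kernel fix) is also a pass.
audit_node() {
    if [ ! -e "$1" ]; then
        echo "$1 missing (no device node, nothing to exploit)"
        return 0
    fi
    mode=$(node_mode "$1")
    verdict=$(classify_mode "$mode") || :
    echo "$1 $mode $verdict"
}

# Offline demonstration on constructed files standing in for device nodes.
demo() {
    dir=$(mktemp -d)
    : > "$dir/open-node";  chmod 666 "$dir/open-node"    # world read/write: the exposed state
    : > "$dir/fixed-node"; chmod 600 "$dir/fixed-node"   # owner only: the state after a fix
    audit_node "$dir/open-node"
    audit_node "$dir/fixed-node"
    audit_node "$dir/absent-node"
    rm -rf "$dir"
}

# On a real device you would run:  audit_node /dev/exynos-mem   (assumed path)
demo
```

Because a BOOT_COMPLETED-based fix only changes the mode after the receiver has run, the same check read during the first seconds after boot and again a minute later tells you whether the window Chainfire describes exists on your device.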
Thanks for this thread. It's so fun !
But I have solved the problem (I think) after flashing my phone with my kernel (exynos_mem files modified).
lelinuxien52 said:
Thanks for this thread. It's so fun !
But I have solved the problem (I think) after flashing my phone with my kernel (exynos_mem files modified).
Yes, as stated, the best solution is a fixed kernel
My app clearly states the limitations of the approach (inside the app itself, leaves no doubt)
But it should not lose every time against the demo exploit at boot, so I'll change to a more aggressive way to start.
Thanks Chainfire for taking the time to test.
Chains, it's not much but have an Export 33 on me mate: 8BH470706S240353D :good:
Well said.
Chainfire said:
Yes, as stated, the best solution is a fixed kernel
So when do you think Samsung+carriers will plausibly get around to officially fixing it?
Sounds more precarious to not try your workaround & there is reasonable deniability even if there is a warranty issue..?
Tomorrow I'd like to install the official T-Mobile SGH-T889 multi-window update followed by ExynosAbuse-v1.30.apk. Anyone expect issues, as this recently discovered Exynos exploit is not listed as addressed in this likely tested-for-weeks update?
So is ExynosAbuse-v1.30.apk now regarded as the best-easiest-fastest-safest reversible root method for stock ROM compatible devices (as it also offers a reversible exynos exploit work-around with full unroot)?
-Thanks
Tried demo app this way:
- 2 times under WiFi and I get "Exploit FAIL" and the toast shows the directory that is something like "[!] ... /exynos-...."
- 1 time under 3G regular data connection and I still get "Exploit FAIL", but in the toast I don't see the directory any more, only the message
I use Chainfire's exploit app.
Am I secure???
Sent from my GT-i9300 using TapaTalk2
Chainfire, guys, please give a try to the v0.7 version of my app, same place.
Chainfire, it would have been nice to be informed while you were preparing the article (on your early conclusions)
Just wondering, when Samsung DOES release a fix, I think it'd kinda be a catch 22 because those rooted or modified won't be able to update - or those infected won't be able to update. So Samsung will have to be lax with that rule. Or is that even possible? But regardless, I'm sure you guys will be able to get us the Samsung fix when and if they come out for us modified folks.
ThaiM said:
Just wondering, when Samsung DOES release a fix, I think it'd kinda be a catch 22 because those rooted or modified won't be able to update - or those infected won't be able to update. So Samsung will have to be lax with that rule. Or is that even possible? But regardless, I'm sure you guys will be able to get us the Samsung fix when and if they come out for us modified folks.
Yes, that's good thinking.
And also why I tried to provide something (even an imperfect workaround) that doesn't alter system.
I have 2 questions though, and I'll verify to get an answer to the first one.
- Is my app really not triggering the "modified" status?
- If Chainfire undoes all the modifications applied by his tools, will the device return to its "un-modified" status?
Or maybe the "un-modified" status can be faked, restoring the proper function of OTA updates.
Maybe a noteworthy thing here: in the EU you don't lose your warranty for applying fixes like this. In fact you can install kernels/ROMs as many times as you want and you still have your warranty. From my own experience with this, my phone has been repaired 2 times because the micro-USB didn't want to cooperate with me. The first time I had MIUI installed, the second time I had CM10 when I sent my phone to get fixed; both times I got it fixed free of charge.
source: https://fsfe.org/freesoftware/legal/flashingdevices.en.html
tl;dr
If flashing the original firmware doesn't fix the issues you had on your phone, then they must have the damage covered free of charge (i.e. micro-USB port goes crazy).
Chainfire, thanks for your elaborate demo.
I tested the exploit demo thrice with mobile security apps disabled; once with your app, and twice with the two "disable exploit" boxes from your app unticked. The first time, the exploit failed.
The kernel I have installed (link in my sig) seems to have fixed the problem. It uses the fix by AndreiLux that was successfully implemented by Entropy512 from the original thread.
Both times I rebooted, the exploit failed (see screenshot). I guess this is expected, but both times after boot, the checkbox "disable exploit" was enabled again without touching it.
Seems like a success story to me.
Thanks again!
SGS2 // RootBox 3.2 // Dorimanx 7.33
The 0.9 update of my app is strong now on boot (or less weak), but this is not very satisfying.
Frustrating as there's no "perfect" fix for regular users I'm thinking about right now.
I'm not really a fan of waiting, are you ?
@supercurio I was wondering the exact same thing on how may the "un-modified" status can be faked. Then again, as another user pointed out, though warranty rules and regulations maybe the same across all regions - it is their comprehension and application which is ambiguous.
I for one can attest that at my place they will simply replace the internals of your phone as long as the purchase bill you produce confirms that your device is still covered by the manufacturer warranty.
Props on the great research Chainfire, I agree with it all 100%
Personally though, malware authors target the easy and low-hanging fruit - in this case, 99% of phone users who have not used any kind of fix. (99% is a very low estimate.) They have no real reason to try and 'out race' mine or Supercurio's fix in practice, as (mine in particular) has very few users. Why bother creating a special exploit that only runs on boot, when you can just target 99%+ of all unfixed devices by just running the exploit when the app is started?
I've seen 4 malicious uses of the exploit in the wild so far, and all of them run on app start, which is blocked by all 3 'unsecure'/non-kernel fixes. Users are still VERY heavily encouraged to use any of the fixes, as they currently stop all uses of the exploit in the wild. Supercurio's is still the best one as it does not require root, and should definitely be advertised by the media as much as possible, as it stops a real-world and current threat to user security as best as it can.
Gotta say great research chainfire need of the hour indeed :thumbup:
Chainfire said:
The big joke
The funny thing is, all the fixes that can actually work void warranty: mine requires modifying /system, RyanZA's requires root as well, and a proper fix requires a custom kernel.
So if I understood correctly, a custom kernel solves the issue. :good:
I don't care about warranty.
I believe nothing is secure in my phone, including passwords, security PIN and even what I'm typing now. Recently, my Facebook account got hacked too. I think my phone is being keylogged. So, I did the following things:
1. First of all, I reset my device
2. Then, I even changed the ROM
But still I feel insecure. I want to know, is there any way that the keylogging is kernel masked? Do I need to update the kernel? I need to know about the things I should do to make sure that my phone is completely keylogger free. Please help!
dreamer04 said:
I believe nothing is secure in my phone, including passwords, security PIN and even what I'm typing now. Recently, my Facebook account got hacked too. I think my phone is being keylogged. So, I did the following things:
1. First of all, I reset my device
2. Then, I even changed the ROM
But still I feel insecure. I want to know, is there any way that the keylogging is kernel masked? Do I need to update the kernel? I need to know about the things I should do to make sure that my phone is completely keylogger free. Please help!
I'm no expert in this subject, but what I would do is flash a new ROM and kernel, then monitor packets sent and received by the phone with an app, or with a router. The rooting method also matters. So, flash the original OEM software first. Rooting methods that harvest IMEIs have been reported. So, don't go with the "one clickers" to root your device, but do it the long way.
I am currently also using a firewall on my phone and my connection also goes through a router with a firewall.
Normally, I never enter sensitive data when in a dangerous environment, such as an unprotected cafe WiFi.
If you are concerned about a keylogger, then you should be more concerned about how you got your device infected.
I usually refrain from using the Google app store. I mostly use open source programs/apps that can be compiled or tested.
You should look into F-Droid, which hosts open source apps; not many, but there are some.
Tell me what to do?
My phone is overheating too. So I installed Network Log from the Play Store and watched the log. I found my phone sending and receiving packets through the kernel.
I have uploaded the screenshots with this. Please have a look and tell me if this is normal or, if it isn't, what to do.
Also, before unlocking, the lock screen shows some messages as in the screenshot. But after unlocking no such messages exist.
Please help.
dreamer04 said:
My phone is overheating too. So I installed Network Log from the Play Store and watched the log. I found my phone sending and receiving packets through the kernel.
I have uploaded the screenshots with this. Please have a look and tell me if this is normal or, if it isn't, what to do.
Also, before unlocking, the lock screen shows some messages as in the screenshot. But after unlocking no such messages exist.
Please help.
I'm not sure about the message on your lockscreen, but the IPs in your kernel log seem to correspond to these domains:
Host 24.9.193.104.in-addr.arpa. not found: 3(NXDOMAIN)
Host 233.127.230.115.in-addr.arpa. not found: 3(NXDOMAIN)
Host 54.213.160.61.in-addr.arpa. not found: 3(NXDOMAIN)
Host 108.213.160.61.in-addr.arpa. not found: 3(NXDOMAIN)
233.24.249.123.in-addr.arpa domain name pointer error-cdnzz-com.cdnzz.net.
188.200.125.74.in-addr.arpa domain name pointer sa-in-f188.1e100.net.
As you can see, the first 4 are unresolved, hence there is no domain linked to the IP.
The last 2 do have a domain linked, but I have no idea if they are used for malicious stuff.
But like shadowcore said, shouldn't you be more concerned about where you got this infection from?
After resetting and reinstalling a new ROM, there are few places left for a logger/malicious app to have been hiding.
What you could do is install OSMonitor. This is yet another logging app, but it provides you with a list of all the currently running processes and connections, with the option to watch it or kill it. Maybe you can use this to filter out any loggers still running on your device. You can find it on the Play Store.
You can also restrict network traffic with AFWall+, which is a firewall app. It takes some time to configure, but it does wonders.
Also: Unclefab has written a really good tutorial about securing your phone, in a multitude of ways.
It's here: http://forum.xda-developers.com/general/security/tuto-how-to-secure-phone-t2960077
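The reverse lookups in the post above were done by hand with `host`. Below is an added example (my code, not the poster's) that does the same triage for a whole network log: it parses `host` output, recovers the forward IP from the reversed `in-addr.arpa` name (the octets are stored back to front, so `24.9.193.104.in-addr.arpa` is really `104.193.9.24`), and splits the addresses into resolved and unresolved. The six input lines are the ones quoted above; the `live_ptr` helper is optional and needs network access. For what it's worth, `1e100.net` is Google's reverse-DNS domain, so that last entry is ordinary Google traffic.

```python
"""Triage reverse-DNS (PTR) results for IPs seen in a phone's network log.

Added example, not code from the thread. It parses the output format of the
`host` command, recovers the forward IP from the reversed in-addr.arpa name,
and splits the addresses into resolved / unresolved. The live lookup via
socket.gethostbyaddr is optional and not needed for the embedded sample.
"""
import re
import socket
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Sample `host` output: the six lines quoted in the thread above.
SAMPLE_HOST_OUTPUT = """\
Host 24.9.193.104.in-addr.arpa. not found: 3(NXDOMAIN)
Host 233.127.230.115.in-addr.arpa. not found: 3(NXDOMAIN)
Host 54.213.160.61.in-addr.arpa. not found: 3(NXDOMAIN)
Host 108.213.160.61.in-addr.arpa. not found: 3(NXDOMAIN)
233.24.249.123.in-addr.arpa domain name pointer error-cdnzz-com.cdnzz.net.
188.200.125.74.in-addr.arpa domain name pointer sa-in-f188.1e100.net.
"""

# Optional "Host " prefix, four reversed octets, then the in-addr.arpa suffix.
ARPA_RE = re.compile(r"^(?:Host )?((?:\d{1,3}\.){4})in-addr\.arpa\.?")
PTR_RE = re.compile(r"domain name pointer (\S+)")


@dataclass
class PtrResult:
    ip: str
    ptr: Optional[str]  # None means NXDOMAIN / no PTR record


def arpa_to_ip(arpa_name: str) -> str:
    """'24.9.193.104.in-addr.arpa' -> '104.193.9.24' (octets are stored reversed)."""
    m = ARPA_RE.match(arpa_name.strip())
    if not m:
        raise ValueError(f"not an in-addr.arpa name: {arpa_name!r}")
    octets = m.group(1).rstrip(".").split(".")
    return ".".join(reversed(octets))


def parse_host_output(text: str) -> List[PtrResult]:
    """Turn each non-empty `host` output line into a PtrResult."""
    results = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ip = arpa_to_ip(line)
        m = PTR_RE.search(line)
        ptr = m.group(1).rstrip(".") if m else None
        results.append(PtrResult(ip=ip, ptr=ptr))
    return results


def triage(results: List[PtrResult]) -> Tuple[Dict[str, str], List[str]]:
    """Return ({ip: hostname} for resolved IPs, [ip, ...] for unresolved ones)."""
    resolved = {r.ip: r.ptr for r in results if r.ptr}
    unresolved = [r.ip for r in results if r.ptr is None]
    return resolved, unresolved


def live_ptr(ip: str) -> Optional[str]:
    """Optional live PTR lookup (needs network); returns None on NXDOMAIN."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


if __name__ == "__main__":
    resolved, unresolved = triage(parse_host_output(SAMPLE_HOST_OUTPUT))
    for ip, name in resolved.items():
        print(f"{ip:16} -> {name}")
    for ip in unresolved:
        print(f"{ip:16} -> (no PTR record)")
```

An unresolved address is not by itself suspicious (plenty of CDN and carrier ranges have no PTR), but a list like this gives you concrete IPs to look up in a WHOIS or threat-intel service instead of guessing from raw kernel log lines.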
Traffic through the kernel is normal, see:
https://github.com/ukanth/afwall/wiki/FAQ#34-why-the-kernel-need-an-internet-connection-all-the-time-afwall-shows-appid--11-blocked
You should probably install AFWall+ to restrict internet access to some apps.
Thank you in advance. First of all, I am still a beginner in knowledge here. My Alcatel Fierce 4 TCL 5056N seems to have been hacked and is now being remotely accessed and controlled by an unauthorized 3rd party. I may be way off base, but I think my phone may have been exposed to a R.A.T., temporarily rooted long enough for someone to modify the kernel and other system coding, which I cannot access myself with an unrooted phone, installing some sort of sub-OS with limited user setting options and a completely differently named storage platform (i.e. emulated, bdef55, self), and not even factory resetting my device helps because it reboots into the sub-OS they installed. They are screen overlaying buttons, and toggles are being reversed in real time before my eyes, settings and options are disappearing from one minute to the next, and I've somehow found myself poking around in some Windows software on a PC that is used to develop Android software, maybe SDK, not sure, but it was Linux coding and looked like it was meant for me. I was on the other end of this hack for a few minutes though, but my lack of knowledge made this useless to me. I have downloaded many an app trying to combat this issue but to no avail. Although unsuccessful, I have seen a few things I don't understand but which could possibly be helpful for you to identify exactly what my issue is. One thing is an app I downloaded said that a trust cert has enabled a malicious trust agent and my system is being remotely accessed by a third party. The rest is beyond my understanding but I'm going to list a few tidbits you may recognize. LIB, Kinguser, kingroot, persist, unremovable/???/xxx, code Aurora, bootstrap something, libnfc, system/framework/Apache/xml, bin, user value=0 or 1/2, managed provisioning, also a .base ext. on a bunch of system apps below the same app without and a few others. I don't know if that's helpful but it's all I can remember.
Symptoms are apps closing on their own, microphone and camera being remotely enabled, unable to update Google Play services or store and being forced to use an obviously older and modified version with possible replica apps with restrictions, unexpected reboots, in settings/apps/permissions apps like gallery, when you click battery and then the little i button for info, it says it's a system app and all of a sudden the disable and force close buttons become un-highlighted and unusable, and so on and so forth. Lastly, my home wifi is infected too I think, because my roommate is having the same issues. I've tried (unsuccessfully) to root my phone so I could manually remove some of these apps and extra coding and such, but it seems impossible because of a locked bootloader. Tried about 10 different ways without success so I've just about given up and smashed the damn thing, but then you geniuses popped into my head, so I beg of you, please help me or, if nothing else, tell me to proceed with the smashing...lol! Thank you very much for your time. P.S. I'm new to the XDA dev website so maybe drop me a line at [email protected] with directions back to this thread. Had a bit of trouble navigating here. Thanks again and have a great day! -Spencer
Okay so I've been battling this for some time. I'm starting to get a little more knowledgeable but still don't know what to do with all this. I experienced this first back in 2015, then I completely made a switch. Well, now I'm back to the same issues.
The problem I'm experiencing is it's happening on all the devices I have. The phone I'm on now I bought brand new from MetroPCS, and not even a day, 30 minutes later, I get an update for the phone. I knew not to install or download. But it inevitably did. Now it's sitting on my storage wanting me to move files to root.
LET ME MAKE THIS CLEAR. NONE OF MY DEVICES ARE ROOTED.
To make this short: my devices seem to have a Bluetooth admin, and connect to any Bluetooth device without me knowing.
So far from what I see, Chromium and Stagefright are a big part of what I'm seeing.
I'm attaching some pictures to give a more detailed look. And it's not just my Android devices, it's my Xbox One S as well.
Looking to completely remove. I'm not trying to waste money on switching networks or completely going MIA.
Fast responses please.
Sincerely,
-Desperate androidian
BLEEDCOLORYOU said:
Okay so I've been battling this for some time. I'm starting to get a little more knowledgeable but still don't know what to do with all this. I experienced this first back in 2015, then I completely made a switch. Well, now I'm back to the same issues.
The problem I'm experiencing is it's happening on all the devices I have. The phone I'm on now I bought brand new from MetroPCS, and not even a day, 30 minutes later, I get an update for the phone. I knew not to install or download. But it inevitably did. Now it's sitting on my storage wanting me to move files to root.
LET ME MAKE THIS CLEAR. NONE OF MY DEVICES ARE ROOTED.
To make this short: my devices seem to have a Bluetooth admin, and connect to any Bluetooth device without me knowing.
So far from what I see, Chromium and Stagefright are a big part of what I'm seeing.
I'm attaching some pictures to give a more detailed look. And it's not just my Android devices, it's my Xbox One S as well.
Looking to completely remove. I'm not trying to waste money on switching networks or completely going MIA.
Fast responses please.
Sincerely,
-Desperate androidian
The Android community isn't what it used to be that's for sure. No help, no suggestions. Just nothing.
BLEEDCOLORYOU said:
Okay so I've been battling this for some time. I'm starting to get a little more knowledgeable but still don't know what to do with all this. I experienced this first back in 2015, then I completely made a switch. Well, now I'm back to the same issues.
The problem I'm experiencing is it's happening on all the devices I have. The phone I'm on now I bought brand new from MetroPCS, and not even a day, 30 minutes later, I get an update for the phone. I knew not to install or download. But it inevitably did. Now it's sitting on my storage wanting me to move files to root.
LET ME MAKE THIS CLEAR. NONE OF MY DEVICES ARE ROOTED.
To make this short: my devices seem to have a Bluetooth admin, and connect to any Bluetooth device without me knowing.
So far from what I see, Chromium and Stagefright are a big part of what I'm seeing.
I'm attaching some pictures to give a more detailed look. And it's not just my Android devices, it's my Xbox One S as well.
Looking to completely remove. I'm not trying to waste money on switching networks or completely going MIA.
Fast responses please.
Sincerely,
-Desperate androidian
I'm no expert, but I'm struggling to see the exact issue you seem to think you have; is it just that your Bluetooth is switching on? All those licences, security certs, file locations etc. look normal to me (without checking numbers or being able to compare to the same phone OS etc.), though I have disabled many of those certs, e.g. the Turkish ones etc., & my Bluetooth files are different, but I can find references to those locations online, e.g. Xiaomi phones.
You appear to have a ZTE, please give model number and current OS & rev (must be stock I suppose). ZTE was found with a backdoor in older phones, sending data to China, so it's possible, & some Chinese phones also update their apps without notification. But as you say your whole network appears compromised so the source may be something else, like your router/modem, or Bluetooth as you think (though some apps require Bluetooth admin permission legitimately, you can disable it as an Admin). Tell us what behaviors you are seeing that you believe are malicious. New phone update soon after you turn on is quite common, as I'm sure you know.
When I had a quick look at your log it did have a lot of activity going to the US DOD, would you expect this, as well as the usual google & Facebook connections. Though (perhaps) strangely also to a server from a small marketing company here in Australia, but I'm no expert even if I looked at your log line by line I wouldn't understand it all.
Ref his other post
https://forum.xda-developers.com/general/security/security-global-family-credientals-t3665851
Things to try. Run a reputable antivirus. Boot into safe mode, so only system apps run; is it still happening? Can you turn off anything that is listed as a device admin? Try running a root checker app. Even if it all comes back negative you may still have a problem, as a port may already have been opened and the malicious app self deleted or something. Use an app like Fing to see if any devices you don't recognise are connected to your network.
You may be able to block some activity if it's not going through root with a firewall eg NetGuard no root firewall, start with everything blocked.
Above are just some general hints, without knowing specifics I can only suggest you backup any stuff you want to keep then factory reset everything & change ALL passwords to strong ones (no good just adding a number on the end of your old ones!), better still reflash all firmware (updates if available) to overwrite everything. This incl your internet access points eg router, and only reconnect to the net/networks after you have done them all (one at a time preferably then you may be able to identify source of problems)
That turned out a lot longer than I intended!
IronRoo said:
I'm no expert, but I'm struggling to see the exact issue you seem to think you have; is it just that your Bluetooth is switching on? All those licences, security certs, file locations etc. look normal to me (without checking numbers or being able to compare to the same phone OS etc.), though I have disabled many of those certs, e.g. the Turkish ones etc., & my Bluetooth files are different, but I can find references to those locations online, e.g. Xiaomi phones.
You appear to have a ZTE, please give model number and current OS & rev (must be stock I suppose). ZTE was found with a backdoor in older phones, sending data to China, so it's possible, & some Chinese phones also update their apps without notification. But as you say your whole network appears compromised so the source may be something else, like your router/modem, or Bluetooth as you think (though some apps require Bluetooth admin permission legitimately, you can disable it as an Admin). Tell us what behaviors you are seeing that you believe are malicious. New phone update soon after you turn on is quite common, as I'm sure you know.
When I had a quick look at your log it did have a lot of activity going to the US DOD, would you expect this, as well as the usual google & Facebook connections. Though (perhaps) strangely also to a server from a small marketing company here in Australia, but I'm no expert even if I looked at your log line by line I wouldn't understand it all.
Things to try. Run a reputable antivirus. Boot into safe mode, so only system apps run; is it still happening? Can you turn off anything that is listed as a device admin? Try running a root checker app. Even if it all comes back negative you may still have a problem, as a port may already have been opened and the malicious app self deleted or something. Use an app like Fing to see if any devices you don't recognise are connected to your network.
You may be able to block some activity if it's not going through root with a firewall eg NetGuard no root firewall, start with everything blocked.
Above are just some general hints, without knowing specifics I can only suggest you backup any stuff you want to keep then factory reset everything & change ALL passwords to strong ones (no good just adding a number on the end of your old ones!), better still reflash all firmware (updates if available) to overwrite everything. This incl your internet access points eg router, and only reconnect to the net/networks after you have done them all (one at a time preferably then you may be able to identify source of problems)
That turned out a lot longer than I intended!
Thank you. Now for a better visual. There are too many apps.
And if you can give me links to apps that will help.
And on my OnePlus One the Bluetooth thing says :1002 sharing or MIDI or something.
BLEEDCOLORYOU said:
Thank you. Now for a better visual. There are too many apps.
And if you can give me links to apps that will help.
And on my OnePlus One the Bluetooth thing says :1002 sharing or MIDI or something.
And code.aurora? What is this?
BLEEDCOLORYOU said:
Thank you. Now for a better visual. There are too many apps.
And if you can give me links to apps that will help.
And on my OnePlus One the Bluetooth thing says :1002 sharing or MIDI or something.
I don't have that phone so can't really tell what is a suspect app or not, especially just from screen shots.
Here use this app to run on demand scans against the virustotal database (this is not an "antivirus app" like Avast so offers no protection, it only scans apps on demand, so you should run a good antivirus also)
https://play.google.com/store/apps/details?id=com.funnycat.virustotal
it should flag any suspect apps and you can submit any unknown ones you are worried about.
BLEEDCOLORYOU said:
And code.aurora? What is this?
edit: not Firefox then.
org.codeaurora.bluetooth is a legit part of Bluetooth .... Well unless it's flagged by virustotal then it probably is a malicious app just given a common name to try and hide
IronRoo said:
I don't have that phone so can't really tell what is a suspect app or not, especially just from screen shots.
Here use this app to run on demand scans against the virustotal database (this is not an "antivirus app" like Avast so offers no protection)
https://play.google.com/store/apps/details?id=com.funnycat.virustotal
it should flag any suspect apps and you can submit any unknown ones you are worried about.
Okay, but what is provisioning? Code aurora smartcard services, Google Play for instance apps and
And I've never encrypted this phone.
BLEEDCOLORYOU said:
Okay, but what is provisioning? Code aurora smartcard services, Google Play for instance apps and
And I've never encrypted this phone.
And a lot of the overlay apps and SIM toolkit are all question marked
BLEEDCOLORYOU said:
And a lot of the overlay apps and SIM toolkit are all question marked
See my edit above re aurora.
Sometimes VirusTotal will have 2 or 3 antivirus companies flag a file; these are probably false positives, so probably nothing to worry about (though it could just be a new submission; other companies should soon update if it is real malicious code, check back in a day or two). If lots of companies flag an APK then you have a problem.
It looks like you have a problem with overlays (unless it's an app your phone company installs for that function, not sure what you mean). You should install a proper antivirus app like Avast, Malwarebytes etc. as a first step; hopefully it can remove the malicious APK.
BLEEDCOLORYOU said:
And I've never encrypted this phone.
Doesn't matter; encrypting the phone only protects against unauthorised access to your data. Once it is unlocked anyone can view your stuff. And once a malicious app is on your system it can read all your data even if you had encrypted it, as it's unencrypted when you use it.
IronRoo said:
See my edit above re aurora.
Sometimes VirusTotal will have 2 or 3 antivirus companies flag a file; these are probably false positives, so probably nothing to worry about (though it could just be a new submission; other companies should soon update if it is real malicious code, check back in a day or two). If lots of companies flag an APK then you have a problem.
It looks like you have a problem with overlays (unless it's an app your phone company installs for that function). You should install a proper antivirus app like Avast, Malwarebytes etc. as a first step; hopefully it can remove the malicious APK.
Doesn't matter; encrypting the phone only protects against unauthorised access to your data. Once it is unlocked anyone can view your stuff. And once a malicious app is on your system it can read all your data even if you had encrypted it, as it's unencrypted when you use it.
Okay so now I'm trying to post screenshots of when I'm connected to wifi and it's not letting me
Pairwise ciphers and
Group ciphers
Sim_num
?
BLEEDCOLORYOU said:
And a lot of the overlay apps and SIM toolkit are all question marked
Tap those with question marks to submit to virustotal for analysis
IronRoo said:
Tap those with question marks to submit to virustotal for analysis
/sys/fs/selinux/class/appletalk_socket/perms
Not suspicious?
BLEEDCOLORYOU said:
/sys/fs/selinux/class/appletalk_socket/perms
Not suspicious?
Now I'm not stupid, these are facts. I just need it defined and a solution!!!
No, these are normal library files. Stagefright "the malicious exploits" were called this as it was the Stagefright framework they exploited. Everyone has these files, here are mine below.
You need to use tools like antivirus to identify bad files but even that is no guarantee as there is the possibility the original malicious file could have self deleted and, for example, just left open ports which would not be found as a "virus" but still allow remote access to your device.
If you cannot identify the actual exploit on your phone then the best solution is probably to just reflash the stock rom as this will wipe & overwrite everything. But if a malicious file is left on your SD card or another networked device you could soon be infected/compromised again. That is why I said before if you can't identify the source of your infection you really need to factory reset or reinstall all OS on all devices affected including your home router etc (or maybe it's your work or public network) and change all passwords.
IronRoo said:
No, these are normal library files. Stagefright "the malicious exploits" were called this as it was the Stagefright framework they exploited. Everyone has these files, here are mine below.
You need to use tools like antivirus to identify bad files but even that is no guarantee as there is the possibility the original malicious file could have self deleted and, for example, just left open ports which would not be found as a "virus" but still allow remote access to your device.
If you cannot identify the actual exploit on your phone then the best solution is probably to just reflash the stock rom as this will wipe & overwrite everything. But if a malicious file is left on your SD card or another networked device you could soon be infected/compromised again. That is why I said before if you can't identify the source of your infection you really need to factory reset or reinstall all OS on all devices affected including your home router etc (or maybe it's your work or public network) and change all passwords.
I'm on a video bridge network I got the direct TV setup with 2 wireless setups. Both secure from what I know.
BLEEDCOLORYOU said:
Pairwise ciphers and
Group ciphers
Sim_num
?
These are for encryption of your connection, not your phone
BLEEDCOLORYOU said:
I'm on a video bridge network I got the direct TV setup with 2 wireless setups. Both secure from what I know.
I'm no coding/security guru, but I have worked on telecoms, military electronics, etc but my coding & network security knowledge is limited.
I would run this app Fing to check your local network, are there any unknown devices connected?
https://play.google.com/store/apps/details?id=com.overlook.android.fing
note: this only finds currently connected devices, so you'd want to do this several times & especially when you see suspect behavior.
Also check for open ports, easiest way is probably this site, it will scan the first 1000 ports or so (select all)
https://www.grc.com/
go to shields up
but you really need to scan ALL possible ports with a tool like Zenmap (for PC) if you think you are compromised
https://nmap.org/zenmap/
However it's not clear to me if you ever installed a proper antivirus and whether it found and deleted anything? VirusTotal seemed to find some suspect APKs. I had a quick look at the Trend Micro database but it didn't list details of the one it found in your screenshot, but the fact some of those antivirus companies called the suspect APK names with "joke" in it may suggest it's just a joke app your mate has installed, though probably not a joke app if your other devices are really also compromised; from memory there is also real malware with that name which may be able to infect other devices. Running a proper antivirus should easily find and clean any "joke" app on your phone & hopefully any real malware. If you've done this and are still seeing indications you are compromised then do what I suggested above. (Also repeat malware checks on other devices and removable storage media.)
You should also log into your router as admin and check settings, are you using a secure router password? Is firmware up to date. Is firewall set up correctly? Also close any open ports that you don't use. Turn off remote admin, if router has it. Etc etc what do your router logs show (turn on more detailed logging if necessary) Factory reset or reinstall firmware if you think changes have been made to your router by someone else.
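The post above recommends scanning your own router for open ports and closing what you don't use. As an added example (mine, not the poster's), here is a small script that takes nmap's grepable output (`nmap -oG scan.gnmap -p- <your-router-ip>` on the LAN side) and reports every open TCP port that is not on an allowlist of services you actually intend the router to expose. The scan text embedded below is constructed to show the format; the router address, ports and service names are sample values, not results from anyone's device in this thread.

```python
"""Compare the open ports nmap found on a home router against what you expect.

Added example, not from the thread. It parses nmap's grepable (-oG) output and
lists open TCP ports missing from an allowlist. The scan text is constructed
sample data: address, ports and services are illustrative only.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample of `nmap -oG - -p- 192.168.0.1` output (tabs separate fields).
SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated Sun Jan  1 00:00:00 2023 as: nmap -oG - -p- 192.168.0.1
Host: 192.168.0.1 (router.lan)\tStatus: Up
Host: 192.168.0.1 (router.lan)\tPorts: 53/open/tcp//domain///, 80/open/tcp//http///, 23/open/tcp//telnet///, 443/closed/tcp//https///, 7547/open/tcp//cwmp///\tIgnored State: filtered (65530)
# Nmap done at Sun Jan  1 00:00:05 2023 -- 1 IP address (1 host up) scanned in 5.00 seconds
"""

# Services you deliberately run on the LAN interface (example allowlist).
EXPECTED_LAN_SERVICES = {53: "domain", 80: "http"}

# One port entry looks like: port/state/protocol/owner/service/rpc/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)/")

PortEntry = Tuple[int, str, str, str]  # (port, state, proto, service)


def parse_gnmap(text: str) -> Dict[str, List[PortEntry]]:
    """Return {host_ip: [(port, state, proto, service), ...]} from -oG output."""
    hosts: Dict[str, List[PortEntry]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comments and status-only lines carry no port data
        host = line.split()[1]
        # The Ports field runs until the next tab-separated field.
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        entries = []
        for raw in ports_field.split(","):
            m = PORT_RE.match(raw.strip())
            if m:
                entries.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
        hosts[host] = entries
    return hosts


def unexpected_open_ports(hosts: Dict[str, List[PortEntry]],
                          allowlist: Dict[int, str]) -> Dict[str, List[Tuple[int, str]]]:
    """Open TCP ports per host that are not in the allowlist."""
    findings: Dict[str, List[Tuple[int, str]]] = {}
    for host, entries in hosts.items():
        bad = [(port, svc) for port, state, proto, svc in entries
               if state == "open" and proto == "tcp" and port not in allowlist]
        if bad:
            findings[host] = bad
    return findings


if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_GNMAP)
    for host, bad in unexpected_open_ports(scan, EXPECTED_LAN_SERVICES).items():
        for port, svc in bad:
            print(f"{host}: port {port} ({svc or 'unknown'}) is open but not expected")
```

In the constructed sample the script would flag telnet (23) and the CWMP/TR-069 management port (7547); whether either is legitimate on your router is something to confirm in its admin interface, as the post says, not something the scan can decide for you.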
Hi, I am having the same issues. Exact same behaviors regardless of new phones, new carrier and all accounts being unconnected in name, Google etc. This is extreme. It's via Bluetooth, I agree, something with eSIMs or virtual SIMs for use of wifi access and/or signal piracy for media. The DOD files are also something I am familiar with seeing. Code Aurora was also a govt project way back. It's interesting that I have Verizon files loading on AT&T phones and Sprint loading on Verizon. Whatever this is has managed to infiltrate my computers as well. It's relentless. It's impressive and sophisticated. Please please help.
Spidder77 said:
Hi, I am having the same issues. Exact same behaviors regardless of new phones, new carrier and all accounts being unconnected in name, Google etc. This is extreme. It's via Bluetooth, I agree, something with eSIMs or virtual SIMs for use of wifi access and/or signal piracy for media. The DOD files are also something I am familiar with seeing. Code Aurora was also a govt project way back. It's interesting that I have Verizon files loading on AT&T phones and Sprint loading on Verizon. Whatever this is has managed to infiltrate my computers as well. It's relentless. It's impressive and sophisticated. Please please help.
I'm having the same issues. Did anyone ever resolve or figure out what is happening? I think I'm under investigation by the DOD and they own my devices. My uploads/downloads are blocked, internet searches filtered, pics/screenshots of evidence deleted off my phone, etc.
Ok. Last year someone was able to tunnel into my network at home. A lot of crazy s*** went down. Long story short, I think there's something fishy going on again.. let me explain.
Every time I get a new phone, laptop, desktop, etc. I start finding a ridiculous amount of hidden files and folders. The PC side is no longer the issue, now it's moved to Android, I think?..
The question I want to know is, how can I compare what my phone should be installing after a factory reset, file wise? I've looked for a list online to compare with and no luck so far. I also found that there is a partition of the internal storage, completely hidden and inaccessible. Like.. I can't see anything. Add that with permissions being changed randomly so I'm not able to take full control over these pesky little buggers.
In short, I'm either wayyyy too high off that last dab, or my phone is being tampered with. What can I do? Here's what I'm working with.
Samsung A21 (SM-S215DL) using Straight Talk. Attached is a screenshot of the SW mumbo jumbo. I really hope someone can help. TIA!
namdrop22 said:
The question I want to know is, how can I compare what my phone should be installing after a factory reset, file wise? I've looked for a list online to compare with and no luck so far.
IMO nobody can tell you what apps to install after a Factory Reset: it's solely your decision what apps you want to run.
jwoegerbauer said:
IMO nobody can tell you what apps to install after a Factory Reset: it's solely your decision what apps you want to run.
No no. You're missing the question here.
namdrop22 said:
No no. You're missing the question here.
May be.
A Factory Reset doesn't install anything, it wipes all user apps and data. A Factory Reset never touches Android OS itself.
Look at the running apps and services; anything utilizing root or kernel or system privileges will not be in that list unless it's using an app to bootstrap, but if you have a weird duplicate system app or an app with a strange name that could help you narrow it down. If you have USB debugging enabled you may be able to run a logcat as well to see what messages the system is generating.
Does Samsung offer any tools to read the boot log? You might find something in that too. Lastly, well, you should do this first, check if there are any exploits or vulnerabilities with your phone's software and hardware. Google search " chipset-or-software-name-here + escalate vulnerable cve exploit "
Check past software versions too; you could get hit while the vuln is unknown or lesser known, before the manufacturer's patches.
Can you elaborate on these file systems or folders you say you have that are invisible?
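The advice above (look for duplicate system apps or strangely named packages, with USB debugging enabled) can be done systematically over `adb` output. Here is an added example, my code rather than anything from the thread, that parses the text of two real commands, `adb shell pm list packages -s` (system packages) and `adb shell pm list packages -3 -i` (third-party packages with their installer), and flags two things: third-party packages with `installer=null`, which were not installed through a store (sideloaded), and third-party packages whose name is within a couple of characters of a system package name, the "duplicate system app" trick. The package lists embedded below are constructed sample output, not taken from any poster's device.

```python
"""Flag sideloaded and lookalike packages from `adb shell pm list packages` output.

Added example, not from the thread. Inputs are the text of:
  adb shell pm list packages -s      # system (preinstalled) packages
  adb shell pm list packages -3 -i   # third-party packages + installer package
A third-party package with installer "null" was sideloaded; one whose name is
an edit or two away from a system package is a classic hiding trick.
The package lists below are constructed sample output.
"""
import re
from typing import Dict, List, Optional

SYSTEM_LIST = """\
package:com.android.settings
package:com.android.vending
package:org.codeaurora.bluetooth
package:com.android.systemui
"""

THIRD_PARTY_LIST = """\
package:com.android.chrome  installer=com.android.vending
package:com.whatsapp  installer=com.android.vending
package:com.andriod.settings  installer=null
package:com.example.flashlight  installer=null
"""

# "package:<name>" optionally followed by "  installer=<pkg or null>"
LINE_RE = re.compile(r"^package:(\S+)(?:\s+installer=(\S+))?")


def parse_pm_list(text: str) -> Dict[str, Optional[str]]:
    """Return {package_name: installer_package or None} from pm list output."""
    out: Dict[str, Optional[str]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            inst = m.group(2)
            out[m.group(1)] = None if inst in (None, "null") else inst
    return out


def levenshtein(a: str, b: str) -> int:
    """Edit distance; small values between two package names are suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def sideloaded(third_party: Dict[str, Optional[str]]) -> List[str]:
    """Third-party packages with no installer recorded (not from a store)."""
    return sorted(pkg for pkg, inst in third_party.items() if inst is None)


def lookalikes(third_party: Dict[str, Optional[str]],
               system: Dict[str, Optional[str]],
               max_distance: int = 2) -> Dict[str, str]:
    """Third-party packages whose name nearly matches a system package name."""
    hits: Dict[str, str] = {}
    for pkg in third_party:
        for sys_pkg in system:
            if pkg != sys_pkg and levenshtein(pkg, sys_pkg) <= max_distance:
                hits[pkg] = sys_pkg
    return hits


if __name__ == "__main__":
    system_pkgs = parse_pm_list(SYSTEM_LIST)
    third = parse_pm_list(THIRD_PARTY_LIST)
    print("sideloaded:", sideloaded(third))
    print("lookalikes:", lookalikes(third, system_pkgs))
```

Sideloaded is not the same as malicious (F-Droid installs show up with a non-null installer, but an APK copied over by hand does not), so treat the list as "packages to look at first" and submit the unfamiliar ones to VirusTotal as suggested earlier in the thread.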
Unless you loaded malware, a trojan etc. onto the phone, either in data from the PC, an email download, an app you installed or a download from the internet.
Even so it would die with a factory reset... so do another factory reset if you think so.
Then be careful what you allow into it.
Don't let anyone use your phone or access any of your devices, i.e. flash cards, PC etc.
Run "SafetyNet Test" (SafetyNet device compatibility test, on Google Play at play.google.com) to check whether the phone's Android got tampered with or not.