Possible malware infection/network attack


11 replies to this topic

#1 RayRay26

Posted 21 November 2018 - 02:15 PM

The night of the 17th, I was using the Facebook app when suddenly a download-in-progress icon appeared in the status bar. I pulled down the notifications screen just in time to catch a glimpse of the word "attackers" followed by a bunch of symbols like $ before it disappeared. I could not find anything in the downloads folder list, ESET Premium, which was monitoring my phone and all downloads, hadn't even detected it, and I tried in vain to search online using only the selected phrases I had managed to glimpse.

Then by sheer luck, today, I managed to find a thread on this problem with the full details. The message had been "attackers on <b>%1$s</b> might atte..." with a download in progress while using the Facebook app, which I assume is completed as "might attempt to steal your information" or something.

I tried using this phrase to search about it on Google, and while nothing specific to this problem came up, a list of generic information results on various types of network attacks, DDoS, man-in-the-middle and zero-day attacks came up, which has me really worried.

I am still using the phone as is; I really don't know much about technology-related things. Please advise me what I should do now, whether I should just turn off the phone or something. The person in the other thread said he had reset his phone and the problem had reappeared when he signed into Facebook again, so now I'm not sure if a simple factory reset will help and I will probably need to install a custom ROM or something.

I'm using Android 7.0 on a Samsung Galaxy J7 Prime. I got a software update to Oreo just an hour earlier, and I wonder if updating the software will help remove whatever malware/spyware/hacking application got installed.

Please help, I am logged into all my accounts through this phone and it's already been like 4 days since the message first appeared; damage control is needed.

Thank you very much. If you know anything, anything, please let me know it's very urgent.


#2 svim

Posted 22 November 2018 - 11:05 PM

It's hard to determine if your phone has or hasn't been compromised just through a help forum.

But if you do suspect this issue is more than just some pop-up crap:

-- Go into your Settings >> Apps menu, locate the Facebook app entry and open it. Now tap on the 'Force stop' button, then go into 'Storage' and tap on the 'Clear data' button. This wipes all the app's settings and configuration data, and its cache, essentially returning it to its original, first-time used status. Reboot your phone.

-- You mentioned having ESET installed, so do a full manual scan, and while that's going on log into your Facebook account on a trusted PC and change your account password. If you don't have two-factor login enabled, give some serious thought to enabling it.

-- Hopefully if the ESET scan does find anything it will be able to take care of the problem, but another utility to try is Malwarebytes. Either way, start up the Facebook app and you'll have to re-enter your user name and your new password since you had earlier wiped the Facebook app settings. (If you made any changes in the app's settings menu you'll have to redo those too.)

-- Or another option, if you're not a heavy Facebook user, is to avoid using the Facebook app entirely and just use your phone's web browser app to log into your Facebook account.



#3 RayRay26 (Topic Starter)

Posted 26 November 2018 - 05:34 PM

Hello, thanks a lot for replying. Yes, I understand that no one can know if my device is compromised unless they can actually examine it, but I was hoping if anyone knew anything about this particular incident.

I have run full scans with multiple apps now, ESET Premium, Malwarebytes free, Kaspersky trial, Norton trial, Sophos, McAfee, and my preinstalled Knox security, and none of them found anything. But my phone has been behaving strangely for a while now, since even before this incident occurred. I am not able to figure out what is causing this. I have checked the list of all the apps I have installed, and they have all been on my phone for quite a while now and never caused problems; all this weird behaviour started around a month ago and all my apps are older than that. I have tried pulling up the system apps list too and searching online for any app that seems suspicious, but so far, the apps I have searched are all legit apps. Though I haven't checked each and every app on the list manually, because there are too many.

Thank you for your suggestions, I will try clearing the data and cache and see if it happens again. It does seem largely like a Facebook app related issue, because I have found a few users on forums who have had same problem while using the app. One of them even factory reset his phone to be on the safe side, but the same notification appeared again the next time he logged into Facebook through the app on his phone. For other users too, the problem has recurred, happening multiple times, though on my phone, so far, it was only a one time thing.

Just for research's sake, here's a screenshot of what it looked like; one of the other users posted it, and it was the same on my device. In case any of you might know about it, or get an understanding of what it was.

https://m.imgur.com/a/31Pds5y

Thank you.

#4 svim

Posted 27 November 2018 - 04:44 PM

Still wondering if the Facebook app is the source of the problem, or if it's just being affected by some bigger problem. I'd still strongly recommend you at least reset your password. If you check your FB Activity Log does it reveal anything that doesn't seem to be directly related to your usage?

https://www.facebook.com/help/437430672945092


Regarding your phone, if you have all those anti-virus/anti-malware apps concurrently installed that's going to have a direct effect on general performance. Better to rely on one of them, or not even have one installed at all -- while there are now countless exploits and compromises for all of us to worry about, there still isn't an actual Android 'virus' on record. Filtering out all the references to any problem being tied to a 'virus' will make it easier to diagnose what is actually going on.


Another very significant issue to keep in mind is that all of those anti-virus apps you tried will have to be installed as typical, general user apps. On your J7 the phone's internal storage is divided into several partitions, with most of them being dedicated only to the operating system and only one being a general user data partition. You only have free, unfettered access to that user data partition, with only very limited access to any of those OS partitions (unless you root your device). And that's the most important aspect: an Android a/v utility will only have full access to that data partition, and will have read-only access at best to any of those permission-protected system partitions. So when there is an actual 'virus' that resides on your data partition, one of those a/v utilities should be able to find and hopefully fix the problem. But there are some exploits now that are able to install themselves into the operating system itself. In this instance an Android a/v utility, having only user-level permissions, won't have read/write access to the installed OS itself. The most common solution in this case is to just re-flash the stock ROM, essentially replacing the OS with a clean one. But that's a last-resort option and it's still not definitive what the source of the problems actually is.

Try doing some basic maintenance on your phone to see if that makes any improvement.

-- Uninstall any apps you just don't use or need. And when you do an uninstall, don't just use that 'Uninstall' button. When you're removing an app go into 'Storage' and tap on that 'Clear data' button before tapping on 'Uninstall'. This will more likely result in clearing all that app's data off your phone. When you use just the 'Uninstall' button, that often leaves any settings/configuration files behind. (More often than not, when you just use 'Uninstall', if you later decide to re-install that same app, it will just pick up the previously left-behind settings/configuration data so you don't even need to re-enter things like your user name/password.) For those pre-installed apps, you won't be able to uninstall them, but most you can at least disable. Taking steps to have fewer processes running in the background frees up system resources for things you do want to have active.

Another thing to look into is the Battery Optimization feature that's already a part of Nougat; Android's integral power and memory management gets better with each version. Check your Settings >> Battery menu and be sure it's enabled, and set your apps accordingly.

-- Go into your phone's Settings >> Storage menu, find the app's cached data option and wipe it. Generally you just leave app caches alone; any app relies on its own cache to function, so when you wipe them they just get rebuilt the next time you use the app. But as occasional maintenance and clean up, wiping them at least eliminates a possibility -- i.e. a lot of browser-based pop-ups and crap can be cleared by wiping the browser app's cache.

-- Try wiping the system cache partition too. The system cache has its own dedicated partition and to clear it you need to restart your J7 into its Recovery Mode. Also, the system cache is completely separate from the user data partition so none of your saved data will be affected. Anyway, to get into Recovery Mode you need to power off your phone, then start it up while simultaneously holding down the Volume Up, the Home, and the Power buttons. Once it's running in Recovery Mode it'll be in a text-only interface so you need to use the buttons indicated at the bottom of the screen to navigate through the different menus. See here for a more detailed guide:

https://www.hardreset.info/devices/samsung/samsung-galaxy-j7-prime/recovery-mode/

The actual wiping process only takes a few seconds, and it's generally a good thing to do especially after something like applying an OTA system upgrade. (Also note that all cache files are basically just temp files -- necessary but not vital. Anything 'permanent' won't be stored in a cache.)


-- If you do decide to do a Factory Reset, be sure to back up all your saved data first. Install Samsung's 'Smart Switch' utility on a computer to do a full backup of your phone, then use its restore function to restore your files after the Reset.

https://www.samsung.com/us/support/owners/app/smart-switch

Something to keep in mind is doing a Factory Reset will NOT fix something like an exploit that has infected the operating system. Again, a compromised Android OS will have to be flashed over with a new, clean ROM. All a Factory Reset does is wipe that general user data partition. It does not affect any of those system partitions. It's an unfortunate but common misconception that a Factory Reset will wipe the phone's entire storage media clean, but that's just not true. Doing a Reset on a rooted phone won't return it to its original non-rooted state, nor will a Reset return a phone that's been upgraded to Nougat back to its original Marshmallow. The phone's OS will be the same after a Reset as it was before the Reset; it cannot delete the running operating system and magically reinstall a clean, new one. (Phones running Oreo and above have a different partitioning scheme that involves more modularity, where the base Android OS is its own entity and the carriers and manufacturers have access to other inter-related system partitions. But this is a fundamental change in the file structure so it applies only to phones initially set up this way, not to phones getting OTA version upgrades.)

But the bottom line is, if there actually is some kind of exploit on your phone (that's still to be determined), then if it's in your data partition a Factory Reset will fix that. If it's in the OS however, that requires flashing the ROM, a more involved task.



#5 RayRay26 (Topic Starter)

Posted 27 November 2018 - 10:21 PM

Once I reset my password, should I not log back in on the device with the issues? The activity log does not have anything suspicious, and neither do the current login sessions. I checked from another device which is presumably clean. I also tried going through past login and logout history, in case someone else logged in, then logged out and removed the obvious traces, but that history is only detailed by IP address, and how do I know which was mine and which wasn't? As far as I know the public IP changes daily...

And no, I don't have all those antivirus apps installed all the time, I downloaded them for one time scans, then after scanning was done and no problem was found, I uninstalled and left only the one I usually rely on, Kaspersky.

I have cleared the specific app caches for browser apps, will do a cache partition wipe next. Thank you for letting me know the limitations of antivirus software, seems like it isn't as effective as it is on Windows OS. Hypothetically, saying there is some kind of exploit on my OS running malicious software, and it got through a security hole, how can I detect it if a/v can't? Like I can do a clean OS install, or even get a new device, but I would have to be sort of sure that the OS is compromised. What should be my next step here? If an exploit or malicious process was rooted to the OS, would I be able to see it in the list of system apps through settings? I know I wouldn't be able to uninstall any of them until I rooted, but as far as detection goes...would that help? Or is it that all processes running on system aren't visible until the device is rooted?

I always practice safe methods on my phone, but guess you can never be secure when you're on the Internet.

Thanks for your guidance. I hope I can get to the bottom of this soon, still got lot of crucial information on this phone and I'm using the device so far.

#6 svim

Posted 29 November 2018 - 12:12 AM

Once I reset my password, should I not log back in on the device with the issues?

Well depending on how many shortcuts you take, you may or may not have to. However if you did a) 'clean' the Facebook app and b) reset your password on another device or computer, then you would have no choice but to re-enter your user name and new password.

.....  seems like it isn't as effective as it is on Windows OS. Hypothetically, saying there is some kind of exploit on my OS running malicious software, and it got through a security hole, how can I detect it if a/v can't? Like I can do a clean OS install, or even get a new device, but I would have to be sort of sure that the OS is compromised. What should be my next step here? If an exploit or malicious process was rooted to the OS, would I be able to see it in the list of system apps through settings? I know I wouldn't be able to uninstall any of them until I rooted, but as far as detection goes...would that help? Or is it that all processes running on system aren't visible until the device is rooted?

It's a different situation completely. With Windows, out of the box a general user is running with administrative privileges, a somewhat backwards practice that's a long-standing and much debated security issue. When you get an Android device, the default user account is always a restrictive-privilege account. To get root access, you have to do so intentionally. It's not that something like an a/v utility is more or less effective one way or the other, it's the underlying issues involved with two different platforms that have contrasting user scenarios. (If you were running your Win PC in a non-admin account and you could get an a/v utility to even run without admin privileges, it wouldn't be able to do squat on the base Windows OS either.)


But getting back to your phone, if the OS is compromised (that's still to be determined, as this tends to sound more like a Facebook account issue and not necessarily a phone issue), one of those utilities you tried will often be able to detect such problems, but it 'might' but probably cannot actually fix them. And it's still a matter where most Android malware issues are still But the most prudent thing to do is flash your phone with its stock ROM. Flashing a ROM is essentially the same as using a Restore disc/image on a Win PC: the OS gets overwritten with a 'clean' copy. Flashing a stock ROM does not require you to root your phone either; rooting is only required when you're going to use a custom, third-party ROM (i.e. Lineage). It's also important you use a ROM that matches your exact model ID and your carrier. Don't just use any ROM; that could soft-brick your phone or at best result in quirky stability and loss of some features. Go here and search for your model (a J7 Prime should be something like SM-G610x with the x varying to identify your locale and/or carrier):

https://updato.com/firmware-archive-select-model?exact=1&q=GALAXY%20J7%20Prime

For more details on the actual flashing process:

https://updato.com/how-to/how-to-install-an-official-samsung-stock-firmware-using-odin

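Post #5 asked whether an implant sitting in a system partition would show up in the list of system apps, and the reply above draws the line between the user-data partition and the OS partitions. As an added example (not code from the original thread, and nothing the poster ran), here is a small Python triage script over the output of `adb shell pm list packages -f -i`, which lists each package's APK path and the package that installed it: apps whose APK lives under /system, /vendor, /oem or /product survive a factory reset and are only replaced by a stock-ROM reflash, while apps under /data/app that were not installed by the Play Store (com.android.vending) are the ones worth a closer look. The line format is the one `pm` prints on Android 7/8, the sample output is constructed, and every package name other than com.android.systemui and com.facebook.katana is invented for the example.

```python
"""Triage the output of `adb shell pm list packages -f -i`.

A factory reset wipes only the user-data partition; anything installed under
/system, /vendor, /oem or /product survives it and is only replaced by
reflashing the stock ROM. The installer field separates Play Store installs
from sideloaded APKs. The line format assumed here is what `pm` prints on
Android 7/8:
    package:<apk path>=<package name>  installer=<installer package or null>
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

SYSTEM_PREFIXES = ("/system/", "/vendor/", "/oem/", "/product/")
PLAY_STORE = "com.android.vending"

LINE_RE = re.compile(
    r"^package:(?P<path>\S+?)=(?P<pkg>[^\s=]+)(?:\s+installer=(?P<installer>\S+))?$"
)

# Constructed sample, not a dump from any real device; package names other than
# com.android.systemui and com.facebook.katana are invented for the example.
SAMPLE_PM_OUTPUT = """\
package:/system/priv-app/SystemUI/SystemUI.apk=com.android.systemui  installer=null
package:/system/app/Gallery/Gallery.apk=com.example.oem.gallery  installer=null
package:/data/app/com.facebook.katana-1/base.apk=com.facebook.katana  installer=com.android.vending
package:/data/app/com.example.av-2/base.apk=com.example.av  installer=com.android.vending
package:/data/app/com.example.sideloaded-1/base.apk=com.example.sideloaded  installer=com.google.android.packageinstaller
package:/data/app/com.example.unknown-1/base.apk=com.example.unknown  installer=null
this line is not a package entry and is skipped
"""


@dataclass
class AppRecord:
    package: str
    apk_path: str
    installer: Optional[str]  # None when pm reports installer=null
    partition: str            # "system", "data" or "other"

    @property
    def survives_factory_reset(self) -> bool:
        # Only the data partition is wiped by a factory reset.
        return self.partition == "system"

    @property
    def verdict(self) -> str:
        if self.partition == "system":
            return "preinstalled: untouched by factory reset, only a stock ROM reflash replaces it"
        if self.installer == PLAY_STORE:
            return "Play Store install: removed by Uninstall or factory reset"
        if self.installer is None:
            return "REVIEW: user-partition app with no recorded installer (sideloaded or adb install)"
        return f"REVIEW: installed via {self.installer}, not the Play Store"


def classify_partition(apk_path: str) -> str:
    if apk_path.startswith(SYSTEM_PREFIXES):
        return "system"
    if apk_path.startswith("/data/"):
        return "data"
    return "other"


def parse_pm_output(text: str) -> List[AppRecord]:
    """Parse `pm list packages -f -i` lines; lines that do not match are ignored."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        installer = m.group("installer")
        if installer == "null":
            installer = None
        path = m.group("path")
        records.append(AppRecord(m.group("pkg"), path, installer, classify_partition(path)))
    return records


def needs_review(records: List[AppRecord]) -> List[str]:
    """Packages on the data partition that did not come from the Play Store."""
    return [r.package for r in records if r.verdict.startswith("REVIEW")]


def partition_counts(records: List[AppRecord]) -> Dict[str, int]:
    return dict(Counter(r.partition for r in records))


if __name__ == "__main__":
    for rec in parse_pm_output(SAMPLE_PM_OUTPUT):
        print(f"{rec.package:32} {rec.partition:7} {rec.verdict}")
```

Run `adb shell pm list packages -f -i > packages.txt` from a PC with USB debugging enabled and feed the file to parse_pm_output(). A 'REVIEW' verdict is a starting point for a lookup, not proof of anything malicious, and a rootkit that hides from the package manager will not appear in this list at all, which is the limitation the reply above describes.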


#7 RayRay26 (Topic Starter)

Posted 29 November 2018 - 01:05 AM

I understand. Well, I'm taking the phone to a person I know who works in the security field, just so he can take a look at it, but honestly, it doesn't seem like if something was running in the system partition, he would be able to do or detect anything either unless he rooted or used something like adb, so...If I want peace of mind, without rooting or anything, I'll just have to go for a clean install. It's easier that way.

I have two questions regarding the clean install and the backup that I have to perform.

1) I'm backing up my data to Google Drive and a USB drive, don't have access to a computer at the moment. However, due to the in-built auto backup feature that Android 7 has or something else, when I plug in my USB via OTG cable, not just the personal data I am copying, but several app files (system ones too), like com.kmsfree (Kaspersky's files), com.sec.android.gallery (I'm guessing my device's inbuilt gallery app), .nomedia, LOST.Dir, com.android.systemui, basically everything that's inside the Android > data folders visible in my Internal storage and SD card, just automatically get loaded onto the USB. Obviously I do not want to copy the app files, because I have no use for them; after the clean install, I'm just going to get the apps off of the Play Store again, but as of now, I haven't been able to stop this auto backing up. I'm worried that if I do have something malicious on the system, it might get backed up on the drive this way too, and thus when restoring the data back to my clean device, I'll just cause reinfection and be back to square one. Even in Google Drive, I have backups of App Data and call logs and default wallpapers and whatnot, and they all got backed up automatically, and will probably get restored automatically too. How can I either stop this auto backup, or at least stop the automatic restoration? I definitely do not want to restore anything related to the old OS, don't want to risk reinfection. I have tried in vain to find a solution online, trying for a couple days now since I thought I'd do a factory reset. Are my worries justified?

2) I realize once I flash the ROM, I'll lose all OTA system upgrades I've received and go back to the original OS my device came with at the time of purchase. But my device is old, so is my old OS version, and I have received several security patches, including a very recent upgrade to Android Oreo, and I'll lose all of that. Which then is a different kind of security issue, outdated software with lots of vulnerabilities. Will I be able to receive or reinstall the recent system upgrades again after the original OS is installed? I understand I can't just install Oreo on my phone because that's not the original one, but after the installation, will there be any way to get the security patches Samsung has issued once again?

#8 svim

Posted 30 November 2018 - 01:56 AM

1) Are you referring to the backup and restore option in your phone's Settings menu? If so, that's in no way any kind of comprehensive, full backup solution. All that menu option covers is limited to only your settings preferences and the data from Google-related apps and services. That's the stuff that gets backed up online in your Google account, and that's all that gets automatically transferred around. All your saved data (documents, photos, videos, music, etc.) is NOT a part of that. It's your responsibility to set up a real backup solution for your data. It's unfortunate you don't have access to a computer; using Smart Switch would make it much easier to back up and then restore. Doing it manually is a lot more involved, especially since it involves multiple services. One last point to keep in mind -- using Odin properly (follow documented instructions as is) you should be able to flash a stock ROM without losing your saved data. The ROM gets written into the system partitions, and the user data partition is just left untouched. (Note there is a 're-partition' check-box setting in Odin's config window -- always make sure that's not enabled.)

2) If you go to that updato page and there's more than one ROM that corresponds with the same model/carrier phone, that's often because there are newer, updated and older ROMs. The newer-dated ones may or may not have all the security patches depending on their creation date. Typically you want to choose the newest-dated one to flash with. Then just let your phone receive and apply any OTA patches as needed. Since it's an official, stock ROM that you flashed, your carrier will pass along those security patches the same way as before. (If you were to use a custom ROM however, that's when the carrier updates don't apply; you'll get those from the ROM developer. Or if you just root your phone and leave it running its stock ROM, at that point you'll also have problems applying OTA updates from your carrier.)



#9 RayRay26 (Topic Starter)

Posted 30 November 2018 - 09:49 PM

I think I wasn't clear with my concerns about the backup of data. I am not relying on the backup/restore option of my phone to back up anything for me, I'm doing it manually to a USB drive via OTG cable. What I'm concerned about is when I'm using a USB, system files are automatically getting backed up to it (com.kms.free, com.sec.android.gallery, .nomedia, LOST.Dir, com.android.systemui, basically everything that's inside the Android > data folders visible in my Internal storage and SD card). I was asking, ASSUMING my system partition is compromised by an exploit, will it be safe to back up these system files on the same drive where I'm copying my personal data files? I will be restoring my personal data files after I reinstall the OS, will this somehow risk reinfection? And if yes, then is there a way to stop this auto backup/auto restoration of system files?

Hope I was able to explain my concerns clearly to you. Apologies for my inability to word it properly the first time.



And thank you for the information. I didn't know I could reinstall ROM without erasing user data, but I will back up just in case something goes wrong, because I've never used Odin before, and it's better to be safe than sorry. Thanks a lot for all your help.

#10 svim

Posted 02 December 2018 - 02:32 PM

Well in the event your phone does get 'infected' somehow, it's always a matter where there's a possibility something has compromised a file that you back up. So the more you back up (everything you can see as opposed to just your relevant data), this 'could' increase the chance of re-infecting your phone when you restore from your backup. It's a good practice to always scan your backup with a good a/v utility just for posterity if anything.

But I'd focus more on backing up just your personal files and relevant app data, since any incidentals like those miscellaneous files and directories you listed aren't that vital anyway -- you can continue manually backing them up but you're going to waste a lot of time actually manually restoring them. Those will be re-created by the OS and/or when you reinstall your apps.
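The advice above, back up only the personal files and check the backup before restoring it, can be made mechanical. As an added example (not the poster's procedure, not Smart Switch, and not code from this thread), the Python script below copies only the personal directories of an Android external-storage tree, skips the app-private and residue directories that the OS and reinstalled apps recreate (Android/data, LOST.DIR, .nomedia markers), and writes a sha256sum-style manifest so that a later verify pass reports anything missing or changed before it goes back onto the reflashed phone. The directory names are Android's standard ones; the exclusion list and the constructed sample tree in demo() are this example's own choices.

```python
"""Selective backup of an Android external-storage tree plus a SHA-256 manifest.

Only personal directories are copied; app-private and filesystem residue
(Android/data, Android/obb, LOST.DIR, .nomedia markers) are skipped because
the OS and reinstalled apps recreate them. The manifest lets a later restore be
checked file by file: anything missing or changed since the backup is reported.
Directory names follow Android's external-storage layout; the exclusion list is
this example's own choice.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

PERSONAL_DIRS = ("DCIM", "Pictures", "Documents", "Download", "Music", "Movies")
EXCLUDED_DIRS = {"Android", "LOST.DIR", ".thumbnails"}
EXCLUDED_FILES = {".nomedia"}
MANIFEST_NAME = "MANIFEST.sha256"


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def plan_backup(src: Path) -> List[str]:
    """Relative POSIX paths of the files worth keeping under src."""
    keep = []
    for top in PERSONAL_DIRS:
        base = src / top
        if not base.is_dir():
            continue
        for dirpath, dirnames, filenames in os.walk(base):
            dirnames[:] = [d for d in dirnames if d not in EXCLUDED_DIRS]  # prune in place
            for name in filenames:
                if name in EXCLUDED_FILES:
                    continue
                keep.append((Path(dirpath) / name).relative_to(src).as_posix())
    return sorted(keep)


def run_backup(src: Path, dst: Path) -> Dict[str, str]:
    """Copy planned files to dst and write a sha256sum-style manifest there."""
    manifest: Dict[str, str] = {}
    for rel in plan_backup(src):
        target = dst / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src / rel, target)
        manifest[rel] = sha256_file(target)  # hash the copy, not the source
    with (dst / MANIFEST_NAME).open("w", encoding="utf-8") as f:
        for rel, digest in manifest.items():
            f.write(f"{digest}  {rel}\n")
    return manifest


def verify_backup(dst: Path) -> Tuple[List[str], List[str]]:
    """Return (missing, changed) relative to the manifest written by run_backup."""
    missing, changed = [], []
    with (dst / MANIFEST_NAME).open(encoding="utf-8") as f:
        for line in f:
            line = line.rstrip("\n")
            if not line:
                continue
            digest, rel = line.split("  ", 1)
            p = dst / rel
            if not p.is_file():
                missing.append(rel)
            elif sha256_file(p) != digest:
                changed.append(rel)
    return missing, changed


def demo() -> dict:
    """Build a constructed storage tree, back it up, then tamper with the copy."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "sdcard", Path(tmp) / "usb_backup"
        constructed = {  # invented sample files, not a real phone's contents
            "DCIM/Camera/IMG_001.jpg": b"\xff\xd8\xff\xe0 not a real photo",
            "DCIM/.nomedia": b"",
            "Documents/notes.txt": b"personal notes",
            "Android/data/com.example.app/files/state.bin": b"app private data",
            "LOST.DIR/0": b"fsck leftovers",
        }
        for rel, data in constructed.items():
            p = src / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        manifest = run_backup(src, dst)
        clean = verify_backup(dst)
        (dst / "Documents/notes.txt").write_bytes(b"modified after backup")
        (dst / "DCIM/Camera/IMG_001.jpg").unlink()
        tampered = verify_backup(dst)
        return {"backed_up": sorted(manifest), "clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(demo())
```

On a PC, mount the phone's storage (or the USB drive holding the copy) and call run_backup(Path(src), Path(dst)); before restoring, run verify_backup on the drive and scan it with an a/v utility, since the manifest only proves the files are unchanged since the copy was made, not that they were clean when copied.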



#11 RayRay26 (Topic Starter)

Posted 06 December 2018 - 03:32 AM

Yes, I've been trying to stop these files from getting loaded onto the external USB, but no matter what I do they just reappear after a while. It seems that the OS creates some backup system files on external storage in case it fails to boot from the internal storage.

I was wondering, is there a autorun/autoplay feature for external drives in android like in Windows? Like, in Windows, you can get infected just by plugging in an infected drive due to its in-built autorun feature. Does that kind of thing happen for Android too, where you can get infected just by plugging in a drive? That way I can disable this feature and stop any reinfection from these system files when I plug in the usb to my clean phone, but I'm not sure such a feature actually exists on Android OS.

#12 svim

Posted 06 December 2018 - 01:25 PM

I was wondering, is there a autorun/autoplay feature for external drives in android like in Windows? Like, in Windows, you can get infected just by plugging in an infected drive due to its in-built autorun feature. Does that kind of thing happen for Android too, where you can get infected just by plugging in a drive? That way I can disable this feature and stop any reinfection from these system files when I plug in the usb to my clean phone, but I'm not sure such a feature actually exists on Android OS.

The Windows operating system and the Android operating system are very different so no. When it involves your example, something like a malicious .exe file hidden in a USB drive cannot do anything when you mount the drive on your Android device, neither automatically nor even if you attempt to manually execute it. But there are other issues involved with USB itself so you do need to at least be wary:

https://www.howtogeek.com/203061/don%E2%80%99t-panic-but-all-usb-devices-have-a-massive-security-problem/

and it needs to be noted that any anti-virus utility you might be using isn't going to be able to fix something like a firmware exploit, nor will formatting the drive. Those are things you'd be doing at the operating system level; the firmware however is at a lower, fundamental level.

Plus there are other issues that are at the OS level:

https://nakedsecurity.sophos.com/2017/11/14/google-researcher-finds-79-linux-usb-vulnerabilities/

the issue being that even when newer versions of the Linux kernel are available, the number of Android devices running one of them is even smaller than the number running the latest version of Android.

A lot of these issues are more about possibilities so it's not a matter where you should be freaking out about them, it's just that awareness is important.





