Hey guys, i got a scareware pop up last night and rebooted my phone.
Then it popped p again so I googled I should disable my ad preferences. but While I was looking through my google stuff I found a ton of these "modules"
I don't remember them being there before. Between the Chimera Virus and the Chimera tool floating around out there, and not being able to find good information on it..., , it makes me pretty paranoid.
I noticed in settings that I have these Chimera Modules in the bottom part of my google services info.
Does anyone know what those are and why they are there?
First of all, this would be better suited for the Q&A forum.
To somewhat answer your question, if I were to take a guess, something you installed, probably in the hopes of gaining root or unlocking your device, was either malware or a scam. There is a site for this tool which looks really shady. I've never heard of it, so I could be completely wrong. If I were you, I would uninstall your most recently installed apps and see if it goes away. Otherwise, I would do a factory reset to protect myself.
Would second the factory reset - if you're rooted I'd also take a scorched earth approach and wipe as much as I can within recovery just to make sure.
I found similar modules on my phone in Google Setting "[internal] section. But from what I can see inside it lists only packages from Google Services and after a bit of searching Google Services contains package with "chimera" in its name namely: "com.google.android.chimera.container.*". Therefore I think it don't have to be connected with any adware/spyware etc. you might have accidentally installed on your phone. Maybe it showed up lately on many phones with some update or it was there already for sometime? Waiting to hear about it from other users.
how can you make your ph delete what is added because ive got stuff on my ph & dont know what all has been added since i bought ph had 1 yr my furst i know nothing about them
[/COLOR]
comprohacked said:
I have Chimera Modules "Listeners", "Stagefright" Virus, c.betrad.com, GPS Locations popping up in Las Vegas (The exact same time I'm sitting on my bed in El Cajon, CA) on a LINUX using Chrome 44.something, which is very strange, being as I only have smartphones to use that keep getting hacked and/or being destroyed by being rendered completely useless. There are files I didn't put on my device (s) and I can't access them, I've been completely locked out of email accounts I've had since my children were going into Junior High School. Countlesd, irreplaceable photos, cherished momentz and video are all gone!!! Our Precious Memories that only I took the time to capture, are not expected to ever be seen, again!! I just found out my Router has also been hijacked, I'm learning terminology I was never before interested in learning (and, really...I still am not...I am and app chick...I love trying and using new apps)! My calls, posts, texts,, emails have been intercepted and, responses have been returned as though I were compiling the messages in whatever form, now, none of my old friends will speak to me....so, I have no social life, anymore. I'm constantly being redirected elsewhere on the web, I passed background and DMV checks for both Uber and Lyft, but, I can't drive for them when even their Driver apps are badly compromised, that I cannot even get to the part of the app where I log on, I just keep being redirected!!! Since this all started about a year ago, I may spoken to an actual employee of my Service Provider....MAYbe 4 times...it took me a long while before I realized my outgoing calls were intercepted and I was speaking to an imposter!!! Oh and ALL of the so-called Antivirus apps are completely bogus and easily disarmed (while returning false results that your "device (or, apps or, files or, system, etc) are safe and virus-free"....and you are LOOKING AT THE VIRUS WORK ON THE APP AND YOU SEE ALL THESE REALLY MESSED UP COMMANDS IN THE LOGS AND URL STRING AND, PFOGRAMS, BUT your device is SAFE!!! UNfrkgbeLIEVABLE!!! This stuff is so REAL AND UNFRKGREAL!!! WTH???? You'll never catch these supervillain superbeings with their superintelligence who are on a supermission....I'm one of them. I had a lot of stuff here in this box, but I didn't copy like I usually do and now a huge chunk of it is gone. Nevermind, I'm not in the mood, anymore. Carry on with making me supermiserable in your superdon'tgivdadamn way. I'm just going to go to bed, watch YouTube, if you let me and, chill in a superchill way. Carry on, Carry on. By the way, Kaspersky didn't last e minutes of the first layer of attack by cyberthemfkngangsta...I'm telling you it Kaspersky was disarmed and effectively rendered disabled and wholly ineffective. Better come deep and loaded on brain grains...feeling much more powerful than your websites. Simple as that. Good luck.
Click to expand...
Click to collapse
Hi comprohacked .. Its nice to know in not the only one .. I am a network engineer with a bachelors in computer science, so I'm much more familiar with the things I have seen. Fighting it has only proven to render my devices unusable, but it has been extremely educational for me. I can tell you some of the things vie learned so far: first of all they use UPnP and a vulnerability in Adobe to gain access. They even moved my Adobe from the programs list to my windows update list. They are very stealthy as my system event codes show them errorig out hundreds of times until they get a success, then continue, what they were doing was elevating their access beginning with default then user, up to admin, and continue until the have system access .. Basically as far as programs or anything else, its windows itself making requests. Then they use what's called a root kit, they actually flash your bios and create a second bios that can not see or access. They map your I/Os and reserve memory space on your periphials ad flash the ROMs of your video, audio, network card, USB ports and really everything else .. And while they take complete root control and ownership of all the hardware, they use network discovery to find every device, cell phones, playstations, Xbox,notebooks, routers, modems, anything connected and do the same thing to all of these, then set up a raid, meaning fault tolerance, or lets just call it a backup of each system on other systems on the network, that way even if you get passed the b
Mbr rootkit somehow, and somehow able to regain control of your PC or phone and reset it, they just put it back as soon as it boots up again. They basically sandbox you as a child environment, while they have a parent profile that overlays whatever they want you to see. They Grey out buttons for setting that can potential trip them up, proxy your web traffic .. They configure servers for your dns and the list goes on. You see on captures that your dns traffic is going out to your loopback address of 127. The will have small portion of your hard drive where they keep whats called metadata, lets just say they have backups of their backups .. Ive experienced everything you listed and more .. They use legitimate software from windows or google but hide the rest,and since they control the OS they tell the programs whrrr they can and canyon look.
These are nit kids doing it, it is far too advanced fir that, and with the language packages I would say nit just America, but several other countries . They eveN have bk
You described to a t exactly what I have on all of my devices. Can you share about what to do about it?
I'd like to drop some information about what your describing Phil, and some of the people/organisations connected with developing it, and how it has been used in the finance and trading sector. Can you or anyone suggest links to places on the web or ways I could do that? Effectively, so that the information spreads quickly.
Have u found a soultion
My husband and I are currently dealing with the same issue down to a t. Any more info on any of it so far?
Same thing
It started about 2 months ago. First i use comcast internet. Comcast was out front on the pole doing something idk cause i dont have neighbors an my internet was fine. Then a week later a public utilities truck was across the street on a pole that didnt have a transformer on it. They installed a box at the top. Proware technologies. I walked over to them and they hurriedly got down and left. I thought strange. So i went to my desktop and looked at my network and even wierder is i had a some pc connected by ethernet to my comcast modem that was sitting in front of me. I only have 1 computer hooked up by ethernet that i know of and can see only one cable to my pc. So i hurriedly copied all the info from mac address etc of the mysterious connected pc. After about an hour they had chsnged my name of hetwork and had hidden there pc. Theres a lot more that i wont blab on about but i think its the FBI. The box came down last weekend in the middle of the night- but i still cant get any internet company they all tell me they dont service my area when ive had them in the past. Im connected to sum modem i have no idea where cause its not the one i should be connected to. Its crazy. I feel crazy. Drives me crazy! Friends cell phones get all screwed up wen they come over. Its aweful. What can i do?
My wife and I have also had this same NOBUS level hack done to us and after 9 months I realized a few tricks that have shut them down several times but they always seem to figure some new hack to thwart my efforts until I finally took a screwdriver and shorted out my MOBO out of shear frustration. That seemed to work! Lol well now I do everything on my cell that I had to root to eliminate their emulated files and restore a custom ROM. As for the PC that is a harder nut to crack...
Thank God, I thought I was losing my mind,3 laptops, 2 cable companys and 3 different phones, and now these modules, my daughter thinks I'm nuts but I know what I see and I know what I have done, factory resets don't work, I keep changing my password info my wifi info even my numbers, if I'm not using my phone or wifi I keep it disconnected this is crazy, what's the purpose.
OK I've done some extensive research on this google play services chimera. It's not a bug or virus or . It's google play services latest secret weapon to control our devices. It's a container full of different modules. I've blocked some through amplify. They start as an alarm. Then turn to wakelocks. One is a system update server that runs continually while our phones try and sleep. Killing our batteries. I'm running Oreo Android 8.0 and have just recently started seeing this said activity. It's no wonder normal people that don't root their devices have no idea what these are. Being slipped in on updates. They know what we know and it's their efforts to go around that and try different things to regain control of anything computerized. Take for instance. Was talking in conversation the other day. Mentioned New Nike shoes. Low and behold next day it's in my damn Facebook feed. Uninstalled fb, that's just way to much for me. Hope this might help. But definitely not a virus
Oh my god i am so glad i found this i am crying. I literally thought i might be insane. Been dealing with this for over 2 years but has lately gotten worse by a mile. For now I'm just relieved I have company. I do not believe it is Google. There is a "real" Google out there and everytime I interacted with them they were helpful. Currently though I'm connecting to some imposter "Google" in India. I also have comcast but the router in my basement is NOT the one I am connecting to. Everyone thinks i am a lunatic when i tell them any of this. I kept seeing the term Firefly come up and it feels important
Same same
Comprohacked and ppl below. Exact same thing has been happening to me for months. No one will help not even family. No one speaks to me. I knew nothing at all at first. Ive been scammed etc. Phone after phone. About 30 this yr. I dont know if this will work because everytime i type something om a forum it never sends or theres always an issue with it redirecting etc. I dont even log onto google anymore om a new phone but theres still a hidden account connected and **** downloading itself. Photos get deleted. I have a daughter now and ive lost everything. Im embarrassed for her to see how lonely i am when she grows up. Its all government related. I do know that and how corrupt this world is. How google are allowed to do whateber they want. Im on medication now. I dunno if anyone has had any luck on how to claim there lives back but im just about done for good. Just thanks to everyone coz i know im not alone.
What the hell is going on in here? I feel like I'm scrolling through a conspiracy post on reddit or something. I need more info!
HackedInAz said:
My wife and I have also had this same NOBUS level hack done to us and after 9 months I realized a few tricks that have shut them down several times but they always seem to figure some new hack to thwart my efforts until I finally took a screwdriver and shorted out my MOBO out of shear frustration. That seemed to work! Lol well now I do everything on my cell that I had to root to eliminate their emulated files and restore a custom ROM. As for the PC that is a harder nut to crack...
Click to expand...
Click to collapse
It's funny you say that. Not considering the other ways described previously in this post, I just knew my modem was the source of my issues, thinking I had eliminated all other possibilities. Ironically a screwdriver through the Ethernet device (not sure of exact terminology here) took a screwdriver through the center of it. Worked well for turning it into trash lol.
Targeted
You people who have been locked out of your own devices and online accounts...google "Targeted Individual."
Related
Ok, before everyone jumps to conclusions on multiple accounts let me get this out there.
1. I am not a noob when it comes to forums and no how to search ie my search results:
http://forum.xda-developers.com/showthread.php?t=989241
http://forum.xda-developers.com/showthread.php?t=1067003
http://forum.xda-developers.com/showthread.php?t=913958
2. I am not a noob when it comes to android devices and would call myself moderately knowledgable in the subject and really cant think of any other ideas also google nor sprint is not helping in the slightest ( and honestly I dont expect them too).
3. The story below is true and i DID NOT STEAL or receive a STOLEN phone, nor am i some jealous boyfirend. I am doing this for a friend, so here it goes.
My coworkers son commited suicide and has asked me to look at his phone to see if i can find away to unlock it so he can either know if anybody knew this was happening or most likely i think for closure of this whole ordeal. When given to me he had already given the phone to many gestures and gives me the google account lockout screen. the father just wants to see the latest messages on the phone as well as anything that might have come up. now this is what i have done so far:
PHONE: EVO 4G
Status: Stock AKA NOT ROOTED
1. I have taken out the SD card to see if i can grab anything off of there but the last time the text messages were backed up were on 7-31-2011, so that really doesn t help me there. I cant think of any other folders to look in in order to find anything else.
2. The phone was never set to USB debugging so there is no chance of rooting the phone (although i am not sure this would even unlock the phone at this point)
3. His father does not know the gmail account and I have only found a few other accounts through facebook and odd random searches that you can scarely do on the internet. After reading some other posts though I am not sure i could do what i was thinking with this because it only updates the computer and not the password on the phone.
4. Tried calling the phone. The phone doesnt even register as if someone is calling. The father said he didnt turn off the phone yet, and it makes since as i am creepily getting text messages as we speak.
So this is where i am at. I cannot think of too much more. Like i said i dont want the phone, it isnt stolen, and i am really just trying to help the guy out. Google told him becaus ethe kid is older then 18 ther eis nothing they can do and if that is there policy then that is BS especially in this situation. and sprint told him they can do a factory reset on the phone. so those are out of the question.
If you're positive that usb debugging is off, then there's not much you can do.
If you can reset the password to his Google account, and the phone has an internet connection, then inputting the new Google information should unlock the phone. I'm not sure if a connection is automatically created during this process. If you'd like, I can test the theory on my own Evo if you can't get any further.
Most people use the same password for everything. If you can find a password for anything, it's likely that's the password for his Google account. Check his computer as well. If he has saved his login information in his web browser, you should be able to pull that information.
Unfortunately you would have many more options if the phone was rooted. You could do a nandroid backup then sift through the data.img. I'm not sure if the stock recovery allows for anything that will help you. When you get into the stock recovery, it looks like you don't have any options. I believe holding both volume buttons simultaneously on the screen with the red triangle/exclamation point will give you a list of options.
If you cannot get into the phone, the SD card is probably going to be your best source of information - though it's unlikely that you'll get much. Browse through all of the directories. He could've switched SMS Backup apps and the information could be stored in a less obvious location. Try /sdcard/data and /sdcard/android/data.
If I can think of anything else I will post it. Both ADB and MyPhoneExplorer (I'm not positive that's the name) would be helpful in this situation, but without usb debugging on I don't think you'll be able to use them. Research further into enabling usb debugging without access to the OS.
I'm sorry for your friend's (and your) loss. I hope that in some way, even if not through the phone, he can find closure.
Sent from my Evo + MIUI using Tapatalk!
Thanks for the response good ideas, and I will try them. Turns out this kid never had a computer and in talking with the friends they only had his other email accounts so I will think of someway to get around that, but anyways thanks again.
Your best bet would be something like the Cellebrite UFED that was getting some attention a few months ago. There are other mobile forensics utilities - I'm not sure if they can be purchased by a single person or if there are guidelines these companies must follow before selling the devices. I'm also sure that they're not cheap, so unless you or your friend are very well off, you probably couldn't buy one yourself anyway.
I took a Computer Forensics course and we spent a week on mobile forensics. This was before Android was popular, and I believe that we used the device on a BlackBerry. The device (I don't remember the name) made an image of the contents which we then looked through using Forensic Toolkit or something similar.
If you know anyone in a computer program, ask if they have access to a similar device. We were allowed to use whatever tools were available during specified times (mainly for lab work, but we could use them for other reasons), so this would be your best bet for getting information off of the phone. Other places, like repair shops (and police departments) may have access to similar technology. If you can find someone empathetic to your situation with access to mobile forensics tools then you may be able to get somewhere.
It's a long shot, but I had the thought & wanted to bump your thread for you in hopes that someone with more knowledge could help you out.
If the device happens to have wifi on & is connected, you can also hack into it over the network. If this is the case and you need more information, shoot me a pm and I'll give you what information I know on ways to do so.
Sent from my Evo + MIUI using Tapatalk!
thanks for sharing.................
As the title states I need to know if Logcat can or will show me all recent behaviour and actions? Can it do it if the phone has been flashed back to stock?
I ask because I watched my partners phone going a bit erratic to say the least.
All sorts of things were being opened in front of us with no one touching the phone. Messages were being put to us on the screen, files were deleted, files altered.
Photo's were altered, favourites altered.
Had I not seen this with my own eyes then I would have found it hard to believe, but with personal details, bank details, photo's, addresses etc being on phone and looking compromised I would like to get to the bottom of this quickly and by any means possible.
As much as I know about ROM cards, Nagraedit etc this is a field I know nothing about although a friend told me that it's not normally done to this scale.
If Logcat can't help me could someone give me any suggestions as to how I may track the activity, cause, source etc?
All security apps that have been run find nothing! One app was classed as dodgy and was promptly deleted but there are still some things vanishing. By vanishing I mean we have a look then exit only to see they have been removed. Some time later they seem to be put back in. Some things marked as favourite are unchecked as we look at the screen yet we have touched nothing.
As crazy as it may sound it has happened and I want to eliminate all possibilities as this happened few days after flashing with ROM & kernel.
Failing this then the phone may be sent off for analysis of some sort or sold and replaced.
Thanks in advance and any help would be greatly appreciated.
C'mon guys, 84 views and no offers
Just to update the post, All photo's were deleted from the sd card as well as various other folders and all personal stuff has gone!
Yes there are options available to retrieve them and I have the programs to do but it still doesn't take away the fact the some thieving scrote thinks it's good to play games by installing sh*t on his ROM to hack into phones, then steal whatever they want!.
Feels like we have been burgled!
Three ROMS were flashed in the week leading up to this, therefore that narrows the possibilities.
That and the fact that that a similar thing happened and the person on the other end was showing content from this site.
One ROM already ruled out and behaviour of another is casting doubt due to behaviour of the smiling balloon which seemed to become an app that was being downloaded, then reappear making out it was a recycle bin.
Just hope the trail leads to the clown responsible and not a goose chase
Now, not all developers are crooked or loading their ROM'S with stuff but regardless of who makes it, who praises it, who loves it and swears by it, who kang'd it etc I would strongly urge people to upgrade or buy a phone instead of rooting, popping this ROM and or ROM in.
gtogaz said:
C'mon guys, 84 views and no offers
Just to update the post, All photo's were deleted from the sd card as well as various other folders and all personal stuff has gone!
Yes there are options available to retrieve them and I have the programs to do but it still doesn't take away the fact the some thieving scrote thinks it's good to play games by installing sh*t on his ROM to hack into phones, then steal whatever they want!.
Feels like we have been burgled!
Three ROMS were flashed in the week leading up to this, therefore that narrows the possibilities.
That and the fact that that a similar thing happened and the person on the other end was showing content from this site.
One ROM already ruled out and behaviour of another is casting doubt due to behaviour of the smiling balloon which seemed to become an app that was being downloaded, then reappear making out it was a recycle bin.
Just hope the trail leads to the clown responsible and not a goose chase
Now, not all developers are crooked or loading their ROM'S with stuff but regardless of who makes it, who praises it, who loves it and swears by it, who kang'd it etc I would strongly urge people to upgrade or buy a phone instead of rooting, popping this ROM and or ROM in.
Click to expand...
Click to collapse
What I would do is to flash a full stock ROM via Odin. Not an ordinary one, but a 3 part one (you can access it through a link in my signature). We are talking about an i9100 right? Not an i9100M/G etc? That 3- part stock firmware will wipe the device as it flashes. Then, don't install any apps after you've flashed. If nothing happens, great, put all your apps back on and see what happens.
Also, what ROMs have you flashed recently? And where did you download them from? I'd easily be over 50 ROM flashes and have never encountered any issues such as that. So have many thousands of others here on XDA.
And, what on earth do you mean with this bit:
gtogaz said:
That and the fact that that a similar thing happened and the person on the other end was showing content from this site.
Click to expand...
Click to collapse
Hi, thanks for the reply.
I used ROM'S from here but think it would be wrong to name them at this point till I get more info. The Mrs has had one or two from other places she now tells me , but there was no inappropriate behaviour before or after these. And any steps I have taken to install for her, I have obtained from XDA. All were Jelly Bean based and either 4.2.2 or 4.3.
Yes it's I9100 although it's I9100P. The variant hasn't had any effect in my opinion and have always flashed to stock then went through the usual steps of erase, wipe, format, mount etc.
There was once some nonsense from another superuser app, well not so much the app but one of the components which started zipping up stuff etc. That was eradicated immediately, and was several weeks prior to this carry on starting. For the life of me I can't remember the name of it but know I had used it before with no trouble whatsoever so did find that odd to say the least..
She had mentioned it before but I thought yeah okay, had I not seen it with my own eyes I wouldn't have believed her to be honest.
The content that was being shown from here was like watching someone scanning over a sheet of paper with a handheld scanner, only watching it on the phone. Sorry - can't think of any other way to describe it and the phone was just going to various sections on XDA - all to do with Jelly Bean. The Mrs assumed it was the dev from this other super user app pointing her in the right direction for Jelly Bean etc.
I recognised some of the content as I had in fact read them myself and went to the same pages on comp to show her but was expecting this message will self destruct in 5 seconds to come on screen and Mission Impossible music to start.
The behaviour in the latter stages was outrageous and somewhat audacious, but that's another story.
Just wanna trace it and sort it out and in one sense it's a lesson learned for her lol cos my phone is running just sweet lol.
Hello everyone,
I might have a big problem.
This morning I booted my HTC One M7 as usual, and when it finished booting it opened a browser tap with a fake whatsapp update. I closed the browser immediately, and five minutes after this, the exact same thing happened. I started thinking how this could happend, and honestly I have no clue. All my apps are from the play store, and I only download documents for school. I haven't even downloaded a new app in the last week, however 15+ of my apps aren't up to date.
I scanned my phone with malwarebytes and it couldn't find anything. I rebooted my phone after the scan, and the problem seems to be gone. I was telling this story to a friend of mine this afternoon, and my mother said that she experienced the same thing, just a couple hours before I experienced it. After further investigation, it wasn't exactly the same. When she opened whatsapp, it asked her to do a weekly back-up of her chats. At first, she closed whatsapp, but when it appeared again, she clicked yes. She wasn't very clear about this, so I don't know if it was a fake menu, or the real deal. I have also scanned her Moto g (2013), and it found no malware.
I don't know if this could be harmfull. Especially because my parents use their phones for mobile banking.
This is a screenshot of my HTC
It could easily have been done through whatsapp. Part of the reason most people have stopped using it. Viruses run rampant I'm just about all of Facebook apps. And no anti virus will find them as they are vastly different then normal viruses.
zelendel said:
It could easily have been done through whatsapp. Part of the reason most people have stopped using it. Viruses run rampant I'm just about all of Facebook apps. And no anti virus will find them as they are vastly different then normal viruses.
Click to expand...
Click to collapse
In the Netherlands literally everybody uses it, but it's good to know that this could indeed happen! Should I be worried about this, and what should I do when it returns?
Dark-shot said:
In the Netherlands literally everybody uses it, but it's good to know that this could indeed happen! Should I be worried about this, and what should I do when it returns?
Click to expand...
Click to collapse
Yeah I heard alot of people in Europe use it alot, here in the states almost no one uses it really except for kids. Most have moved to hangouts.
If I was you I would completely back up the device and then wipe everything and reflash the device.
Things like this will not be picked up by so called virus scanners.
I'am afraid that it is something like ShiftyBug (https://blog.lookout.com/blog/2015/11/04/trojanized-adware/). In the article it says that you have to install apps from third parties, but I have almost never done that. I have downloaded popcorntime in the past, but I have deletet it almost 6 months ago.
I'm afraid that if I reflash my device, that it will come back fairly soon. Is it possible that it has spread over my wifi network? Because of the fact that my mother got something similar on the same day.
But how do I know for sure that it is a virus? After I restarted my phone (12 hours ago), it hasn't shown up yet. Am I worried for nothing, or is there a big chances that I'm infected?
Thank you for all your replies!
Dark-shot said:
I'am afraid that it is something like ShiftyBug (https://blog.lookout.com/blog/2015/11/04/trojanized-adware/). In the article it says that you have to install apps from third parties, but I have almost never done that. I have downloaded popcorntime in the past, but I have deletet it almost 6 months ago.
I'm afraid that if I reflash my device, that it will come back fairly soon. Is it possible that it has spread over my wifi network? Because of the fact that my mother got something similar on the same day.
But how do I know for sure that it is a virus? After I restarted my phone (12 hours ago), it hasn't shown up yet. Am I worried for nothing, or is there a big chances that I'm infected?
Thank you for all your replies!
Click to expand...
Click to collapse
The key word there is almost. If you reflash the device and it comes back then it maybe something that someopne else downloaded and was shared through your network. As you said your mother also saw it so I would go through her phone as well.
There are many apps out there that do this that are in the play store. So it is all a matter of being careful.
There is a chance. If it is big or not depends on how you use your device. It could also have come from a website someone visited. Im not saying you did but many porn sites are set to infect devices when they visit them.
If it was me. I would just start from scratch with each device and make sure that all the things installed are legit.
You could also run a logcat and try to reproduce it. That would tell you what is causing it.
Doesn't seem dangerous.
JohnColston said:
Doesn't seem dangerous.
Click to expand...
Click to collapse
Then you have not been paying attention. Any browser pop that tells you to update an app is 99% an infected apk. It is a common practice for those that take apks and re-package them with malware
After reading more i must admit you are right.... My bad:good:
So I have to flash my phone, aren't there any other options? And if not, how do I reflash The HTC firmware to my phone?
Should I make a back-up before doing this, won't the malware spread again if I instal the back-up on my phone?
Thanks again!
EDIT:
Unfortunately, I still haven't been able to reproduce the problem.
I still haven't been able to reproduce the pop-up.
I do propably know where the problem came from, a friend of mine sent me a older version of soundcloud (the new one can't cache music). I installed that app, decided that it was to old for me and deleted it. The malware must have spread right after the first use. I'm planning on flashing my phone inthe weekend.
EDIT: I can reprodce the pop-up! It's linked to opening the app 'night mode', this app was downloaded in the official play store 2 years ago. Since then it hasn't got a lot of updates though.
Hey,
Time for a little update.
Last weekend, I contacted HTC's customer support due to the fact that I couldn't find my software version. They told me that I should execute a RUU, but they couldn't find the right version, so I had to contact the Dutch customer support (I didn't do this in the first place because the Dutch customer support wasn't open in the weekend).
The next monday (23-11) I contacted the Dutch customer support and asked them for the ROM, and unfortunately due to the regulations they don't publish the ROM's. However, they told me to do a factory reset and that should solve the issue. Unfortunately, it didn't. After the reset, I now get a different Whatsapp pop-up once or twice a day. The pop-up isn't connected to opening an app, like it was before the reset.
A friend of mine experienced the same problem this week on his new Moto X. All the other phones in my home network don't have this problem.
I hope someone will be able to help me!
Thanks in advance!
Dark-shot said:
Hey,
Time for a little update.
Last weekend, I contacted HTC's customer support due to the fact that I couldn't find my software version. They told me that I should execute a RUU, but they couldn't find the right version, so I had to contact the Dutch customer support (I didn't do this in the first place because the Dutch customer support wasn't open in the weekend).
The next monday (23-11) I contacted the Dutch customer support and asked them for the ROM, and unfortunately due to the regulations they don't publish the ROM's. However, they told me to do a factory reset and that should solve the issue. Unfortunately, it didn't. After the reset, I now get a different Whatsapp pop-up once or twice a day. The pop-up isn't connected to opening an app, like it was before the reset.
A friend of mine experienced the same problem this week on his new Moto X. All the other phones in my home network don't have this problem.
I hope someone will be able to help me!
Thanks in advance!
Click to expand...
Click to collapse
There's a chance that it might've spread over a certain network.... Is you and your moto x friend uses the same network ?
sdeepb said:
There's a chance that it might've spread over a certain network.... Is you and your moto x friend uses the same network ?
Click to expand...
Click to collapse
Yes, we both use the wifi network at our high school. But I did the factory reset friday evening, and since then I haven't connected to that network.
It might have spread through that network though.
Dark-shot said:
Yes, we both use the wifi network at our high school. But I did the factory reset friday evening, and since then I haven't connected to that network.
It might have spread through that network though.
Click to expand...
Click to collapse
Depending on the malware a factory reset will not remove it. In fact most malware cant be removed that way. You have to flash the whole device to get rid of it.
Dark-shot said:
Yes, we both use the wifi network at our high school. But I did the factory reset friday evening, and since then I haven't connected to that network.
It might have spread through that network though.
Click to expand...
Click to collapse
In my opinion after starting all over again as you've already been told, you should do all that you did before and monitor each step with patience and concentration to actually understand what's behind this... This may help out
sdeepb said:
In my opinion after starting all over again as you've already been told, you should do all that you did before and monitor each step with patience and concentration to actually understand what's behind this... This may help out
Click to expand...
Click to collapse
As he said. Here is what I would do if I was in your place. Anyone got any extra steps to add feel free to chime in. This would kinda suck for a bit.
You will need a custom recovery. And a bit of time to set up
1. Take everything off device.
2. Format full device in recovery. Not factory reset. Format system, data, internal storage and both caches.
3. Flash complete stock firmware.
4. Get root before rebooting
5. Reboot, do not connect to wifi during set up. Do not restore anything.
6. Get Catlog from the play store and run it.
7. Then continue set up. Wifi and ect. Scan backed up files with a pc virus scan but only return what you really need.
8. When restoring from TIBU install apps fresh from the market and restore data only to apps. (sucks I know but only way to be sure) make sure to delete old back and redo.
Then monitor catlog. This will tell you everything going on. You would be able to figure it out.
Lol... Use adaway or adblocker and such pop up will be gone ... These are the new tricks from those freaking advertisement companies. They are now smart buddy. Even they can access the vibration as the pop up will come phone will get vibrate and users understand this as genuine and click on those ads . You got whatsapp pop some got browser pop up. Hope this will help u ...
Even you can flash moaAB ADBLOCKER from recovery.
veer.killerboy said:
Lol... Use adaway or adblocker and such pop up will be gone ... These are the new tricks from those freaking advertisement companies. They are now smart buddy. Even they can access the vibration as the pop up will come phone will get vibrate and users understand this as genuine and click on those ads . You got whatsapp pop some got browser pop up. Hope this will help u ...
Even you can flash moaAB ADBLOCKER from recovery.
Click to expand...
Click to collapse
If you would've read it fully than you'll know that the case is far bigger than what you're thinking it is
My wife bought an S7+ from Amazon and it's been fine for a couple of months. She had a popup today which warned that the device would be locked because it was part of a trade in scheme and there was some sort of problem. I assumed some sort of malware but I was working so I didn't do much with it but now the device appears to have locked into a sort of "kiosk mode" where we just get 2 screens:
https://imgur.com/a/Z4N9TLy
All the blurb is plastered with "Samsung Electronics UK" but the domain the email is going to is "tradeinresponse.co.uk" which after some Googling seems to have been linked with some scam stuff in the past.
I've tried safe mode with the same locked screen, plugging the tablet into a PC results in it locking to the first screen.
I can get into recovery and I wanted to try a wipe, but the wife has some drawings on there she's done in Sketchbook that she would like to keep.
I'm a software developer by profession but I work with Windows/.NET and SaaS stuff so I've not got much experience with droid devices (a bit of java here and there in the past, but not so much XP with the OS itself)
So my questions are:
Does anyone know if this is any sort of official thing or is this malware/scam stuff as I suspect?
Is a factory reset likely to resolve the issue?
If I want to factory reset, can I pull files off the devices internal SD via ADB or some other tool before I do it?
Do I have any other options?
Kind of a wind up - I'd just have factory reset it by now to find out but like I said, I don't want to lose any of the wife's data if possible. If she gets anything back I'm going to make sure she sticks it in the cloud.
Any help would be appreciated and thanks in advance!
Always backup critical data redundantly to at least 2 hdds that are physically and electronically isolated from each other and the PC.
Or you will lose data eventually.
Factory reset but you will lose all data. If the drive is encrypted, you likely already have.
Sounds like ransomware. Contact Samsung and do some Google searches. See what you got and if there are any work arounds.
You may need to reload the OS completely if it's a rootkit and running on Android 8 or below.
This could be a nasty little bugger...
If it wasn't present on the device when purchased, your wife either downloaded or installed it. She needs to be more careful!!!
Maybe this will impress that onto her...
Thanks for the advice but I've already googled as much as I can. The domain doesn't go anywhere except a holding page though through reverse lookup it seems there are also other domains on the same host including some legitimate businesses that appear to do Samsung second life schemes for devices.
I've googled the actual lock message but no-one on the net seems to have seen it before.
The wife hasn't installed anything, she got the device a few weeks ago (from Amazon, supposedly new) and did a transfer from her old s6 (that has gone to my daughter) to the s7 using Smart Switch. Since then she's not installed any other applications.
It's not "critical data", per se, it's just drawings she'd like to keep, plus copying stuff onto physically disparate hard drives seems a bit overkill given she can just drop the files into a cloud storage account and have way more redundancy than you/I could ever reproduce by doing manual backups.
I'm posting in an s7 forum about an s7 so it's going to be running Android 10 at the minimum (given that's what the device ships with). Not sure why the comments about Android 8.
Anything she could have installed would have been from the Play store (and I don't believe she installed anything other than what automatically installed from what was on her old s6), plus her apps are from a reputable vendors (Autodesk etc). My son has a tablet and he installs all sorts of crap and hasn't had this issue because the OS prevents stuff like this from happening unless you allow side loading.
Is it possible to install a rootkit from the play store? I didn't think so ..?
So, either it was on there when we got it, it's legit or it's a vulnerability that exists in the OS and we are some of the first people to see it...
You can do what you want but any backup database that requires a password can be lost.
I have close to a dozen backup hdds, there's no way to I can lose my entire database.
At least use 2 OTG flashsticks to completely backup the data but hdds are still preferable.
NEVER encrypt data drives... and verify the backups are complete and readable.
As to how it happened you're going to have to sort that out or suffer the same fate possibly again in the future.
A factory reset seems inevitable at this point.
Afterwards change all passwords.
Malware has always existed on Playstore albeit not much or for long. She may have imported from your daughter's phone.
You got some potentially gigantic problems now.
Personally I would have already gone full nuke by now. It's simply not worth the risks.
In the future hawk the download folder daily for files you didn't authorize. Delete any unknowns without opening. Scrutinize all downloads and installs carefully, always. Scan as needed with Malwarebytes. Online Virustotal can be used to scan smaller files and apks.
There are also maliciously scripted jpegs too that can cause damage to any files in the same folder when opened. Be aware of any changes or strange behavior in the download folder. Vet all downloads before moving into your database.
Use a good brower like Brave and be careful what links you click, in the browser, emails and texts.
I can't even begin to estimate how many websites I backed out of, closed that tab or wiped the browser data over in the last year alone. Better safe than sorry. Zero malware infections in over 1.5 years and that's running on outdated Pie.
Almost all malware, rootkits etc are loaded by the user. Some will self install if the device's security isn't configured correctly or if not spotted on a timely basis. Androids, even ones with out of date OSs are generally very secure unless the user does something stupid... learn or get burned.
blackhawk said:
You can do what you want but any backup database that requires a password can be lost.
I have close to a dozen backup hdds, there's no way to I can lose my entire database.
At least use 2 OTG flashsticks to completely backup the data but hdds are still preferable.
NEVER encrypt data drives... and verify the backups are complete and readable.
As to how it happened you're going to have to sort that out or suffer the same fate possibly again in the future.
A factory reset seems inevitable at this point.
Afterwards change all passwords.
Malware has always existed on Playstore albeit not much or for long. She may have imported from your daughter's phone.
You got some potentially gigantic problems now.
Personally I would have already gone full nuke by now. It's simply not worth the risks.
In the future hawk the download folder daily for files you didn't authorize. Delete any unknowns without opening. Scrutinize all downloads and installs carefully, always. Scan as needed with Malwarebytes. Online Virustotal can be used to scan smaller files and apks.
There are also maliciously scripted jpegs too that can cause damage to any files in the same folder when opened. Be aware of any changes or strange behavior in the download folder. Vet all downloads before moving into your database.
Use a good brower like Brave and be careful what links you click, in the browser, emails and texts.
I can't even begin to estimate how many websites I backed out of, closed that tab or wiped the browser data over in the last year alone. Better safe than sorry. Zero malware infections in over 1.5 years and that's running on outdated Pie.
Almost all malware, rootkits etc are loaded by the user. Some will self install if the device's security isn't configured correctly or if not spotted on a timely basis. Androids, even ones with out of date OSs are generally very secure unless the user does something stupid... learn or get burned.
Click to expand...
Click to collapse
With all due respect we aren't getting anywhere here, I don't want backup advice or malware advice, I want to know the answers to the few small questions I asked about whether this is legit and if I can access the device files or not.
You seem to be convinced it's malware, you also seem to be skim reading my posts which is fine - but I don't think your input is helping me.
I'm not going to use a different "paranoid" browser - chrome is fine, the tablet doesn't have a "security configuration" that is any different from the hundreds of thousands of other S7+ devices out there since it's a tablet and out the box it's ready to go. I'm not checking the downloads folder daily just in case some random malware has somehow "installed itself" onto my device, I'm also not keeping random flash sticks and hard drives lying about - I'll just use that geo redundant pretty solid cloud storage like most of the populace.
Yes you can put malicious content in a JPEG or a JPEG header, but it requires that there's an exploit in the OS or the app opening it (for example hiding a javascript eval in the file metadata); I don't think that's an attack vector on a tablet as far as I know given that she only browses, watches Netflix and draws using her S-pen on the device.
She's not imported "malware" from someone else's phone because if you read my post properly you'd understand that it was HER device that she transferred her data from - one that she's since given to the daughter (who has no issues). If you know how Smart Switch works you'd know that it's an unlikely vector (it just transfers data from application storage and then reinstalls the apps from the play store), plus the fact the original device doesn't have the issue...
Stop telling me to "learn or get burned". This is not a "misuse" problem. The wife is on Android 10, it's a relatively new and secure O/S and she didn't install anything she shouldn't have (she didn't actually install anything at all - it was the stock samsung application and the play store that installed the apps she ALREADY HAD on her previous device). It's not a "learn" scenario. Nothing she did should have caused this - if it is/was an OS exploit or some sort of security issue what could she have done to prevent it? Nothing.
What I have done is:
* Contacted the vendor of the device (we can still send it back if they've sent us a refurbed device instead of new as advertised)
* Sent an email to the address advertised to see what response I get (if they demand money then clearly a scam)
I've checked and the domain in the above shares a host with a company called MTR which happens to be a DCC Group company (one of the groups of companies I actually consult for) so worst case I'll speak to someone from DCC Group and see if they can shed any light.
Seems like it might be legit and quite possibly a mix up.
Do what you will... if you understand the origin of that phrase.
Anything that can't be IDed is considered malware until proven innocent
The fact that you're now completely locked out speaks volumes.
Good practices and backup are your only defenses. They apply to the future not the past... so much for flavors
Personally I think it's already too late for that device's OS load and data.
Of course I could be mistaken.
If you really want the data, take it to a data recovery specialist. They may be able to recover it.
When your at the beginning you can determine how potential data lose will end. When at the end, the outcome has already been predetermined by your actions or lack of.
You are now at the end... likely a dead end.
Been there, done that... actions have consequences.
@Charleh: if I were you, I would back up all important data and do a clean firmware flash with Odin. And a factory reset on top of that, just to be sure. Definitely sounds like you got hit by a scammer.
AnonVendetta said:
@Charleh: if I were you, I would back up all important data and do a clean firmware flash with Odin. And a factory reset on top of that, just to be sure. Definitely sounds like you got hit by a scammer.
Click to expand...
Click to collapse
Like I said there's not really any important data on there, just some drawings the wife would like to keep. Also, I can't backup anything since I can't access the device.
I'll probably just speak to DCC group and see if this company is one of theirs.
If the data is lost we are just talking some drawings the wife has done, there's nothing important on there, she just loses the layers (they are stored as multi page tiffs and sketchbook uses those as layers). She has all the images as flat renders on her cloud storage drive and on Instagram.
Think we just need to invest in some extra cloud storage as the free 15gb that Google give you isn't enough to store what she wants at the moment as the images are tens of megabytes each.
Worst case scenario I factory reset and flash it, best case I get someone at DCC telling me what's what.
The bit that gets me is that there are no ransom demands at this point so I can't be sure what's what. Usually by now with crypto ransom malware you are already being given demands...
We will see.
blackhawk said:
Do what you will... if you understand the origin of that phrase.
Anything that can't be IDed is considered malware until proven innocent
The fact that you're now completely locked out speaks volumes.
Good practices and backup are your only defenses. They apply to the future not the past... so much for flavors
Personally I think it's already too late for that device's OS load and data.
Of course I could be mistaken.
If you really want the data, take it to a data recovery specialist. They may be able to recover it.
When your at the beginning you can determine how potential data lose will end. When at the end, the outcome has already been predetermined by your actions or lack of.
You are now at the end... likely a dead end.
Been there, done that... actions have consequences.
Click to expand...
Click to collapse
It's not a big deal mate.
Stop flogging a dead horse, the most annoying thing is just that the device is unusable, regardless of me making backups or signing a pact with the devil or putting candlewax on my nips, it wouldn't have prevented this from happening..
The only reason I haven't tried a factory reset up to now is because if there's a chance I can get the drawings off the device I'd like to try it first before I nuke it.
Stop talking about my lack of actions, it's getting really boring. There's nothing I could do to forsee this happening and not my fault the wife didn't put the drawings on her cloud storage.
Go bother someone else with your multiple flash disk tinfoil hat backup routines (I bet you've got a tape drive in that routine somewhere too), stop trying to be helpful by saying "told you so" after the fact, instead try answering the questions I asked.
@Charleh: The way I see it is this:
The device's data partition/internal storage (where the drawings are stored) are encrypted by default, by Samsung. So, unless you can manage to use a MTP USB connection or ADB to make copies of them, then you're locked out and there's nothing you can do to recover them. Since they're located in an encrypted area, I highly doubt that even a professional data recovery business would be able to get them back. There are certain encryptions out there that even the US govt (NSA/CIA/FBI) can't break.
I'm assuming that you're not a l33t hax0r with uber skills, so unless you can successfully boot into Android again, your recovery chances are almost zero.
Or, maybe this company can help you out. It's worth a shot. But if I were a gambling man, I'd wager a lot of money that you will end up having to clean flash/reset, without being able to recover anything.
In the future, think about making copies of this stuff before bad things occur. As the saying goes, anything that can go wrong, will go wrong, sooner or later. I rarely lose access to my data because I'm frequently backing it up.
Good luck!
AnonVendetta said:
@Charleh: The way I see it is this:
The device's data partition/internal storage (where the drawings are stored) are encrypted by default, by Samsung. So, unless you can manage to use a MTP USB connection or ADB to make copies of them, then you're locked out and there's nothing you can do to recover them. Since they're located in an encrypted area, I highly doubt that even a professional data recovery business would be able to get them back. There are certain encryptions out there that even the US govt (NSA/CIA/FBI) can't break.
I'm assuming that you're not a l33t hax0r with uber skills, so unless you can successfully boot into Android again, your recovery chances are almost zero.
Or, maybe this company can help you out. It's worth a shot. But if I were a gambling man, I'd wager a lot of money that you will end up having to clean flash/reset, without being able to recover anything.
In the future, think about making copies of this stuff before bad things occur. As the saying goes, anything that can go wrong, will go wrong, sooner or later. I rarely lose access to my data because I'm frequently backing it up.
Good luck!
Click to expand...
Click to collapse
Thanks - that was a helpful answer. I suspected that droid encrypted the data - I was looking at making an ADB connection using Android tools. Might as well give it a try before I nuke.
I can't use MTP as the device auto locks when I plug in a USB cable.
Like I've said a few times it's not a massive issue if I lose the data - I work in IT, I know the importance of backing up important data. I've seen a client lose months worth of data to crypto-ransomware (they cancelled their backup solution a few months before saying they were moving to Azure soon so they didn't need it).
I've explained though, it's not my device and it's up to the wife to put her stuff on her cloud storage if she wants to keep it. She uses Google Drive for her docs etc.
Worst case scenario I complain to Amazon, wife is saying she doesn't remember the screen having a protector/film on it when she opened it and we still have time to return/exchange it since I have a Prime account.
@Charleh: AFAIK, Amazon has a 30 day no questions asked return policy for almost everything. If you're still within that return window, then I guess you just have to decide whether the loss of drawings is worth returning it, assuming all recovery efforts fail. I bought my Tab S7+ new direct from Samsung, I haven't encountered like what you describe. And your edge case is the first one I've seen.
I think it's possible that you bought a refurbished device that was preowned but sold as new. The original buyer didn't finish paying it off, returned it, it's sold to you, you get this message. It's either legitimately locked, or someone has remotely locked it and intends to scam you. Contact that company ASAP.
Another option is to find a local techie/shop that can remove this lock for a fee, preferably without data loss. They make want to see proof of purchase, if they're legit. This would at least give you the ability to use the device again. People used to bring me locked phones/tabs all the time, this is pretty much what I did for side cash. As long as they didn't outright admit they were stolen, I didn't care.
Ok speaking to Samsung support and it's legit - what's happened is that someone's returned the device to the supplier after doing a trade in with it and receiving a new device from Samsung Trade In.
Supplier has refunded us and told us to keep the device until the issue is resolved with Samsung.
Now fighting with Samsung themselves about it. Absolute pisstake.
Basically I have a brick and although Samsung have the capability to unlock the device through Knox they won't do it until a resolution is found with the supplier.
Fun-times. Sent a complaint email to Samsung as they are essentially holding the wife's artwork to ransom because of an issue they have created with the rules of their trade-in program.
I've already received the refund too - sounds like the Amazon reseller is trying to wash their hands of it.
@Charleh: So, they refunded you AND they're going to let you keep the tablet? I'd be quite happy with that.
AnonVendetta said:
@Charleh: So, they refunded you AND they're going to let you keep the tablet? I'd be quite happy with that.
Click to expand...
Click to collapse
Depends if the tablet is ever going to be functional again...
Fingers crossed!
Time to reflash, ODIN or do whatever and see if you can and up with his + hers new(sort of) tablets.
Hello, some solution?
Charleh said:
Depends if the tablet is ever going to be functional again...
Fingers crossed!
Click to expand...
Click to collapse
How did this end?
corb06 said:
How did this end?
Click to expand...
Click to collapse
still ongoing - Amazon is trying to get hold of the original supplier but they've gone dark; I complained to Samsung and they are looking into it, just waiting for a reply.
They took almost a month to get back to me - only did so when I started complaining publicly on all social media platforms (Twitter, Instagram etc) - they don't like it when you do that.
Will update when I know more.
Charleh said:
still ongoing - Amazon is trying to get hold of the original supplier but they've gone dark; I complained to Samsung and they are looking into it, just waiting for a reply.
They took almost a month to get back to me - only did so when I started complaining publicly on all social media platforms (Twitter, Instagram etc) - they don't like it when you do that.
Will update when I know more.
Click to expand...
Click to collapse
Sorry to hear it's taking so long. I'd be super pissed. Next time, buy direct from Samsung, you wouldnt have to deal with this ****. Because they wouldnt sell you a used/refurbished device unless it's clearly marked as such, and i'm pretty sure they only sell new devices anyway.
Can you post a link to the seller's Amazon page? They could be a fly-by-night op.
If you cant get your money back or an exchange, just contact your bank/card issuer and do a chargeback. This is a last resort ootion, if nothing else works. Explain the whole situation to them. Chances are, they would force the seller or someone else responsible, to give your money back. The only caveat is that if you wait too long, it might not work. i've inititated chargebacks against sellers who dont respond to support requests, it usually worked in my favor.
Edit: If you go the chargeback route and Amazon is forced to refund your money, they may retaliate by banning your account. it recently happened to a friend. Just so you know.....
I have a A52 5g and a tab S7+ wifi, that are both remotely controled and monitored, and serve as gateway to my home network and basicaly every device connected to it. I noticed it at first and mew NOTHING related to this, didnt even know what open source was. Since then i have come to understand that, somehow, my phone seems to run a custom version of android, my guess is, built from AOSP and designed to disguise itself as oem samsung ui, but in background enables remote access and total takeover of every function. I have discovered, using total commander, that storage has been partitioned in 2 separate locations, and that one folder in there is called root system file, and filled with data/apk/installkits/etc.. this has me asking for help in 2 specific questions:
Am i holding a rooted device or is there another possibility that creates this situation? I was convinced its rooted untill i read here that root prevents from using samsung pass, secure folder etc.. and those seem to work on mine(or is it a version of those apps?) If its indeed rooted, will it wype everything if i flash it with the stock rom? And should i trust a small cell repair store to do that or learn how to do it myself?
2: i have bought 3 brand new phones since august, and made sure not to use my usual accounts, no use backups, not even set it up near my home wifi, and it almost instantly started self installing harmful software in background. I see no other way for it to link itself to be owned by me at initial setup, but for the sim card, new of course, but with my usual phone number and service transfered to it. Is that enough to make a breach and compromise a new device? If so, what would be different after fpashing the stock rom, if everything reinstalls itself? Do i need to change my number? Change cellular service provider even? I know its an unusual request but im a fast learner, i have compiled lots of technical info on specific apps, ip's, servers, build id numbers etc.. that i know would make more sense to anyone more qualified than me, and i am about ready to try and wype/flash the thing myself, i just would feel better with a little help since i have gone this far pretty much alone, since no service provider or manifacturer actualy feels like this is their problem to solve....
Here you can download firmware for your phone and flash with Odin, which you can also download at the bottom of the page, there are instructions on how to do it also.
Make sure to download correct firmware for exact device you have. There are few different A52 5G models.. SM-A526B, SM-A526U, SM-A5260, SM-A526U1, SM-A526W.
You will lose all data after flashing new firmware. After this your phone will be like brand new from Samsung..
If your device is rooted then that means your warranty is void and manufacturers and carriers are under no obligation to help you.
I'm trying to understand your situation but its so conflicting I don't know where to begin.
For example, you say your device runs a custom AOSP with a Samsung UI. Thats exactly how it actually works. Samsung take the AOSP, customise it with their own functionality, then overlay their own skin as the UI. Theres absolutely nothing unusual about that.
I'm conflicted as to whether your rooted or not. If the manufacturer or carrier has physically seen the device and won't repair it then that would suggest your definitely rooted. If you spoke to them virtually and told them your rooted then they will use it as an excuse whether you're truly rooted or not. The partitions you mention could be the internal storage and an sd card which can be seen non-rooted. I dont know what you mean when you mention a "root system file". Is it an actual folder called "root" or is the app you're using just telling you that you've reached the "root" of the filesystem? I can't quite work out what you mean. You also say Knox-powered apps still work which just adds to the confusion.
You stated you have had 3 new devices and they all self-installed harmful software. To get one device compromised is possible. To get three compromised means your either a high profile government target (which I doubt because they wouldn't be so sloppy as this) or your doing something to compromise your own devices such as continuously visiting dodgy websites.
Flashing will fix things but so would having a new device. The only common denominator is you so either you're doing something wrong or you truly are a government target in which case I wish you good luck!
First let me appologise for the long silence, i cut off most online activity for a while and just read your answers. To clarify, i have not solved my prolem yet. But ill try to explain better what you ask about my situation:
About de os version arobase40 got it right. I Asked google play help reps. And a stock samsung version of android would not trigger googles warning about running a custom version of android. So that point to a modified after-the-fact more than to the fact samsung has their propierary version installed.
About beeing rooted or not, ylwhat you are asking is what im not totaly certajn of, also. I know partition can happen without rooting, its seems to have created a "virtual sd card" since its named as such when sd card slot is actualy empty. About the root files folder, i cant say for sure, all i can say is that its holding a large amount of Gigs that dont get taken into account when looking at storage capacity and usage, and accessing that folder gives me a message that root files cant be access from this device. Does it mean my device had root acess privileges revoked to prevent viewing files that hide what is given control of the software remotely, so i dont find out or have the capacity to remove or alter those files?
What is absolutely sure is that if it is rooted, it wasnt done by me. As for the chance the devices were not factory brand new, 1 of them was not, got it opend box from amazon, a saudi arabia version, but my prkblems had started months before getting it, did not keep it more than 2 months, and all others before and since are 100% pure factory new, some directly from my cellular service provider, as financed device came with 2 year agreement of service,(actualy 2 of them i got this way) and the last one is my tab s7+ i got online directly from samsung canada website, on preorder, delivered on release day.
And lastly the fact i cant seem to shake those persistent leeches, is not from having reckless habbits online, but from having careless and uneducated habbits before that all started, usual older lazy dude stuff, like not changing my wifi password after a ruff breakup with bipolar psycho ex gf, or having only a few passwords reused on most my accounts. I have stopped doing those things long ago now that i know better, but i suspect that i could have been unaware something gettnng installed and staying dormant for a while, maybe? The ex had way more opportunities than needed to do something like this and is more than psycho enough to realy do it also. For having the skills to do it, lets say she has "assets" that can easily get her guys willing to help about that. It may also be coming from somwhere else, but as you say im not a super spy or a high ranking gov. Official. Im not even that interesting, and have absolutely no usable id for fraud or anything, my credit history would raise more red flags then there is in all china. So after so long struggling with this still very active, i cant even think of a rational reason to do so much effort into this, theres nothing to gain, i only can imagine that maybe a twisted mind seeking revege, or with a sick way of amusing themselves could see the point to all that, but i dont realy care. I only want to get rid of it.
As for the way it manages to be so much persistent, i can only see one option left i didnt remove from the process, and its through my phone number/account on the sim card, even a new sim on a new phone, still is linked to my cell service. I did initial setup with only that new sim card, accounts freshely created during setup, with no info or anythink linkable to my previous accounts, and even did it sitting outside, far from any building that could get me in range of a wifi network. And it still was no more effective at staying secure.
Thats why i did not yet try to flash a stock rom myself on my device, because it would, at best, become exactly like it was when brand new, and i know that this is not enough to keep it secure, and that means theres still something im missing in the whole picture.