Strange semi-stealthy malware that hides itself - Android Q&A, Help & Troubleshooting

Hi all,
So here's the situation: I have a Pixel 1 with stock (read: overbloated Verizon) Android. Whatever, I'm lazy and I haven't gotten around to rooting it. I installed a firewall recently for giggles. I'm going through the system apps and merrily blocking Verizon junkware when I come across this thing (bear with me for the complete description, as XDA's spam filters are blocking my image links).
It's a system process called 'nobody' with a version number of 10. The NetGuard app also gives a number above the name (I don't know what it's supposed to mean) that for most apps seems sort of random, but for this app is 9999.
I try to find this thing in my system app manager, and it's nowhere to be found.
So I keep on keeping on, thinking 'weird, but whatever', and then I come across another app called 'root' with a version number of 10 and (maybe it's a process id?) of 0.
Also, nowhere to be found.
And here's the thing; there's a gear icon in Netguard, that for _every other app_, opens up the system app manager page for that app. For these two? Nothing.
Now, I am not super proficient in android stuffs. My questions for you smart and pretty people are these:
1. How can I go about digging around in my phone to find the files that are running this thing?
2. What's the best way to get more information on what this is? (and yeah, I tried googling 'nobody' and 'root'. It went predictably).
3. How can I prepare a report / who would I send this to? There's gotta be security researchers who could use logs pertaining to this ****.
Yeah, I know that I need to nuke & pave the device. I will. I want to try and recon a little first. So, what do you got?
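An added example, not part of the original post, showing how a uid displayed by a firewall app such as NetGuard can be resolved on the device itself: uid 0 is root and uid 9999 is AID_NOBODY in Android's android_filesystem_config.h, reserved identities with no installed package behind them, while uids of 10000 and above belong to apps and can be mapped with `pm list packages -U`. The `pm` listing embedded below is a constructed sample; on a real device substitute the live command output.

```shell
#!/bin/sh
# Added example (not from the thread): resolve a uid shown by a firewall app
# to either a reserved Android identity or an installed package.
# Reserved uids below 10000 come from android_filesystem_config.h;
# uids from 10000 upwards are installed apps, listed by `pm list packages -U`.

# Constructed sample of `adb shell pm list packages -U` output. On a real
# device use: PM_OUTPUT=$(adb shell pm list packages -U)
PM_OUTPUT='package:com.android.chrome uid:10123
package:com.example.bloat uid:10200
package:com.android.shell uid:2000'

# reserved_name UID: print the well-known name of a reserved AID (subset),
# return 1 if the uid is not in the table.
reserved_name() {
  case "$1" in
    0)    echo "root (AID_ROOT)" ;;
    1000) echo "system (AID_SYSTEM)" ;;
    1001) echo "radio (AID_RADIO)" ;;
    2000) echo "shell (AID_SHELL)" ;;
    9999) echo "nobody (AID_NOBODY)" ;;
    *)    return 1 ;;
  esac
}

# resolve_uid UID [PM_LISTING]: print one classification line.
# Exit status: 0 resolved, 1 no package found, 2 invalid input.
resolve_uid() {
  uid=$1
  listing=${2:-$PM_OUTPUT}
  case "$uid" in
    ''|*[!0-9]*) echo "invalid uid: $uid"; return 2 ;;
  esac
  if name=$(reserved_name "$uid"); then
    echo "uid $uid: reserved system identity $name; not an installed package"
    return 0
  fi
  if [ "$uid" -lt 10000 ]; then
    echo "uid $uid: reserved system identity (see android_filesystem_config.h)"
    return 0
  fi
  # App uid: pull every package line whose second field is "uid:<uid>"
  # (shared uids can map to several packages).
  pkgs=$(printf '%s\n' "$listing" |
    awk -v u="uid:$uid" '$2 == u { sub(/^package:/, "", $1); print $1 }')
  if [ -n "$pkgs" ]; then
    echo "uid $uid: installed package(s): $(printf '%s' "$pkgs" | tr '\n' ' ')"
    return 0
  fi
  echo "uid $uid: no package found; check /proc/<pid>/status Uid: lines of the process instead"
  return 1
}

# Example run with the constructed listing.
resolve_uid 9999
resolve_uid 0
resolve_uid 10123
```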

Related

[Q] Strange Notifications...

So I've been receiving these strange notifications periodically that are "recommending" bizarre applications. The notification looks like a star, and when pressed sends me to an application in the market. I've been on android for quite a while and I have never had this happen before, so I'm wondering if anyone has had similar problems. Or maybe this is some "feature" that I'm not aware of.
I was reading in the Vibrant forums about something that seemed similar, and in that case it was caused by a separate application. I wanted to throw it out to the t-bolt community and see if anyone has experienced this and/or knows what would cause it.
Also, if this is something that has been previously discussed, I give you permission to flame me. My several google searches didn't bring anything up. Thanks in advance.
As a side note, I am knowingly marking this thread as a question while knowing that there are no question marks in the actual post. I think the question is inferred (this could possibly spur some philosophical debates).
It sounds like one of your installed apps is using AirPush to put ads on your notification bar. I'd check the apps you installed or updated recently to see if any of them are known to do this. I believe there are also some apps that can detect which installed programs are using AirPush as well, but I haven't tried any of them personally. If you search for AirPush, you'll see more info about it, as well as learn that it is basically universally reviled by users.
This is definitely AirPush. It sends ads straight to your notifications so as the person above me said, you should check out your recently installed/updated apps to see if any have this enabled. It's a pain in the ass to have that little icon up there all the time.
OP, don't be so quick to be flamed
I don't know where it is or how to get it (I assume the AirPush website) but apparently you can get a tool, so to speak, from AirPush that will opt you out of the ads and stop them from pushing notifications to your phone. Sorry I couldn't be more helpful as to where to acquire this, but what I read said that it's provided by AirPush themselves.
Sent from my HTC Thunderbolt
AirPush opt out
Thanks for the quick replies. I found out that there's an app in the Android Market made by AirPush, Inc. themselves that allows you to opt out. I installed it, and I'll see if it solves the problem.
As far as the flaming goes, I figure some people just need to get it out of their system, so I was giving those people an excuse.
Thanks again for the replies.

[Q] Problems with developing a custom GS2 rom for medicinal purposes.

Hello to you all people of XDA, firstly I must state that I've scoured the forums far and wide and have yet to find some valuable info regarding my problem.
So what we're doing is developing (or trying to, as is obvious from this post) a custom ROM for the Galaxy S2 which would be used for a single medical application for sensor tracking and the processing and displaying of said data on the SGS2, while at the same time sending it to his/her doctor.
What we need to be able to achieve with this ROM is to put it into the hands of the end-user (a chronic patient, who will in turn be able to stay at home instead of being hospitalized) and be able to completely lock down the phone for his use (I know, it sounds terrible) so that he loses the phone/SMS/games/YouTube/internet functionality, as we need the phone to run as stably and for as long as possible without any additional battery stress (the constant sending and processing of data seems enough of a problem for now).
I've searched into some custom ROMs but we eventually came up with the need for a stock Samsung ROM which could be modified as we want to.
See, this is where the problem begins: we can't seem to get the phone rooted, the ROM customized and then unrooted again so that the phone can't be fiddled with anymore, except when it's completely dead and we need to fix it.
So to cap it all up:
It needs to allow for a custom load and bootscreen (I almost got this to work)
It needs to be completely locked down for the end user.
It has to have full BT, NFC and WiFi functionality
It has to be able to call out and receive calls, but only to/from specific numbers (911, doctor, etc..)
It has to basically allow for 2-3 programs to be running, while the others simply don't exist on the phone.
I am terribly sorry if anything like this has been asked about before, I swear I put 2 days of my life into researching already.
Any help, any help at all, ideas and solutions, but mostly links are welcome.
Thank you and good day to all.
Just a detail, but the SGS2 doesn't have NFC functionality. The project seems to be possible; I would look into the CyanogenMod sources if I were you.
Sent from my GT-I9100 using XDA App
Why are you afraid of leaving the phone rooted and in the hands of the patient?
Is he so uncritical that he can search the web and find means of unrooting a mobile phone and then get around to actually doing it?
LucLucLuc said:
Hello to you all people of XDA, firstly I must state that I've scoured the forums far and wide and have yet to find some valuable info regarding my problem.
So what we're doing is developing (or trying to, as is obvious from this post) a custom ROM for the Galaxy S2 which would be used for a single medical application for sensor tracking and the processing and displaying of said data on the SGS2, while at the same time sending it to his/her doctor.
What we need to be able to achieve with this ROM is to put it into the hands of the end-user (a chronic patient, who will in turn be able to stay at home instead of being hospitalized) and be able to completely lock down the phone for his use (I know, it sounds terrible) so that he loses the phone/SMS/games/YouTube/internet functionality, as we need the phone to run as stably and for as long as possible without any additional battery stress (the constant sending and processing of data seems enough of a problem for now).
I've searched into some custom ROMs but we eventually came up with the need for a stock Samsung ROM which could be modified as we want to.
See, this is where the problem begins: we can't seem to get the phone rooted, the ROM customized and then unrooted again so that the phone can't be fiddled with anymore, except when it's completely dead and we need to fix it.
So to cap it all up:
It needs to allow for a custom load and bootscreen (I almost got this to work)
It needs to be completely locked down for the end user.
It has to have full BT, NFC and WiFi functionality
It has to be able to call out and receive calls, but only to/from specific numbers (911, doctor, etc..)
It has to basically allow for 2-3 programs to be running, while the others simply don't exist on the phone.
I am terribly sorry if anything like this has been asked about before, I swear I put 2 days of my life into researching already.
Any help, any help at all, ideas and solutions, but mostly links are welcome.
Thank you and good day to all.
Block all internet access apart from the ones you want, or you can just set up iptables rules; shouldn't need root apart from when setting it up.
As far as removing programs, just delete the APKs from the zip, or before you remove root. My sig has a list of all APKs in an up-to-date ROM and what they do.
You can use Gemini App Manager to control autoruns (stop them etc.) and also to block (hide and disable) apps.
As far as removing root goes, your best bet is, once you are done, to use adb (from the Android SDK) to remove the superuser.apk, then flash the stock kernel back; as far as I know, without Superuser, apps can't gain root permissions.
OR
This app will allow you to block any app behind a password
This app will block incoming and outgoing sms and calls on white and blacklists
Custom boot logo (the first screen before the animation)
Custom boot animation needs to go into system/media; I am not sure about the format but there are loads around, like this thread has loads; the stock kernel should support them.
I hope that helps
Most of that is easily possible.
If you listed the apps needing to be removed, the apk files just need to be deleted.
To control calls, you can use a third party app from the market for that.
It's possible to have the custom ROM unrooted, and easily flashed, regardless of how badly the phone gets rooted.
Boot animation is easy anyway... If you can provide it in a zip like other ones (zip containing numbered PNGs) then it's a piece of cake.
A little bit of clever firewall stuff would prevent any web traffic, in or out, except to your defined server, which is obviously a concern when a phone is handling sensitive medical info.
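Added example, not code from the thread, for the iptables approach suggested above (set up rules so that no traffic passes in or out except to the defined server): a POSIX shell script that prints such a whitelist and an audit function that rejects any rule set with an open default policy or an OUTPUT accept that is not pinned to a destination. The server 203.0.113.10:443 is a constructed placeholder, and the script assumes the address is pinned (so no DNS rule is needed) and that the kernel offers the conntrack match.

```shell
#!/bin/sh
# Added example (not from the thread). Emits an iptables whitelist for a
# device that may only talk to one defined server, and audits a rule set
# before it is applied. Rules are printed, not executed, so they can be
# reviewed first; on a rooted device: lockdown_rules 203.0.113.10 443 | sh
# Assumptions: 203.0.113.10:443 is a constructed placeholder, the server
# address is pinned (no DNS needed), and the kernel has the conntrack match
# (older kernels may only offer "-m state --state").

# lockdown_rules SERVER_IP [PORT]: default DROP in both directions; allow
# loopback, replies to established flows, and new TCP flows to the server only.
lockdown_rules() {
  server=$1
  port=${2:-443}
  cat <<EOF
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -d $server --dport $port -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# permissive_rules: the weak variant, shown for contrast. OUTPUT defaults to
# ACCEPT, so every app on the device can still reach the internet.
permissive_rules() {
  cat <<EOF
iptables -F
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# audit_rules: read a rule script on stdin; exit 1 (printing each offender)
# if any chain defaults to ACCEPT or an OUTPUT ACCEPT rule is not loopback,
# established-only, or pinned to a destination with -d.
audit_rules() {
  awk '
    /^iptables -P .* ACCEPT$/ { print "open default policy: " $0; bad = 1 }
    /^iptables -A OUTPUT / && /-j ACCEPT$/ {
      if ($0 !~ /-o lo/ && $0 !~ /ESTABLISHED/ && $0 !~ / -d /) {
        print "unrestricted OUTPUT accept: " $0; bad = 1
      }
    }
    END { if (bad) exit 1; exit 0 }
  '
}

# Example run: the whitelist passes the audit, the permissive set does not.
lockdown_rules 203.0.113.10 443 | audit_rules && echo "whitelist: closed"
permissive_rules | audit_rules || echo "permissive: open"
```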
genieass said:
Why are you afraid of leaving the phone rooted and in the hands of the patient?
The phones are going to be used by around 500.000 people in a year, it's not that we want to take anything away from the user, it's more about not having any problems with the firmware - like ever.
Thanks for all the help!
LucLucLuc, not sure where you live, but you're entering the patient confidentiality minefield with big, big boots.
Apart from the legal considerations, your question is definitely OS related and not device related.
I see what you want, but legally - where I live anyway - it's too much of a grey area to get involved with.
I use call recording a lot for referrals and info from other doctors, but I've always asked the other party if they're OK with it. I won't record patient conversations, and I won't accept any files whatsoever that have seen RIS or PACS first - not worth it.
Can't see it's worth your while, but I'd appreciate it if you keep me informed should you decide to work on it.
Big boots indeed
We are from Slovenia, Europe.
I'm actually just a student doing the research and some basic Android programming, thank god I wasn't let into the bigger of the projects
But yes, this project is a collaboration of several European firms and you can read more about it at chiron-project.eu - it's a very very interesting project afaic.
I don't think we'll be swimming with lawyer piranhas soon though; the project uses sensor data (which sorta is a privacy issue) which will be monitored on a tablet running Android (currently testing the Galaxy Tab 10.1 - we were lucky to order one before Steve had another one of his fits), processed in real time and then stored on the central server, from where it will only be accessible by the patient's doctor.
Patient consents are dealt with before we even start talking about mobile hospitalizations.
It's very encouraging to see some actual interest, if anyone wants to know more about anything related to this project contact me at [email protected]
Thanks again for all the help.

[HINT] Accessing inaccessible APK files.

I hope this proves useful to someone, but especially noobs like myself! I've searched high and low for a way to access and install apps that are either restricted by country (I'm in Vancouver, BC) or by device type, and up to now was only able to find references here at XDA that involve using a VPN. If the following tip is already common knowledge and I somehow overlooked it, I apologize in advance.
Yesterday I ran across this handy applet, which so far has worked flawlessly for me:
Clearly I can't post URLs yet but the applet "Real APK Leacher" can be downloaded at:
www[dot]mediafire[dot]com[slash]?5vibfddvxmh98y
No need to install anything, just unzip the DL into any new folder and run it directly from there. It does require Java Runtime Environment 1.5.0 or later. The first time the tool is launched it prompts you for a DeviceID and the associated account and P/W for the device. I used the DeviceID for my Galaxy S2.
(To find the DeviceID on a phone, enter [*#*#8255#*#*] (not including the brackets), and find the lines that begin with "JID=" and "DeviceID-".)
When I first ran the tool, I ran a search and got no results. Found that the trick is to enter the search term(s) and then select the "custom" radio button. I've used the tool to successfully DL and install 1) Google Currents, 2) Onlive Desktop, 3) USAA Mobile Banking, 4) HBO GO, 5) Canada Post App, 6) UPS app, 7) Fedex, 8) Hulu+, 9) all Amazon apps, 10) Realtor.ca, and many others. Till now I haven't run across any app I wanted that I haven't been able to install using the tool. Hope you have as much luck as I have with it.
After downloading the APKs to your computer desktop, simply transfer to the Prime via your method of choice and install.
VancouverIngo said:
(To find the DeviceID on a phone, enter [*#*#8255#*#*] (not including the brackets), and find the lines that begin with "JID=" and "DeviceID-".)
And how do you propose we do that on our tablets?
leppie said:
And how do you propose we do that on our tablets?
Or use the Device ID app
https://play.google.com/store/apps/details?id=com.redphx.deviceid&reviewId=03899096149324352534
leppie said:
And how do you propose we do that on our tablets?
I tried to be as detailed as possible in my post (it was late, I was tired, perhaps I wasn't) which is why I went to the trouble of pointing out how I used my smartphone (the GS2) to carry out the procedure myself. I certainly don't claim to know exactly how the tool works behind the scenes, but I think it most likely needs to "fool" the source it accesses to DL the requested APKs into thinking the DL request is coming from a phone rather than a tablet.
In any case, there are probably many ways in which to retrieve a DeviceID. The method I went to the trouble of describing just happens to be the only way that I know how to do so. If you know of another... GREAT... use it. If not, then well, I think anyone frequenting these forums is probably clever enough to figure out/search for other ways.
In this day and age, I don't think that there are many tablet owners out there that don't also own or have access to a phone as well. In light of this fact, I assumed (perhaps unwisely) that readers of this thread don't require the same level of handholding/specificity that less tech-savvy members of the population might.
For those who've found other work-arounds to achieve the same end and are happy with their method, well, this post isn't meant for you. For others, like me, who've been seeking a simpler way, I truly hope you find the tool as useful as I have.
Running an unknown executable from a poster with no track record...can I just give you my CC# and SSN now and simplify things?
e.mote said:
Running an unknown executable from a poster with no track record...can I just give you my CC# and SSN now and simplify things?
Just googled the tool and it seems it's getting quite a bit of attention; certainly not unknown. Favourable reviews/mentions from well known and respected sites. In fact, it seems like someone here at XDA beat me to the punch in extolling its virtues ... found a link to an active thread in the General Section.
While there are ways to check out executables of questionable provenance (particularly a Java applet on a PC) without endangering yourself / in a secure environment, particularly when the link to said executable comes from a noob poster such as myself, you are wise indeed to be cautious! For the adventurous among you, check it out at your own risk.
Searching on "real apk leecher" (note the correct spelling), it looks like this tool came out a week ago. It wants your email acct, password, and device ID. At least to start out.
From the screenshot, the apparent dev, Nhat Cuong Mobile, is a Vietnamese outfit with website here: http://nhatcuong.vn/. However, it's a mobile phone sales & repair site, and I can't find any info on software development (I can speak Viet).
If you do try this out, be extremely wary.
If you're rooted try Market Enabler (in the market), change the code to whatever network in whatever country, force close the market app (drag it to App info, and force close from there), then open it again, and voila, access to all the apps you couldn't access before.
adancau said:
If you're rooted try Market Enabler (in the market), change the code to whatever network in whatever country, force close the market app (drag it to App info, and force close from there), then open it again, and voila, access to all the apps you couldn't access before.
Will the Market Enabler app also open apps that are device specific? I. E., phone-only apps for tablets?

(What are) Must have APPS and To-Do to newbies to Galaxy S9+ (?)

Hey all.
Within a couple of days I'm getting my new Galaxy S9+ (Exynos) phone.
I made a year break from Android and switched to Apple, and now I'm back.
Unfortunately, I know nothing about newest Galaxy phones.
Maybe anyone has suggestions on what I should do (download) when I set up my phone (I've watched all the reviews of "must have" etc., don't suggest me to do that)?
I used to root and unlock the bootloader on each of my Android phones, but I won't do that to my Galaxy S9+, at least for 6 months.
Hence, many root apps won't work: "AdAway", "Viper4Android" etc.
Maybe anyone knows an ad-blocking app that doesn't require rooting the phone?
Or just mention anything that newbie to Galaxy S9+ should know.
(If you're wondering why am I "spamming" with these "stupid" questions: And no, I didn't find any similar thread to this)
Thanks in advance!
I used to root and ROM all my phones, but I don't think it is as necessary as before.
I also used to download all the tweaks, but I don't do that either.
Non-root: to block ads try Blokada; it is in the F-Droid store.
It is Free and it Works.
I also swear by ES File Explorer to view and move files on your app. Also to sync any cloud storage you have.
If you have a regular phone number and a Google Voice number going to the same phone,
Voice Choice 2.0 is a nice app that allows you to make calls with a specific number,
i.e. family and close friends have your carrier number,
work partners, resume, business line have your Google number;
when you make a call you don't have to select anything; based on the rules you set up it will dial out using the appropriate number.
qnc said:
I used to root and ROM all my phones, but I don't think it is as necessary as before.
I also used to download all the tweaks, but I don't do that either.
Non-root: to block ads try Blokada; it is in the F-Droid store.
It is Free and it Works.
I also swear by ES File Explorer to view and move files on your app. Also to sync any cloud storage you have.
If you have a regular phone number and a Google Voice number going to the same phone,
Voice Choice 2.0 is a nice app that allows you to make calls with a specific number,
i.e. family and close friends have your carrier number,
work partners, resume, business line have your Google number;
when you make a call you don't have to select anything; based on the rules you set up it will dial out using the appropriate number.
Thanks! Maybe you know anything about removing / disabling Bloatware as well?
LaurynasVP said:
Thanks! Maybe you know anything about removing / disabling Bloatware as well?
Check out this thread at your own risk. It works; I disabled Facebook (don't see why that would be on an unlocked phone from Samsung, but I digress).
https://forum.xda-developers.com/galaxy-s9-plus/how-to/s9-s9-bloatware-removal-thread-g960u-t3817810
Be careful with the commands and understand what is being done before you hit the enter/return key.
Good thing about disabling is if you fubar the phone you can do a factory restore and start all over.
I only disabled Facebook. Will investigate the other software as I play with the phone. Only had it 2 weeks so far.
qnc said:
Check out this thread at your own risk. It works; I disabled Facebook (don't see why that would be on an unlocked phone from Samsung, but I digress).
https://forum.xda-developers.com/galaxy-s9-plus/how-to/s9-s9-bloatware-removal-thread-g960u-t3817810
Be careful with the commands and understand what is being done before you hit the enter/return key.
Good thing about disabling is if you fubar the phone you can do a factory restore and start all over.
I only disabled Facebook. Will investigate the other software as I play with the phone. Only had it 2 weeks so far.
Thanks, I'll keep everything in mind

Perpetual Infection. Is it possible?

Hi guys, I was just thinking: if my PC, from which I read emails sent to my Gmail account, which is the same account I have on my Android device, gets hacked one day, and the hacker also has some virus app hidden at the Play Store, could he remotely keep installing this virus app on my Android device perpetually, even if I format my device?
Gmail is pretty bullet proof as long as you don't bring in downloads. What's kept in the cloud, stays in the cloud.
Never in over 12 years had a virus infect either Android or Window device via Gmail. Which is why I use it.
Most infections are downloaded or installed by the user including those nasty jpegs and pngs. Had one recently that destroyed files in my downloads folder but never got beyond that.
Perhaps because I discovered it within minutes and was able to isolate it, i.e. delete it.
Simply changing your password after the Android reload would defeat the hacker anyway. Right?
For real paranoia there are viruses that can allegedly escape a reload purge by hiding in what should be immutable areas of the internal memory. Presumably only a firmware reflash could eradicate them.
The SD card is another hiding place...
Keep at least 2 hdd backups of it that are physically and electronically isolated from each other. Enforce this isolation if there is the slightest sign of malware until it's eliminated.
Losing your head with an infected device can destroy your whole database... got to keep them separated.
It may get one, even two devices but not the isolated hdds unless you screw up bad.
Tks for the reply and for the hints
The reason for my thread was that I got, on my new tablet, an adware which would pop up the Google Play Store with the app IQ Option (a Forex app, from IQ Option). The IQ Option "pop up" started after installing Netflix, Amazon Prime and... a paid calculator app called Calculator Infinity from Inception Mobile.
I already contacted Samsung, which asked me to take the tablet to the repair service; I contacted Google, which asked me to take numerous steps which didn't prove successful, including formatting the device.... It has stopped after 2 months, not sure why (Android update??? Banishment of IQ Option Forex from Brazil due to law transgressions??). I don't think it was the law enforcement since I saw some cases reporting this virus at other forums after the banishment of IQ Option... Due to the pandemic, I didn't take the tablet yet to service repair. Planning to do it in March. But I would like some more advice... Don't want to migrate in the future to iOS because of this.
P.S.: I've already flagged the app at the Google Play Store, but I'm afraid I'm pointing at the wrong culprit... Nothing happened, so maybe Google didn't find anything...
If you reloaded the OS that should be the end of it unless you installed it after the reload or it's in your data that you added after the reload.
It may not be the app(s) you suspect...
Scan with Malwarebytes.
That's the question, it was a new tablet. I installed only Netflix, Amazon Prime and when I put this calculator app, the problem started. As soon as the problem started, I ran the antivirus that comes with the Samsung tablet (McAfee), and nothing was detected; I later installed Avast, nothing was detected, then AVG, nothing was detected again, but the problem continued for 2 months.
@malandrex
Forget all the mentioned scanners and comparable ones: they are all absolutely useless on Android. These scanners all exist for one purpose only: to pull money out of the pocket of fearful Android users like John Doe / Jane Doe.
Take note that the latest Android versions by default come with the AVB (read: Android Verified Boot) feature, which prevents any changes being made to Android's system - of course unless this feature gets disabled by the user (which is a bit complicated because the user must know how to modify the device's bootloader).
Knowing this, you must not fear that Android's system gets infected, IMO.
jwoegerbauer said:
@malandrex
Forget all the mentioned scanners and comparable ones: they are all absolutely useless on Android. These scanners all exist for one purpose only: to pull money out of the pocket of fearful Android users like John Doe / Jane Doe.
Take note that the latest Android versions by default come with the AVB (read: Android Verified Boot) feature, which prevents any changes being made to Android's system - of course unless this feature gets disabled by the user (which is a bit complicated because the user must know how to modify the device's bootloader).
Knowing this, you must not fear that Android's system gets infected, IMO.
So what does explain the autonomous opening of Google Play at the app IQ Option on my new Galaxy Tab S6, which was acquired at the beginning of 2020? This behavior lasted from February to April and resisted, during this period, numerous factory resets. Was it caused by an adware installed by the calculator app?? Was an app remotely installed from a PC virus that used the same Google account as the tablet? Or was it something else?
