Girlfriend virus - Android Q&A, Help & Troubleshooting

Redmi 4x satoni (not rooted or flashed)
Is there any way to detect root by exploit? Apps like Kingo Root and KingRoot and many other one-click root apps do this kind of thing, where they use an exploit in the Android system and root the phone using it, and similarly a malware can do the same?
(I'm assuming this is what it is) (spear phishing)
Can an apk file really gain root access and rewrite your device's ROM with malware in it, is that a thing?
I installed a third party app where it just disappeared into the background (most likely social engineering) and I tried all AVs but it came clean; I even went into safe mode and settings and tried app managers and settings but all failed.
Next I tried the factory reset and the symptoms still persist.
Note that I have created new accounts and changed passwords and have MFA on, but is there any way for it to reinfect because I'm using the same device to create the new account?
Like, is it because it infected my Google access or something, to come again after a factory reset?
Thanks

If you think a girlfriend virus is bad, just wait until you get married.
To answer your question....
Android is designed to be very rootkit-resistant. Features such as Verified Boot prevent unsigned/modified images from loading if the bootloader is locked; while it is possible for a malicious app to use an unpatched exploit to root the device every time it runs, any modification made to any critical partition such as /boot and /system would be detected, and the device would warn the user that the system is corrupted.
Since you've removed the app from your device and performed a factory reset, you should be safe. Good job on using MFA, by the way.

V0latyle said:
If you think a girlfriend virus is bad, just wait until you get married.
To answer your question....
Android is designed to be very rootkit-resistant. Features such as Verified Boot prevent unsigned/modified images from loading if the bootloader is locked; while it is possible for a malicious app to use an unpatched exploit to root the device every time it runs, any modification made to any critical partition such as /boot and /system would be detected, and the device would warn the user that the system is corrupted.
Since you've removed the app from your device and performed a factory reset, you should be safe. Good job on using MFA, by the way.
No, I think I misunderstood: there were two apps that I downloaded. One disappeared into the background (which is causing more havoc) and is undetectable by Android AVs and I'm having trouble removing it (got it from a sketchy link from my gf).
The second app was just an Instagram follower app which ran in the background and I could uninstall directly (got it from the Play Store).
I want to know how to detect and remove the first one.

alokmfmf said:
got from a sketchy link from my gf
That's why one should always use protection.
alokmfmf said:
The second app was just an Instagram follower app which ran in the background and I could uninstall directly (got it from the Play Store).
I want to know how to detect and remove the first one.
What makes you think the first app is still there? If you've performed a factory reset, it's gone - unless it downloaded again when you restored your Google account to your device.
Are you sure you're not mistaking a built-in app?

alokmfmf said:
Is there any way to detect root
Yes, almost every banking / payment app does it.
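The kind of root/tamper check V0latyle is referring to, as an added example that is not code from this thread or from any banking app: it scores constructed stand-ins for `adb shell getprop` output, a list of paths found on the device and the installed package list. The property names, su paths and root-manager package prefixes are well-known public indicators; the inputs are constructed, and nothing here talks to a real phone.

```python
"""Root/tamper indicator checks of the sort banking and payment apps run.

Added example, not code from this thread or from any app it mentions.
Inputs are constructed stand-ins for `adb shell getprop` output, a list
of paths present on the device and a list of installed package names;
nothing here talks to a real phone. A root manager that hides itself can
mask these signals, which is why real apps layer them with attestation.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Sequence

# Locations where a su binary or superuser app is commonly installed.
SU_PATHS = (
    "/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su",
    "/system/app/Superuser.apk",
)
# Package-name prefixes of well-known root managers.
ROOT_MANAGER_PREFIXES = ("com.topjohnwu.magisk", "eu.chainfire.supersu")


@dataclass
class RootReport:
    indicators: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.indicators)


def parse_getprop(text: str) -> Dict[str, str]:
    """Parse `[key]: [value]` lines as printed by getprop; malformed lines are skipped."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not (line.startswith("[") and line.endswith("]") and "]: [" in line):
            continue
        key, _, value = line[1:-1].partition("]: [")
        props[key] = value
    return props


def check_root_indicators(getprop_text: str, present_paths: Sequence[str],
                          installed_packages: Sequence[str]) -> RootReport:
    report = RootReport()
    props = parse_getprop(getprop_text)

    # Build/bootloader state: a locked, verified boot chain is the expected baseline.
    if props.get("ro.build.tags") == "test-keys":
        report.indicators.append("build signed with test-keys")
    if props.get("ro.debuggable") == "1":
        report.indicators.append("ro.debuggable=1 (userdebug/eng build)")
    state = props.get("ro.boot.verifiedbootstate")
    if state is not None and state != "green":
        report.indicators.append(f"verified boot state is {state}")
    if (props.get("ro.boot.flash.locked") == "0"
            or props.get("ro.boot.vbmeta.device_state") == "unlocked"):
        report.indicators.append("bootloader unlocked")

    # Filesystem and package evidence of a root solution.
    present = set(present_paths)
    for path in SU_PATHS:
        if path in present:
            report.indicators.append(f"su binary/app present: {path}")
    for pkg in installed_packages:
        if pkg.startswith(ROOT_MANAGER_PREFIXES):
            report.indicators.append(f"root manager installed: {pkg}")
    return report


# Constructed samples (not captured from a real device).
CLEAN_GETPROP = """\
[ro.build.tags]: [release-keys]
[ro.debuggable]: [0]
[ro.boot.verifiedbootstate]: [green]
[ro.boot.flash.locked]: [1]
[ro.boot.vbmeta.device_state]: [locked]
"""
ROOTED_GETPROP = """\
[ro.build.tags]: [test-keys]
[ro.debuggable]: [1]
[ro.boot.verifiedbootstate]: [orange]
[ro.boot.flash.locked]: [0]
this line is not a property and is ignored
"""

if __name__ == "__main__":
    clean = check_root_indicators(CLEAN_GETPROP, ["/system/bin/sh"], ["com.android.chrome"])
    rooted = check_root_indicators(ROOTED_GETPROP, ["/system/xbin/su"], ["com.topjohnwu.magisk"])
    print("clean device suspicious:", clean.suspicious)
    for line in rooted.indicators:
        print("rooted device:", line)
```

The verified-boot and bootloader properties are the part that matters for the thread's question: on a locked device with a green boot state, a persistent modification of /boot or /system is exactly what AVB is there to catch, so an app that claims to be "in the firmware" would have to show up here.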

V0latyle said:
That's why one should always use protection.
What makes you think the first app is still there? If you've performed a factory reset, it's gone - unless it downloaded again when you restored your Google account to your device.
Are you sure you're not mistaking a built-in app?
Yes I'm sure, as my accounts are getting hacked, my personal media is getting leaked, permissions are asked repeatedly and the SIM is getting disabled.
Also I'm trying not to log in to my Google account and see how that works.
Although I have tried to make new accounts from scratch and start from a clean new slate after a factory reset, it may be the device itself, I'm afraid.

Social engineering / spear phishing (I think)
Redmi4x satoni
I was asked to click on a link and download an apk by my girlfriend and as soon as I downloaded it, it disappeared and I was asked to delete the apk.
(I do not have access to the link either)
Later I realized that it tracks permissions, media and keyboard (except for exactly who I'm texting, because of the Android sandbox).
I tried a FACTORY RESET but the symptoms still persisted (like getting hacked again and my private info getting leaked, SIM deduction and detection of the SIM card, and permissions being asked again and again even though I allowed them).
I checked all the settings of my phone and nothing is abnormal (I'm not rooted).
Is it possible that a used account could somehow transmit the virus? I had a nasty malware on my phone, so I factory reset my phone, but the symptoms still remain, so I used a new Google account and others also, but it still comes back, so I'm guessing it's the kernel or the ROM that got infected.
I tried all AVs but they all came clean and I'm certain that my Android is infected with something.
First and foremost I need to know how to DETECT the malware (to know which app is causing this).
And second, how to REMOVE the malware.
Thanks.

Which OS version? If not running on Pie or higher it's susceptible to the Xhelper family of partition worming malware.
Yeah sounds like you got a worm... nasty critters.
A reflash may be the best option although if it is Xhelper it can now be removed without a reflash.
You are what you load

blackhawk said:
Which OS version? If not running on Pie or higher it's susceptible to the Xhelper family of partition worming malware.
Yeah sounds like you got a worm... nasty critters.
A reflash may be the best option although if it is Xhelper it can now be removed without a reflash.
You are what you load
Yes I know I made a stupid decision, it's completely my fault. I tried using the Xhelper method but it comes clean; I assume there is only one method, which involves disabling the Play Store.
I run on MIUI 11, Nougat 7.
Any methods to detect and remove the malware are welcome.
And about reflashing, it's very complicated for most Mi phones.

alokmfmf said:
I run on MIUI 11, Nougat 7.
Any methods to detect and remove the malware are welcome.
And about reflashing, it's very complicated for most Mi phones.
Reflash it to stock firmware. If you can upgrade to Android 9 consider doing so for security purposes. It may have performance/functionality drawbacks for your application though, not sure as I never used 6, 7 or 8.
Make sure you reset all passwords, keep social media, sales and trash apps off the phone. Always keep email in the cloud ie Gmail or such.
Run Karma Firewall. Be careful what you download and especially install... don't sample apps unless you have a real need for that particular app. Once installed don't allow apps to update as they may try to download their malware payload, a way to bypass Playstore security.

blackhawk said:
Reflash it to stock firmware. If you can upgrade to Android 9 consider doing so for security purposes. It may have performance/functionality drawbacks for your application though, not sure as I never used 6, 7 or 8.
Make sure you reset all passwords, keep social media, sales and trash apps off the phone. Always keep email in the cloud ie Gmail or such.
Run Karma Firewall. Be careful what you download and especially install... don't sample apps unless you have a real need for that particular app. Once installed don't allow apps to update as they may try to download their malware payload, a way to bypass Playstore security.
Will not logging in my google account help

alokmfmf said:
Will not logging in my google account help
No. The malware is in the phone apparently in the firmware.

blackhawk said:
No. The malware is in the phone apparently in the firmware.
I disagree, unless Xiaomi/Redmi's AVB/dm-verity implementation is useless, it should prevent a persistent rootkit.
I suspect this has little to do with the phone and more to do with reused passwords and other "organic" security failure.

V0latyle said:
I disagree, unless Xiaomi/Redmi's AVB/dm-verity implementation is useless, it should prevent a persistent rootkit.
I suspect this has little to do with the phone and more to do with reused passwords and other "organic" security failure.
You're probably right. Forgot it was running 11... lol, organic security failure, I like that

blackhawk said:
You're probably right. Forgot it was running 11... lol, organic security failure, I like that
The security measures that prevent persistent rootkits have been in place long before Android 11.
The most common root cause of a breach of security is the failure to ensure sufficient security in the first place. Simple passwords, reused passwords, no MFA, connected accounts, etc. Yes, there are plenty of Android viruses out there, but all of them "live" in the user data space. Of course, there may be unpatched exploits that allow root access, but these must be exploited every time the app is run. An app cannot modify the boot or system partitions without tripping AVB (if the bootloader is locked) whereupon the device would warn that the OS is corrupted.
At the end of the day, it's much much easier to simply use social engineering or other methods to gain someone's credentials, rather than trying to hack their device.

V0latyle said:
The security measures that prevent persistent rootkits have been in place long before Android 11.
Yeah Android 9 was where the hole for the Xhelper class of rootkits was plugged for good. It runs securely unless you do stupid things. This phone is running on that and its current load will be 3 yo in June. No malware in all that time in spite of the fact it's heavily used. It can be very resistant to attacks if set up and used correctly.
V0latyle said:
The most common root cause of a breach of security is the failure to ensure sufficient security in the first place. Simple passwords, reused passwords, no MFA, connected accounts, etc. Yes, there are plenty of Android viruses out there, but all of them "live" in the user data space. Of course, there may be unpatched exploits that allow root access, but these must be exploited every time the app is run. An app cannot modify the boot or system partitions without tripping AVB (if the bootloader is locked) whereupon the device would warn that the OS is corrupted.
I was initially thinking his was running on Android 8 or lower. Forgot. On Android 9 and higher (except for a big hole in Android 11 and 12 that was patched, if memory serves me correctly) about the only way malware is getting into the user data partition is if the user installs it, doesn't use appropriate builtin settings safeguards, or by an infected USB device. Any phone can be hacked if the attacker is sophisticated and determined enough to do so... in my opinion. Even if this happens a factory reset will purge it on a stock phone unless the hacker has access to the firmware by remote or physical access. Never allow remote access to anyone...
V0latyle said:
At the end of the day, it's much much easier to simply use social engineering or other methods to gain someone's credentials, rather than trying to hack their device.
Lol, that's what social media is for

blackhawk said:
No. The malware is in the phone apparently in the firmware.
OK thanks for helping its been good

alokmfmf said:
OK thanks for helping its been good
You're welcome.
I retract that (post #12) as I forgot it is running on Android 11. Like V0latyle said, it's probably the password(s) that were compromised if a factory reset didn't resolve the issue, other than the exceptions I stated in post #16.

Also I found this on the net, if that helps with the situation:
Be especially wary of spear phishing. Do not click on any weird link sent by your closest friends, or if you feel compelled to do so, open it from a tightly secured operating system (a fresh VM) where you have never logged in to your social networks.
And
Factory resets are not enough to sanitize the device.
Also I'm a bit scared as some people on the net have said that in some cases even a flash might not wipe it, as it resides in the boot logo or some places where flashes do not reach, or in flash ROM chips (but of course this is all very rare).
I am very fascinated and would like to learn more about it; any suggestions would be helpful.

Related

Temporary root access to install unsigned software?

Forgive my ignorance, but I've never used Android before and I'm expecting my phone delivered tomorrow (HTC Hero!)
As I understand it, the Android app store signs the apps similar to the iPhone's iTunes store to prevent piracy and malware.
Is this correct?
I've read about how one can "root" the device by loading an image file through the bootloader over USB, but I wonder, is there a sudo command or similar to temporarily enable root access and later return to the default state?
I suppose I could flash it with the root image, install the app and then flash back the default OS image, but that feels like a pretty awkward procedure and would probably raise a bunch of new problems, such as how the default OS would launch the app installed under another OS.
I was hoping to start tinkering with programming, but I'm unsure if I can "throw in the app" and expect it to work..?
After using Macs for over 20 years I've become too used to stuff just working right out of the box, so I don't feel like experimenting on my own...
There is an option in the settings that lets you install unsigned apps, so no rooting required.
xarvox said:
As I understand it, the Android app store signs the apps similar to the iPhone's iTunes store to prevent piracy and malware.
Is this correct?
Not exactly! Many paid apps are copy protected, but most of the free ones are not. Unlike the iPhone, where you can only install "unauthorized" apps if you jail break the device, Android allows you to install and run applications from a variety of sources on a stock device.
In essence, you do not need to root the device to develop for it, but there are certain things that applications can only be done on a rooted device (for example, receiving a file via Bluetooth, WiFi tethering etc).
I was hoping to start tinkering with programming, but I'm unsure if I can "throw in the app" and expect it to work..?
Well, programming errors aside, and as long as you don't need to do anything that requires root privileges, yes you can. You should bear in mind that the *vast* majority of Android devices will not have been rooted, and therefore the vast majority of available applications do not require rooted phones.
Personally, I expect that later Android builds will remove many of the restrictions that require applications to have root access, so that they can function without requiring a device to be rooted.
Regards,
Dave
I've found an app that would tether my laptop (Mac) over WiFi, but it requires me to root the device.
Is there a way to temporarily do this, install the app and make the necessary changes and then switch back to the default state?
I don't believe so.
As far as I'm aware, the application requires the elevated privileges when it runs as opposed to just configuration changes. I don't think that even a setuid would help, since I believe the app expects to find and use su/sudo.
Regards,
Dave

Why is rooting more dangerous- malware wise?

Hi,
So I was always under the impression that rooting is more dangerous because it gives applications more access to the system and lets them perform more actions. However, now that I think about it, can't this be handled by a program that limits permissions?
Or do apps on a rooted phone behave differently than on an unrooted one (i.e. they can do actions not included in the permission system)?
What about an unrooted phone?
If I install spyware, what information can't it gather that it can on a rooted phone?
Thank you very much!
oy-ster said:
Hi,
So I was always under the impression that rooting is more dangerous because it gives applications more access to the system and lets them perform more actions. However, now that I think about it, can't this be handled by a program that limits permissions?
Or do apps on a rooted phone behave differently than on an unrooted one (i.e. they can do actions not included in the permission system)?
What about an unrooted phone?
If I install spyware, what information can't it gather that it can on a rooted phone?
Thank you very much!
http://www.lockergnome.com/android/2013/01/25/how-safe-is-rooting-android-devices/
http://google.about.com/od/socialtoolsfromgoogle/a/root-android-decision.htm
http://www.bullguard.com/bullguard-...ity/mobile-threats/android-rooting-risks.aspx
Thank you for the links, I have already encountered some of them previously (I usually Google before posting) and they are part of my confusion.
On one hand: http://www.bullguard.com/bullguard-...ity/mobile-threats/android-rooting-risks.aspx says that apps with root access circumvent the security system; on the other: http://google.about.com/od/socialtoolsfromgoogle/a/root-android-decision.htm notes that you can control this access, so why does the first warning exist?
Also, can superuser apps detect every element and limit its accessibility? For example, what about malicious code that I receive from clicking on some pernicious link?
PS. When one of the pages said: "A common practice that people do with "rooted" phones is to flash their ROM's with custom programs." - did it mean custom OS/ROM or did it mean the program you are using in order to perform flashing?
Thank you.
upity up.

how to ensure a phone is malware free? especially from screen reading trojans

So I picked up a used Pixel from Craigslist. Seems OK. But I started thinking... how can I be certain this phone is not booby trapped? It would be awful to have a trojaned device and not really know it.
I searched quite a bit about malware that can survive a factory reset. So it seems that simply resetting is not so great.
Then I thought adb sideloading an official Google factory image to both slot A and slot B would purge any demons. But then again, I cannot find any documentation that makes it clear what gets overwritten and what doesn't (e.g. do the bootloader or recovery partition remain intact... seems like a great place to hide malware on a booby trapped phone). Similarly, it is unclear which /system partition blocks get replaced... all of them? Some of them? Can a clever trojan/RAT survive an OTA?
And then there is the full factory image install via fastboot. The problem is that I cannot enable OEM unlocking b/c Verizon locked the bootloader. Booooooo
Final thing, and the trigger that really had me thinking about this: after setting up the phone and connecting to the network, I saw a notification that subtly asked to install a Google screen reader. No idea why, and no Google searches return anything useful. Was this device hacked already??!
Specifically the notification said:
"install app for screen share" and "tap to install from the play store"
So, any security minded Android users out there who can help me understand if I need to trash this phone?
Infrequent pop-ups when using a web browser or when running an app can be normal. However, if you are getting pop-ups even when you're not opening a browser or when using a totally different app, there could be malware in your phone. Malicious pop-ups are often brought about by a bad app that you may have installed in the past. In some cases, legit looking apps may update to a sinister version after some time and cause pop-ups to be displayed.
Run the phone in safe mode and observe it. Safe mode is a great tool for detecting a problem app. In this mode, all third party apps will be suspended, so if the problem is absent when your Android is running in safe mode, that means there's a malicious app in the system. While in this mode, you should be able to use preinstalled apps normally as well as use basic networking services without a problem.
My recommendation to have a malware-free phone:
Do a factory reset
Before re-installing any app install an anti-virus app
So will sideloading an official factory OTA image using adb from recovery, completely remove any malware? (I read about malware that can survive a factory reset.)
Also, has anyone else ever seen a notification asking to install a screen reader? This appeared after a factory reset, immediately after connecting to the wifi network. No apps installed.
A factory reset really only deals with the Data and the Cache partitions. The System partition isn't affected. This is true regardless of whether the device is rooted or not. So if malware got installed in the System partition it survives a factory reset. A factory reset will also not remove any ROM upgrades or OTAs.
Hopefully by now you have a better understanding of what a factory reset is.
Maybe the browser - which typically is installed as a system app / system-privileged app - is the culprit: use another browser and see what happens.
I think I understand how the factory reset works. For this discussion, I am focused on the Google Pixel line, no modifications, no root, and only apps from the official Play Store.
The adb sideload of a Google factory OTA is the part I don't fully understand.
For example, does the OTA merely replace files? Or does it do a bitwise block-level swap? Does it modify anything in the bootloader or recovery partitions?
I cannot find clear documentation on this.
The notification requests to install Screen Reader do not come from Chrome or any browser. They appear to come from the system. (Android 10).
So what I am trying to figure out is whether some malicious actor/app installed persistent malware into the system partition, or the bootloader, or the recovery, such that a factory reset cannot remove it (like with xHelper malware).
Like for example, can malware get into the system partition, and a manual adb OTA sideload, or even a manual fastboot factory image install, fail to remove the malware from the system partition? That would be a nightmare for security.
Finally, I cannot find any documentation from Google that Pixel (3) on Android 10 will automatically try to install a screen reader as a native operation.
Basically, is this used, never rooted phone permanently Trojan-ed junk now?
@thehighhat
Sorry to say this: I'll no longer waste my time with this ...
oops: duplicated post deleted
jwoegerbauer said:
...
My recommendation to have a malware-free phone:
Do a factory reset
Before re-installing any app install an anti-virus app
OK. Not sure why you're done with this - if you have insight, sharing it is good for everyone.
Anti-virus (13 different ones) all show no malware. They show it is clean.
There is well known malware that can survive a factory reset.
The notification to install "screen reader" occurred immediately after a newly wiped phone connected to the internet, even before any of the default apps (Chrome, Settings, etc.) opened.
Still looking for answers from someone who knows:
Has anyone ever seen a system notification asking to install a "screen reader"?
Does anyone know if
Code:
adb sideload official.google.ota.img
on a Pixel modifies the boot partition or the recovery partition?
Does anyone know if that manual OTA install guarantees the system partition contains only unmodified valid files/blocks?
thehighhat said:
OK. Not sure why you're done with this - if you have insight, sharing it is good for everyone.
Anti-virus (13 different ones) all show no malware. They show it is clean.
There is well known malware that can survive a factory reset.
The notification to install "screen reader" occurred immediately after a newly wiped phone connected to the internet, even before any of the default apps (Chrome, Settings, etc.) opened.
Still looking for answers from someone who knows:
Has anyone ever seen a system notification asking to install a "screen reader"?
Does anyone know if
Code:
adb sideload official.google.ota.img
on a Pixel modifies the boot partition or the recovery partition?
Does anyone know if that manual OTA install guarantees the system partition contains only unmodified valid files/blocks?
If you fastboot flash an official Google system.img partition. From Google. With the correct hash value to ensure a correct download. It should flash the entire partition. Same goes for any other partition. If you have a certified unmodified image and flash it, the entire partition should be flashed, not just part of it.
With OTA updates. You only get patches. At least that's how the normal process goes. You got the smaller sized ota update and it only modifies the specific files that are being patched for that particular OTA update.
So with normal OTA only pieces of the partitions get updated. Sometimes they all are not touched with every update.
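Delgoth's point about checking the published hash of a downloaded image before fastboot-flashing it, as an added example that is not code from this thread or from Google's tooling: it parses a `sha256sum`-style checksum file, streams the image through SHA-256, and refuses to pass an image the checksum file does not list. The image bytes, the file name `example-factory-image.zip` and the checksum file are constructed here so the script runs offline.

```python
"""Verify a downloaded firmware image against its published SHA-256 before flashing.

Added example, not code from this thread or from Google's tooling. The
image bytes and the checksum file are constructed here so it runs offline;
on a real download you would pass the image path and the text of the
vendor's checksum file (the `sha256sum` "<hex>  <filename>" layout).
"""
import hashlib
import hmac
import os
import tempfile
from typing import Dict, Tuple


def parse_checksum_file(text: str) -> Dict[str, str]:
    """Map file name -> lowercase hex digest; skips comments and malformed lines."""
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            continue  # not a SHA-256 line
        digest, name = parts
        name = name.lstrip("*")  # coreutils marks binary mode with a leading '*'
        entries[os.path.basename(name)] = digest.lower()
    return entries


def sha256_of_file(path: str) -> str:
    """Stream the file through SHA-256 so multi-GB images don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(path: str, checksum_text: str) -> Tuple[bool, str]:
    """Return (ok, reason). An image absent from the checksum file is a failure, not a pass."""
    expected = parse_checksum_file(checksum_text).get(os.path.basename(path))
    if expected is None:
        return False, "image is not listed in the checksum file"
    actual = sha256_of_file(path)
    if not hmac.compare_digest(actual, expected):
        return False, f"sha256 mismatch: got {actual[:16]}..., expected {expected[:16]}..."
    return True, "sha256 matches"


def demo() -> Dict[str, bool]:
    """Constructed fixture: a fake image, its checksum file, then a one-byte corruption."""
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "example-factory-image.zip")  # placeholder name
    payload = b"ANDROID!" + bytes(range(256)) * 4096  # 1 MiB of constructed filler
    with open(image, "wb") as f:
        f.write(payload)
    checksum_text = ("# constructed checksum file\n"
                     f"{hashlib.sha256(payload).hexdigest()}  example-factory-image.zip\n")
    results = {"intact": verify_image(image, checksum_text)[0]}

    with open(image, "r+b") as f:  # flip one byte, as a truncated or tampered download would
        f.seek(4096)
        f.write(b"\x00")
    results["tampered"] = verify_image(image, checksum_text)[0]

    unlisted = os.path.join(workdir, "other-image.zip")  # same bytes, but not in the list
    with open(unlisted, "wb") as f:
        f.write(payload)
    results["unlisted"] = verify_image(unlisted, checksum_text)[0]
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'PASS' if ok else 'FAIL'}")
```

The "unlisted" case is the one worth keeping: a checker that returns success when it simply finds nothing to compare against gives the same answer for a renamed or substituted image as for a good one.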
Delgoth said:
If you fastboot flash an official Google system.img partition. From Google. With the correct hash value to ensure a correct download. It should flash the entire partition. Same goes for any other partition. If you have a certified unmodified image and flash it, the entire partition should be flashed, not just part of it.
With OTA updates. You only get patches. At least that's how the normal process goes. You got the smaller sized ota update and it only modifies the specific files that are being patched for that particular OTA update.
So with normal OTA only pieces of the partitions get updated. Sometimes they all are not touched with every update.
Thank you. This is exactly what I was looking for
So it sounds like file level replacement instead of block level.
Does the ota verify the other files on the system partition that it does not intend to modify?
thehighhat said:
Thank you. This is exactly what I was looking for
So it sounds like file level replacement instead of block level.
Does the ota verify the other files on the system partition that it does not intend to modify?
It does in the sense that it verifies, before and after the process begins/ends, the correct size of the partition. This is true in the sense of Samsung devices and how the typical standard recovery image works.
But it is the update zip that does most if not all of the size/digest verifications after the files have been patched. Because there is no real way for the rom to know how big the updated build(s) is going to be before the update arrives.
Generally I've seen it verify all the hash values are the same as last time it updated when it begins. And the update zip specifies the ending size.

Virus infection

First, I'm sorry if I'm on the wrong topic.
I installed an application to test (pirate) and I believe I caught some type of malware.
Even after restoring the device it is slow.
My device is SM-J510MN, Android 7.1.1 without root.
Before installing, Android warned me that the app could track me. Any solution?
Falling.down said:
First, I'm sorry if I'm on the wrong topic.
...
Before installing, Android warned me that the app could track me. Any solution?
Did you try a factory reset? Most malware disappears that way, but if it elevated privilege and installed itself as system, you're screwed.
First try to reboot in safe mode, and see if the app is still here.
Raiz said:
Did you try a factory reset? Most malware disappears that way, but if it elevated privilege and installed itself as system, you're screwed.
First try to reboot in safe mode, and see if the app is still here.
Hello, thanks for replying.
The application is no longer installed but the device is very slow.
Falling.down said:
Hello, thanks for replying.
The application is no longer installed but the device is very slow.
It must have installed some other apps in the background or something along those lines; try safe mode and see if it's still slow.
Edit#1: You also might want to see which accounts were connected to this device, they might have been compromised, and you should change passwords ASAP just to be sure.
IMHO an Android phone or tablet can be classified as slow if it's taking longer than the usual time to open apps and if you can clearly notice a delay while switching between screens. In case of installed malware, if the malware tries to perform somewhat intensive tasks on your phone or tablet, you may find that your device begins to slow down as it takes up processing power to do its job. This results in slower loading, apps hanging, and long boot times. It may also cause interruptions and other weird occurrences while making a phone call.
BTW:
One can easily check in real time what apps/services are running (plus their priority) to find any bottlenecks by means of ADB, i.e. running
Code:
adb devices
adb shell "top <options>"
More info here: What You Need to Know About Commands in Windows (www.lifewire.com)
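A parser for the `adb shell top` output the post above suggests, added here as an example and not part of the post: it reads the header line to learn the column layout, so it copes with both the toybox `top` on current Android and the older `top` on Android 7 devices like the one in this thread, and ranks processes by CPU use. Both sample outputs are constructed, not captured from a device, and `com.example.sketchy.app` is a placeholder name.

```python
"""Rank processes from `adb shell top -n 1` output by CPU use.

Added example, not code from this thread. It parses the header line to
learn the column layout, so it copes with the toybox `top` on current
Android ("S[%CPU]" header) and the older Android `top` ("CPU%" header)
found on Android 7 devices. Both samples below are constructed, not
captured from a real phone; com.example.sketchy.app is a placeholder.
"""
from typing import Dict, List, Tuple

CPU_COLUMNS = ("[%CPU]", "%CPU", "CPU%")
NAME_COLUMNS = ("ARGS", "Name", "COMMAND")


def _header_tokens(line: str) -> List[str]:
    """Split a header line; toybox fuses the state and CPU columns as 'S[%CPU]'."""
    tokens: List[str] = []
    for tok in line.split():
        if tok == "S[%CPU]":
            tokens.extend(["S", "[%CPU]"])
        else:
            tokens.append(tok)
    return tokens


def parse_top(text: str) -> List[Dict[str, str]]:
    """Return one dict per process row, keyed by the header names found in the output."""
    lines = text.splitlines()
    header: List[str] = []
    start = 0
    for i, line in enumerate(lines):
        toks = _header_tokens(line)
        if "PID" in toks and any(c in toks for c in CPU_COLUMNS):
            header, start = toks, i + 1
            break
    if not header:
        raise ValueError("no top header line found")
    rows = []
    for line in lines[start:]:
        # The name/args column is last and may contain spaces, so cap the split.
        fields = line.split(None, len(header) - 1)
        if len(fields) != len(header) or not fields[0].isdigit():
            continue  # summary lines, blank lines, or a row that does not fit the layout
        rows.append(dict(zip(header, fields)))
    return rows


def top_consumers(text: str, limit: int = 3) -> List[Tuple[str, float]]:
    """(process name, cpu percent) for the heaviest processes, highest first."""
    rows = parse_top(text)
    if not rows:
        return []
    cpu_key = next(k for k in rows[0] if k in CPU_COLUMNS)
    name_key = next(k for k in rows[0] if k in NAME_COLUMNS)
    cpu = lambda r: float(r[cpu_key].rstrip("%"))  # legacy top prints "31%", toybox "48.2"
    ranked = sorted(rows, key=cpu, reverse=True)
    return [(r[name_key], cpu(r)) for r in ranked[:limit]]


# Constructed sample: toybox top (Android 8+ layout).
TOYBOX_SAMPLE = """\
Tasks: 3 total,   1 running,   2 sleeping,   0 stopped,   0 zombie
  Mem:  3.6G total,  2.9G used,  734M free,   42M buffers
  PID USER         PR  NI VIRT  RES  SHR S[%CPU] %MEM     TIME+ ARGS
 2211 u0_a142      20   0 1.8G 212M 101M R 48.2   5.7   3:12.40 com.example.sketchy.app
  812 system       20   0 2.1G 230M 120M S  4.1   6.2  12:01.55 system_server
 1977 u0_a33       20   0 1.1G  98M  60M S  0.7   2.6   0:40.02 com.android.systemui
"""

# Constructed sample: older Android top (Android 7 and below layout).
LEGACY_SAMPLE = """\
User 23%, System 9%, IOW 0%, IRQ 0%
User 112 + Nice 0 + Sys 41 + Idle 300 + IOW 0 + IRQ 0 + SIRQ 0 = 453

  PID PR CPU% S  #THR     VSS     RSS PCY UID      Name
 3021  0  31% R    41 1233456K 187654K  bg u0_a99   com.example.sketchy.app
  610  0   6% S   102 1900000K 210000K  fg system   system_server
"""

if __name__ == "__main__":
    for label, sample in (("toybox", TOYBOX_SAMPLE), ("legacy", LEGACY_SAMPLE)):
        for name, pct in top_consumers(sample):
            print(f"{label}: {pct:5.1f}%  {name}")
```

In practice you would feed it `adb shell top -n 1` captured to a file; a third-party package that stays at the top of this list while the screen is off is the sort of thing safe mode (which suspends third-party apps) then confirms or rules out.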

Can there be malware files other than apk?

Can there be malware files other than apk?
I mean on a phone, only an apk can do hacking like taking video without the user knowing.
But would there be other exe files that can run and hack??
What if I install a custom ROM not based on Android Linux?
Then other files can run and hack?
If malware is in the kernel, then can it use the camera in my phone? I mean malware in the kernel would not be in the form of an apk, I guess. But can it still access my camera?
If they can, I heard 2 programs can't use the camera at the same time. Then when malware in the kernel is using the camera, if I click the camera app, one of the malware in the kernel and me will lose access to the camera?
What OS version?
blackhawk said:
What OS version?
Lollipop-Marshmallow
Jenjenjney said:
Lollipop-Marshmallow
Anything below Android 9 is vulnerable to partition worming rootkits like X-helper. A full reflash should be done if a factory reset doesn't get it. Rootkits are the worst of the worst and can do exponential damage. It must be eliminated... zero tolerance. Scan with Malwarebytes if you haven't already... it might find some of it.
Change passwords once it's eliminated. Be careful what you install and download in the future. Scan any sideloaded apps first with online VirusTotal; if there's any question of security with an app, don't install it. You are what you load.
Use only cloud based email like Gmail.
If you continue to use that OS version you'll want to lock it down more. Install Karma Firewall and block everything that doesn't need internet access to function ie browsers. Paid apps block once activated.
