
Thread: HELP! Phone Severely Compromised!! (Like Nothing I've Ever Seen)

  1. #1 Junior Member (joined Oct 2015, 4 posts)

    Hello folks, moving this thread here due to little activity on premium forums.

    So a week or two ago, my phone started to act very suspiciously. It started to glitch, run slow, and restart on its own. Upon digging around in the running processes, I discovered hundreds of curiously named .apks and custom written scripts that seemed to make use of "org.simalliance.openmobile.api.service:remote". Essentially I found logs being created of every app and service on the phone and found protocols used to dump the logs into a remote service. Simple spyware? Maybe....until I found this.

    Upon trying to factory reset the phone, I saw that the phone was in "#manual mode. Multi csc mode applied". There were also several log files that appeared to show some genius-level hijacking of everything in the phone down to the root files. At this time I'm not 100% sure if the "phone" rooted itself. But, it sure looks that way based on the log files. The files show custom scripts being injected to launch apk files and scripts while "factory resetting" the phone (I've never reset or rooted this phone). The interesting thing is though, is that once the files did their work, they deleted themselves, according to the logs.

    Upon trying to factory reset or wipe the cache partition, the phone spits out a short log file and in about 2 seconds "factory resets and wipes the phone". However, upon booting the phone, it's clear that all of the same rogue apps (multiple iterations of "android system", "google services", "smartcard manager") and processes are still running strong. A few examples include "com.qualcomm.attfwdservice", "com.qualcomm.embms", "com.qualcomm.telephony", "deviceTest", "com.samsung.inputeventapp", "com.trustonic.tuiservice", "Make_sim_DBService", just to name a few. I realize that at face value, some of these processes are part of core files in the phone, but upon viewing the processes started by them and the permissions they are given, they seem very out of place.

    Permissions include READ_CALL_SETTINGS, "This application can access MDM content providers", "com.sec.android.app.music.permission.WRITE_SETTINGS", "com.sec.android.app.sns3.permission.SNS_FB_ACCESS_TOKEN", "MIRRORLINK_ACCESS_PERMISSION", "com.samsung.android.soagent.permission.ACCESSORY", "com.android.permission.LOCK_TASK_MODE", "...provider.badge.permission.WRITE" and many more. All of the apps that I deem suspicious are mentioned in the process description as grouped together and all have similar permissions.

    Some other symptoms (to name a few) of the phone are random shutdowns and reboots (this always happens when trying to install a new app, however), battery life being taxed slightly, catching the phone once or twice in a menu when unlocking the phone, cache files constantly piling up for audio recorder and camera, "selfie alarm process", things like google services and play store showing up in the downloaded apps section, getting redirected to "tracking.roo....." very briefly before getting to the URL I typed.

    I'm worried that my security is threatened as I've also had some issues with my home PC. I've had several exploit attempts blocked by A.E. programs as well as fishy processes and a sluggish system. I don't want to have my information stolen and I'm just plain pissed off that my $800 phone is essentially an unfixable P.O.S. that is spying on my every move. I want to be able to log into my bank apps and other websites without having to worry about keyloggers or remote hijacking attempts. I just want this to be over with! If anyone can offer some advice I'd really, really appreciate it. I'm at a complete loss now as my technological abilities are limited.

    My 3 main questions:

    If I flash a factory rom to the phone with ODIN, will that completely eliminate any chance of rogue files being left in the root folders?

    How can I keep my phone and home network secure once this is fixed?

    Is it possible that this threat is now somehow stuck inside my network? Meaning that anything I connect to the router could be affected.


    I really appreciate your help, this is driving me insane.

  2. #2 Senior Member (joined Dec 2011, 41,791 posts)
    Do not expect an immediate response to this issue.
    As you have indicated, there are strange things happening that would not immediately be put down to a firmware or app issue.
    I am inclined towards your theory of malicious trojan or other malware.
    But that is an immediate reaction, and after some more thorough analysis may not be the case.

    Can you provide some info about your firmware by installing the following app?
    Can you install this app and post:
    Product Code
    Original CSC code
    Active CSC code
    PDA version
    CSC version
    Baseband version
    Android version
    Mobile operator



  3. #3 Junior Member (joined Oct 2015, 6 posts)
    My S6 128 GB phone has not been rooted either. I did try .... with a few China-based Windows 10 programs. My PC became infected with very hard-to-remove malware.

    I think that Samsung has been very wise in not allowing root in the S6. It is not easy. It allows hijacks, as happened to your phone. I am surprised that you have not been able to wipe the phone clean and re-install the original ROM.

    The original ROM has a few places that you can download it from. I think that I will just let Samsung's OTA upgrades happen now. No more rooting, ROM stuff now.

  4. #4 Junior Member (joined Oct 2015, 4 posts)
    Hello Greenman. Thank you for your reply. I apologize about the slow reply time, I've been trying to avoid using my home network. I have run the app and collected the data you requested. I just have a quick foreword: I have not, nor ever attempted to root my phone. To my knowledge it is still unrooted.

    Product Code: [This was blank]
    Original CSC code: VZW
    Active CSC code: VZW
    PDA version: G920VVRU4B0G7
    CSC version: G920VVZWBOG7
    Baseband version: Matches PDA Version
    Android version: 5.1.1
    Mobile operator: Verizon Wireless/311480



    There were also a few other key pieces of data that I thought could be important. The following queries just seemed a bit off to me.


    Build Fingerprint: Verizon/zerofltevzw/zerofltevzw:5.1.1/LMY47X [PDA VERSION]: user/release-keys

    Build Description: Zerofltevzw-User/LMY47X [PDA VERSION]: user/release-keys

    Build Date: Sat.Sep.19 13.18.11 KST 2015 -----------I have had this phone since May

    Changelist: 5358024

    Latest Firmware: N/A

    Kernel Version: [email protected] #1 64 bit.

    Java Virtual Machine: ART 2.1.0 ----------I never set this up, to my knowledge.



    After finding a file called "PERMISSON.alwaysmicon", I've decided to keep the phone powered off with a dead battery for now. All other devices on the network are having issues too. Even on my PS3, I suspect there are rogue security certificates for all websites I visit. Thank you again for your help! I'll try to get back to you as soon as I can.

  5. #5 Junior Member (joined Oct 2015, 4 posts)
    Just to clear up a couple of things, I've never rooted the device, factory reset the device, or even wiped the cache. I could not successfully get rid of the rogue processes by doing any of those (each only took about 4 seconds), so I just don't believe the phone is allowing an actual factory reset. When I tried to flash the ROM on the phone with ODIN, I was using the latest factory firmware from this site, 5.1.1. All went as planned until I tried to carry out the download for the phone. ODIN threw an error code. I appreciate your help!

  6. #6 Junior Member (joined Oct 2015, 4 posts)
    One other, mind-bending thing worth mentioning...... I was messing around with a few old devices of mine. Neither had a SIM card inserted, and neither was configured with my WiFi. On one of them, I was messing around for close to an hour, no issues. I then connected to WiFi and it immediately started having similar problems. In regards to my second device, and this is where things get really interesting....

    I booted immediately into the recovery mode. (Remember: no SIM, SD, or WiFi.) It sat at the regular menu for a second and when I tried to execute the factory reset, the menu screen flashed black and came back with the android error logo. It rebooted to the recovery screen, executed a few lines of text pertaining to enabling manual mode, and installed a file or two (can't remember the extension, /dev/something).

    The menu then displayed;
    Android System Recovery <3e>


    #Manual Mode#
    Applying Multi CSC....
    CSC code applied:VZW
    Multi CSC Mode.

    The exact same thing as my s6. I'm no expert, but doesn't it sound like this execution enabled more than one CSC code, possibly allowing SIM access?
    Last edited by Username12768e7; 19-10-2015 at 05:04. Reason: Added info
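
    Added to this thread by the editor; not written by any of the posters. The firmware fields asked for in #2 and posted in #4 are all readable without a third-party app from `adb shell getprop`, and the "is this a real system component or an impostor?" question from #1 is best answered by where `pm list packages -f` says each APK lives: on stock firmware the Qualcomm, Samsung and Android components sit under /system (or /vendor, /oem), while a package carrying one of those names under /data/app was installed the same way any user app is. Two caveats a practitioner will want. First, the recovery text quoted in #1 and #6 ("#Manual Mode#", "Applying Multi CSC", "CSC code applied: VZW") is what stock Samsung recovery prints after every factory reset on multi-CSC firmware and is not by itself a sign of tampering. Second, `getprop` is answered by the running Android system, so a compromise that has root can report whatever it likes; a clean result from the script below is a hint, not attestation. The script is a constructed example: the SAMPLE_* data is made up to resemble a Verizon S6 on 5.1.1, nothing was captured from a real device, and the Samsung-specific keys (`ro.build.PDA`, `ro.csc.sales_code`, `ro.boot.warranty_bit`) are assumed to exist on this build. Feed it real `adb shell getprop` and `adb shell pm list packages -f` output for a live phone.

```shell
#!/bin/sh
# Added example, not code from the thread. Offline triage of the two things
# the posters gathered by hand: firmware identity from `adb shell getprop`
# and where each package's APK actually lives, from
# `adb shell pm list packages -f`. SAMPLE_PROPS / SAMPLE_PKGS are constructed
# to resemble a Verizon S6 on 5.1.1; nothing here came from a real device.
# Samsung-specific keys (ro.build.PDA, ro.csc.sales_code, ro.boot.warranty_bit)
# are assumed present; on other vendors they simply come back empty.

SAMPLE_PROPS='[ro.product.model]: [SM-G920V]
[ro.build.fingerprint]: [Verizon/zerofltevzw/zerofltevzw:5.1.1/LMY47X/G920VVRU4B0G7:user/release-keys]
[ro.build.PDA]: [G920VVRU4B0G7]
[ro.build.version.release]: [5.1.1]
[ro.csc.sales_code]: [VZW]
[gsm.version.baseband]: [G920VVRU4B0G7]
[ro.build.tags]: [release-keys]
[ro.debuggable]: [0]
[ro.boot.warranty_bit]: [0]'

SAMPLE_PKGS='package:/system/priv-app/SecSettings/SecSettings.apk=com.android.settings
package:/system/app/SmartcardService/SmartcardService.apk=org.simalliance.openmobileapi.service
package:/data/app/com.qualcomm.telephony-1/base.apk=com.qualcomm.telephony
package:/data/app/com.example.notes-1/base.apk=com.example.notes'

# prop NAME PROPS: print the value of one getprop line, empty if absent.
# getprop prints "[name]: [value]"; dots in NAME are escaped for sed.
prop() {
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')
    printf '%s\n' "$2" | tr -d '\r' | sed -n "s/^\[$esc\]: \[\(.*\)\]\$/\1/p"
}

# flag_packages: read `pm list packages -f` lines on stdin and print
# "<package> <apk path>" for every package that wears a platform/vendor
# namespace but was installed as an ordinary user app outside /system,
# /vendor and /oem. Real com.qualcomm.*, com.samsung.*, com.sec.*,
# com.android.*, com.google.* and com.trustonic.* components on stock
# firmware do not live under /data/app.
flag_packages() {
    tr -d '\r' | while IFS= read -r line; do
        case "$line" in package:*=*) ;; *) continue ;; esac
        rest=${line#package:}
        pkg=${rest##*=}
        path=${rest%=*}
        case "$pkg" in
            com.qualcomm.*|com.samsung.*|com.sec.*|com.android.*|com.google.*|com.trustonic.*)
                case "$path" in
                    /system/*|/vendor/*|/oem/*) ;;
                    *) printf '%s %s\n' "$pkg" "$path" ;;
                esac ;;
        esac
    done
}

# build_looks_stock PROPS: exit 0 when the build claims to be a non-debuggable
# release-keys build with the Knox warranty bit clear and, where the build
# exposes it at all, verified boot state green; exit 1 otherwise. The running
# system answers getprop, so this is a cheap sanity check, not attestation.
build_looks_stock() {
    p=$1
    [ "$(prop ro.build.tags "$p")" = "release-keys" ] || return 1
    [ "$(prop ro.debuggable "$p")" = "0" ] || return 1
    wb=$(prop ro.boot.warranty_bit "$p")
    [ -z "$wb" ] || [ "$wb" = "0" ] || return 1
    vb=$(prop ro.boot.verifiedbootstate "$p")
    [ -z "$vb" ] || [ "$vb" = "green" ] || return 1
    return 0
}

# run_triage PROPS PKGS: print the fields asked for in post #2, a verdict on
# the build flags, and any package that looks like a system component but
# was installed as a user app.
run_triage() {
    for name in ro.product.model ro.build.PDA ro.csc.sales_code \
                ro.build.version.release gsm.version.baseband ro.build.fingerprint; do
        printf '%-26s %s\n' "$name" "$(prop "$name" "$1")"
    done
    if build_looks_stock "$1"; then
        echo "build flags: look stock (hint only, not proof)"
    else
        echo "build flags: NOT stock (test-keys, debuggable, warranty bit or verified boot)"
    fi
    printf '%s\n' "$2" | flag_packages | sed 's/^/SUSPECT /'
}

# Run against the constructed sample. For a real device replace the two
# arguments with "$(adb shell getprop)" and "$(adb shell pm list packages -f)".
run_triage "$SAMPLE_PROPS" "$SAMPLE_PKGS"
```

    Against the sample the only SUSPECT line is `com.qualcomm.telephony` under /data/app: same name as the component in post #1, but installed where a sideloaded app goes. A hit here is worth pulling the APK (`adb pull <path>`) and comparing its signing certificate with the one on the matching /system package before deciding anything.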

  7. #7 Junior Member (joined May 2016, 1 post)
    Hi, I've just joined after reading this post as I have the exact same thing going on and it's been going on for a few months now. 3 laptops, a Windows tablet, 6 or 7 phones (Windows, Android & iPhone) and I can't get rid of it. The laptops are pulled apart; it was like it was some kind of boot or BIOS virus that took over admin using TrustedInstaller profiles etc. Numerous attempts, reinstalling Windows, formatting hard drives (write zeros to entire drive), nothing worked, no antivirus would even detect it. Phones all the same issues as the previous poster. Factory reset does nothing; it appears to work, only to boot to the same state they were in before. Nothing detects it and I'm completely stumped and it's really been getting to me as I don't like something beating me.

    One other thing I noticed: whatever this is, it seems like it can infect my other devices without even a wireless or Bluetooth card in the laptops (I removed them). Haven't tried to flash ROMs as I haven't had a usable PC since this started and not sure how I go flashing a ROM from SD or internal memory without a PC. This thing has taken over everything and I got to the point I packed everything up and didn't even have a phone for weeks. Also have a feeling it may have been or is using our phones as a server. I cancelled the number, new phone, new number and it was back.

    How did you go, Username12768e7, did you get rid of it, find something that actually detected it or find out anything more? 7 months after your post and I'm struggling. I have searched and searched until it almost sent me loopy in the process and your post is the first thing I've seen that names my problem to a tee....
    Phones affected are Galaxy Core Prime x2 (SM-G360G)
    Galaxy A3
    HTC One Max (OP3P520)
    Telstra Tempo (ZTE T815)
    Alcatel Pixi 3 4.5 (5017A)
    HTC Desire 520
    iPhone 4
    And......
    3 laptops
    Any help or advice would be greatly appreciated as I'm at wits' end.
    Thanks in advance

  8. #8 Junior Member (joined Jul 2016, 3 posts)
    I've got a Samsung Galaxy S6. The same thing has happened to my phone through my home network. I've figured out pretty much everything that has been talked about previously and agree with it. I'm pretty sure the trojan got in through the port for my wireless printer in my home network and spread to my phone. It turned my HP TouchSmart 320 or whatever into a host server of some type and I was not the "top dog" administrator on my own fricken computer. Which led me to look at my phone and found all the apps, and permissions, and data usage. I got Sprint to switch it out with a new one and the same thing happened to it again. Can I hook it up to my computer with a program to see what the hell ROM the S6 is running or see what's doing what? IDK.............

  9. #9 Senior Member (joined Dec 2011, 41,791 posts)
    There are plenty of antivirus apps available in the Play Store, but for info on your phone install this app:

  10. #10 Junior Member (joined Jul 2016, 3 posts)
    Quote Originally Posted by greenman
    Do not expect an immediate response to this issue.
    As you have indicated, there are strange things happening that would not immediately be put down to a firmware or app issue.
    I am inclined towards your theory of malicious trojan or other malware.
    But that is an immediate reaction , and after some more thorough analysis may not be the case.

    Can you provide some info about your firmware by installing the following app.
    Can you install this app and post:
    Product Code
    Original CSC code
    Active CSC code
    PDA version
    CSC version
    Baseband version
    Android version
    Mobile operator



    I'm wondering why it's taken so long for you to give an answer to Username12768e7... I know you said it would take some time, but dang, long time..... you gave me an answer in like 8 minutes.... although I have the same problem as Username12768e7, therefore an antivirus is the last thing that would work for me if I'm running somebody else's mimic ROM... but I do appreciate the help, this one's tough
