EvilZone
Hacking and Security => Mobile Hacking => Android => : Kulverstukas January 08, 2015, 02:45:15 PM
-
So, a guy I know told me he's convinced he has some sort of malware on his Samsung smartphone. He says that he once gave his phone to some dude he knows to call someone, he had it for about half an hour in another room and since then, other people tell him about things only he should know. He believes that this guy (who is also sorta rich and has connections with police, according to him) can see what he writes through Facebook, SMSs and other kinds of information and is tracking his activities.
I know this is possible to do, but I am unsure of removal methods. At that moment I suggested going to the police about it, but he refused, saying he has ties with the cops. I then suggested bringing the phone to a repair sweatshop and having it dewormed by flashing a new stock system (the phone is stock as he has it), and said that the shop has to wipe the cache and other partitions to be sure of a complete wipe.
However, I don't know how sophisticated Android malware has gotten over the years, but flashing the whole system would have to do it, right?
-
However, I don't know how sophisticated Android malware has gotten over the years, but flashing the whole system would have to do it, right?
Cyanogenmod!
He believes that this guy (who is also sorta rich and has connections with police, according to him) can see what he writes through Facebook, SMSs and other kinds of information and is tracking his activities.
If I was in his position I would sell the phone. I would try flashing the system, but if this guy has dodgy connections then I wouldn't trust the hardware. That's just me though...
-
Android malware has gotten very sophisticated these days. (For example, the pretty awesome keylogger which uses only the built-in gyroscope!)
A custom ROM such as Cyanogenmod could solve the problem, but buying a new phone is still the best option.
Final thoughts: Tell your guy to buy a Nokia3310 :P I'd love to see malware infecting that!
-
https://play.google.com/store/apps/details?id=org.malwarebytes.antimalware
-
https://play.google.com/store/apps/details?id=org.malwarebytes.antimalware
I am very skeptical when it comes to mobile antiviruses. And not just because of this (http://www.greenbot.com/article/2140008/google-pulls-scam-security-app-from-google-play.html). But I am also unsure how sophisticated AV for mobiles has gotten as well...
I never trusted AVs anyway, so... :P Yes, selling the phone is the safest option, I've come to that conclusion too, but what are the other alternatives?
-
Android malware has gotten very sophisticated these days. (For example, the pretty awesome keylogger which uses only the built-in gyroscope!)
I think you mean turning the gyro into a microphone? It's just a theoretical attack from the Snowden leaks, no proof it was ever used or that it works. They probably have much better root backdoors to listen to you from the real microphone.
In terms of removing malware from an Android? I'm no expert, but from what I understand there are parts of memory that cannot be flashed. I consider them all coming backdoored from the factory anyway.
If you're doing anything that you want to be kept private on an Android you are batshit insane.
Like z3ro said, buy a Nokia3310.
-
Yes, selling the phone is the safest option, I've come to that conclusion too, but what are the other alternatives?
Let's assume he wants to keep the operating system as it is, and wants to keep the phone. So flashing it or selling it is not an option, and we are quite limited in what we can do. I doubt the attacker would have used generic malware to do what he's doing, so antivirus won't really serve well here.
If it's rooted, great! Take advantage of this moment. Install a terminal emulator and install a terminal application capable of viewing tasks, such as 'htop'. A normal task manager won't work, we want something outside the traditional Android environment. Find what tasks are running which shouldn't be and kill them, find out why they are running and stop them (easier said than done).
Another idea is possibly to monitor network traffic. Find out where the data is going. You will:
- Get an idea as to what information is being sent across the network.
- Find the machine that's getting the information.
After all this, the phone should be unrooted ASAP! A rooted phone has more privileges and in effect will give more power to the malware.
Everything I said was meant in a hypothetical way, I'm not even sure what I said was even possible.
Good luck, man!
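The "find out where the data is going" step above can be done without a sniffer on a rooted phone: `/proc/net/tcp` lists every TCP socket with the owning uid, and on Android each installed app has its own uid, so a socket can be attributed to a package with `pm list packages -U`. Below is an added example (not from anyone in this thread) that parses constructed samples of both outputs; the IPs are RFC 5737 documentation addresses and the package names are made up.

```python
import ipaddress

TCP_ESTABLISHED = "01"
# RFC 1918 plus loopback: peers outside these ranges are "leaving the phone"
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample of /proc/net/tcp: documentation IPs (RFC 5737), made-up uids
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9001 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:B9C4 076433C6:01BB 01 00000000:00000000 00:00000000 00000000 10086        0 9002 1 0000000000000000 20 4 30 10 -1
   2: 0F02000A:C3A1 0A01A8C0:01BD 01 00000000:00000000 00:00000000 00000000 10086        0 9003 1 0000000000000000 20 4 30 10 -1
   3: 0F02000A:D002 2D7100CB:1F91 01 00000000:00000000 00:00000000 00000000 10234        0 9004 1 0000000000000000 20 4 30 10 -1
"""
# Constructed sample of `pm list packages -U`, which maps each app's uid to its package
SAMPLE_PM = """\
package:com.example.browser uid:10086
package:com.example.sync uid:10234
"""

def parse_hex_addr(token):
    # '076433C6:01BB' -> (198.51.100.7, 443); the kernel prints the IPv4 address little-endian
    ip_hex, port_hex = token.split(":")
    ip = ipaddress.IPv4Address(int.from_bytes(bytes.fromhex(ip_hex), "little"))
    return ip, int(port_hex, 16)

def parse_proc_net_tcp(text):
    # Yield (local, remote, state, uid) per socket row; Android gives every app its own uid
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) >= 10:
            yield parse_hex_addr(f[1]), parse_hex_addr(f[2]), f[3], int(f[7])

def parse_pm_uids(text):
    uids = {}
    for line in text.splitlines():
        if line.startswith("package:") and " uid:" in line:
            pkg, uid = line[len("package:"):].split(" uid:")
            uids[int(uid)] = pkg.strip()
    return uids

def external_connections(tcp_text, pm_text):
    # Established sockets whose peer is outside the phone/LAN, attributed to the owning package
    uids = parse_pm_uids(pm_text)
    found = []
    for _local, (rip, rport), state, uid in parse_proc_net_tcp(tcp_text):
        if state == TCP_ESTABLISHED and not any(rip in net for net in LOCAL_NETS):
            found.append((uids.get(uid, f"uid:{uid}"), str(rip), rport))
    return found
```

On a real phone, read the file and the `pm` output from a root shell or `adb shell`; a uid that maps to no package (system uid, or a process hiding from `pm`) is itself worth a closer look.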
-
If it's rooted, great! Take advantage of this moment. Install a terminal emulator and install a terminal application capable of viewing tasks, such as 'htop'. A normal task manager won't work, we want something outside the traditional Android environment. Find what tasks are running which shouldn't be and kill them, find out why they are running and stop them (easier said than done).
Another idea is possibly to monitor network traffic. Find out where the data is going. You will:
- Get an idea as to what information is being sent across the network.
- Find the machine that's getting the information.
After all this, the phone should be unrooted ASAP! A rooted phone has more privileges and in effect will give more power to the malware.
Interesting, but you have to consider that if the malware already has root you are screwed no matter what.
If you unroot it you are only locking yourself out of the system; the malware keeps root.
As root it is also possible to create a fake root and hide processes from it, so I don't know if even that would help.
Sniffing the traffic is a good idea, but if the attacker has any skill it will lead to nothing but proxies.
-
Sniffing the traffic is a good idea, but if the attacker has any skill it will lead to nothing but proxies.
I suppose sniffing the traffic could give us an idea as to where that information originates from? Obviously the Android device, but the packets could provide insight as to what process the malware belongs to?
-
I am very skeptical when it comes to mobile antiviruses. And not just because of this (http://www.greenbot.com/article/2140008/google-pulls-scam-security-app-from-google-play.html). But I am also unsure how sophisticated AV for mobiles has gotten as well...
I never trusted AVs anyway, so... :P Yes, selling the phone is the safest option, I've come to that conclusion too, but what are the other alternatives?
Ok, if you don't trust the AVs, that's fine. Another alternative is flashing another firmware, either the original or Cyanogenmod, or just a factory reset is enough.
I have to say this, have you ever thought your friend might be ultra-paranoid? You didn't mention anything that would make him a potential target. Therefore, I assume he's just a typical citizen, so why would the police be interested in him?
-
I didn't say the police are interested in him, it's some dude that had his phone for half an hour. He knows that this dude is seeing his messages, because apparently the attacker is blabbering to everyone about it, and people keep telling the victim things they shouldn't know. So that's why he thinks something is up. I mentioned going to the police and letting them handle this with the law, but he refused, saying the attacker has ties with the police.
Also, I'd imagine Android malware could embed itself into the factory image too, like Windows malware does with System Restore?
-
I didn't say the police are interested in him, it's some dude that had his phone for half an hour. He knows that this dude is seeing his messages, because apparently the attacker is blabbering to everyone about it, and people keep telling the victim things they shouldn't know. So that's why he thinks something is up. I mentioned going to the police and letting them handle this with the law, but he refused, saying the attacker has ties with the police.
Also, I'd imagine Android malware could embed itself into the factory image too, like Windows malware does with System Restore?
Ok ok ok. The only option I see here is one of the two.
1- Cyanogenmod
2- A new mobile phone
-
Ok ok ok. The only option I see here is one of the two.
1- Cyanogenmod
2- A new mobile phone
+1
-
According to this (https://android.stackexchange.com/questions/6541/can-a-factory-reset-fix-malware-problem), flashing your ROM does not format the /system/ partition.
Advanced malware can survive flashing. Probably unlikely though, but I wouldn't risk it.
Option 2 FTW.
-
Nokia3310* FTW ??
(http://windowsphonebrasil.com.br/wp-content/uploads/2014/04/nokia-3310.jpg)
Please tell me this is a joke :D
-
1- Cyanogenmod
Why Cyanogenmod? I know it's great, I used it before, but for a regular phone user stock is sufficient, or is there some hidden thing about it?
-
I think you mean turning the gyro into a microphone? It's just a theoretical attack from the Snowden leaks, no proof it was ever used or that it works. They probably have much better root backdoors to listen to you from the real microphone.
In terms of removing malware from an Android? I'm no expert, but from what I understand there are parts of memory that cannot be flashed. I consider them all coming backdoored from the factory anyway.
If you're doing anything that you want to be kept private on an Android you are batshit insane.
Like z3ro said, buy a Nokia3310.
Nope. Keylogger.. like in KEYLOGGER :P
http://www.techhive.com/article/239577/a_smartphone_keylogger_using_the_built_in_gyroscope.html
Maybe there are more 'physical' methods to capture data from a smartphone? Food For Thought.
-
Why Cyanogenmod? I know it's great, I used it before, but for a regular phone user stock is sufficient, or is there some hidden thing about it?
I run stock. But the only thing I ever needed root for was my PS3 controller. It works great for the emulators, I game all night at work.
Although, I don't like Lollipop. Running Jelly Bean, fuck the RAM hungry updates. Not to mention the write access it fucks over. Wanna FTP??? Lollipop says fuck you....
-
Nope. Keylogger.. like in KEYLOGGER :P
http://www.techhive.com/article/239577/a_smartphone_keylogger_using_the_built_in_gyroscope.html
Maybe there are more 'physical' methods to capture data from a smartphone? Food For Thought.
Wow, cool stuff, thanks for the share.
71.5% accuracy on a 10-key number pad is kind of crap though, and I suspect that if they tested more people the accuracy would decrease, but still that is some amazing research.
I saw something different about the gyro:
https://www.reddit.com/r/netsec/comments/2e3m5c/using_the_gyroscope_to_record_sound_without/
-
Why Cyanogenmod? I know it's great, I used it before, but for a regular phone user stock is sufficient, or is there some hidden thing about it?
Cyanogenmod is just an open source version of Android. Its security tends to be better and its users get much more power over their device. Cyanogenmod doesn't come with bloatware like Android. It's been tweaked for better performance and in general is just the better one of the two.
I would recommend it to all Android users, even the non-technical ones.
-
Cyanogenmod is just an open source version of Android. Its security tends to be better and its users get much more power over their device. Cyanogenmod doesn't come with bloatware like Android. It's been tweaked for better performance and in general is just the better one of the two.
I would recommend it to all Android users, even the non-technical ones.
Cyanogenmod is a nice ROM, personally I prefer:
AOKP (http://aokp.co/) - Looks cool and is light, customizable.
SlimROM (http://www.slimroms.net/) - Super light and snappy android experience.
-
Let's not derail this, kk. Question was about android malware types and defense.
-
Let's not derail this, kk. Question was about android malware types and defense.
LOL you are the one who asked about cyanogenmod!
Anyway back to malware on Android.
Malware's bad, mkay?
-
Let's not derail this, kk. Question was about android malware types and defense.
I'll "put us back on track". Cyanogenmod along with the ROMs that D4rkcat said are good alternatives to Android.
This is not just because of the performance and usage benefits but also because certain malware (I'm inclusively referring to malware that targets Android's kernel) will have little to no effect on its incompatible code.
-
Let's not derail this, kk. Question was about android malware types and defense.
I think the main question was about the alternative options your friend might have to avoid being watched, according to his claims. Nevertheless, since Android is open source and it allows third-party apps to be downloaded, this makes Android vulnerable to various types of malware.
http://www.forbes.com/sites/gordonkelly/2014/03/24/report-97-of-mobile-malware-is-on-android-this-is-the-easy-way-you-stay-safe/
And how to defend yourself against the growing threats of Android malware? It doesn't take a bright mind to figure it out.
1- Always have an AV and anti-malware on your mobile phone. I know they aren't 100% effective, but at least they do their job.
2- Never download third-party apps. Avoid downloading apps from random websites.
3- Examine the permissions of the apps on your phone. There are some apps for Android that require no permissions but allow you to examine the permissions given to all the installed apps; this helps to detect an app with suspicious permissions.
https://play.google.com/store/apps/details?id=com.ovmobile.appopslauncher
I think this paper is also informative.
http://www.ijcsit.com/docs/Volume%205/vol5issue02/ijcsit20140502216.pdf
This is what I think are the main steps to defend yourself against Android malware. I claim no experience, I'm just an Android user since 2012.
Signed: Axon
:D
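Step 3 above (examining app permissions) can also be done from a shell: `dumpsys package` lists each package's "requested permissions:" block. As an added example (not from any poster in this thread), the script below parses a constructed, trimmed sample in that shape and flags packages whose permission set would let them read messages or audio and ship them off the phone; the package names are made up, the permission names are real Android ones.

```python
import re

# Each rule fires only when an app requests every permission in the set
RISK_RULES = {
    "can read SMS and send it off-device": {"android.permission.READ_SMS", "android.permission.INTERNET"},
    "can record audio and send it off-device": {"android.permission.RECORD_AUDIO", "android.permission.INTERNET"},
    "can track location after reboot and send it off-device": {
        "android.permission.ACCESS_FINE_LOCATION", "android.permission.RECEIVE_BOOT_COMPLETED",
        "android.permission.INTERNET"},
}

# Constructed, trimmed sample in the shape of `dumpsys package` output (made-up packages)
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.notes] (3f1a2c):
    userId=10120
    requested permissions:
      android.permission.INTERNET
      android.permission.VIBRATE
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.example.sync] (7b9e01):
    userId=10234
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_SMS
      android.permission.RECEIVE_SMS
      android.permission.RECORD_AUDIO
      android.permission.RECEIVE_BOOT_COMPLETED
    install permissions:
      android.permission.INTERNET: granted=true
"""
PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")

def parse_requested_permissions(text):
    # package -> set of permissions listed under its "requested permissions:" block
    perms, pkg, in_block = {}, None, False
    for line in text.splitlines():
        m = PKG_RE.match(line)
        if m:
            pkg, in_block = m.group(1), False
            perms[pkg] = set()
            continue
        stripped = line.strip()
        if stripped.endswith(":"):  # any other section header ends the block
            in_block = stripped == "requested permissions:"
        elif in_block and pkg and stripped.startswith("android.permission."):
            perms[pkg].add(stripped)
    return perms

def flag_packages(perms):
    # package -> reasons, only for packages that match at least one rule
    flagged = {}
    for pkg, held in perms.items():
        reasons = [why for why, need in RISK_RULES.items() if need <= held]
        if reasons:
            flagged[pkg] = reasons
    return flagged
```

This checks only what an app requests; whether a runtime permission was actually granted appears in the "runtime permissions:" section, so a flagged package still deserves a manual look there.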