Author Topic: Android malware types and removal  (Read 2334 times)


Offline Kulverstukas

Android malware types and removal
« on: January 08, 2015, 02:45:15 pm »
So, a guy I know told me he's convinced he has some sort of malware on his Samsung smartphone. He says that he once gave his phone to some dude he knows to call someone, who had it for about half an hour in another room, and since then, other people tell him about things only he should know. He believes that this guy (who is also sorta rich and has connections with the police, according to him) can see what he writes through Facebook, SMSs and other kinds of information and is tracking his activities.
I know this is possible to do, but I am unsure of removal methods. At that moment I suggested going to the police about it, but he refused, saying he has ties with the cops. I then suggested bringing the phone to a repair sweatshop and having it dewormed by flashing a new stock system (the phone is also stock as he has it), and said that the shop has to wipe the cache and other partitions to be sure of a complete wipe.

However, I don't know how sophisticated Android malware has gotten over the years, but flashing the whole system would have to do it, right?

Offline Syntax990

Re: Android malware types and removal
« Reply #1 on: January 08, 2015, 03:10:09 pm »
However, I don't know how sophisticated Android malware has gotten over the years, but flashing the whole system would have to do it, right?

Cyanogenmod!

He believes that this guy (who is also sorta rich and has connections with the police, according to him) can see what he writes through Facebook, SMSs and other kinds of information and is tracking his activities.

If I were in his position I would sell the phone. I would try flashing the system, but if this guy has dodgy connections then I wouldn't trust the hardware. That's just me though...

Offline z3ro

Re: Android malware types and removal
« Reply #2 on: January 08, 2015, 04:36:15 pm »
Android malware has gotten very sophisticated these days. (For example, the pretty awesome keylogger which uses only the built-in gyroscope!)

A custom ROM such as Cyanogenmod could solve the problem but buying a new phone is still the best option.

Final thoughts: Tell your guy to buy a Nokia 3310  :P  I'd love to see malware infecting that!


~ God is real. Unless declared as an integer.

Offline Axon

« Last Edit: January 08, 2015, 04:47:50 pm by Axon »

Offline Kulverstukas

Re: Android malware types and removal
« Reply #4 on: January 08, 2015, 08:15:10 pm »
https://play.google.com/store/apps/details?id=org.malwarebytes.antimalware
I am very skeptical when it comes to mobile antiviruses. And not just because of this. But I am also unsure how sophisticated AV for mobiles has gotten as well...
I never trusted AVs anyway, so... :P Yes, selling the phone is the safest option, I've come to that conclusion too, but what are the other alternatives?

Offline d4rkcat

Re: Android malware types and removal
« Reply #5 on: January 08, 2015, 08:20:23 pm »
Android malware has gotten very sophisticated these days. (For example, the pretty awesome keylogger which uses only the built-in gyroscope!)

I think you mean turning the gyro into a microphone? It's just a theoretical attack from the Snowden leaks; there's no proof it was ever used or that it works. They probably have much better root backdoors to listen to you from the real microphone.

In terms of removing malware from an Android? I'm no expert, but from what I understand there are parts of memory that cannot be flashed. I consider them all to come backdoored from the factory anyway.
If you're doing anything that you want to be kept private on an Android, you are batshit insane.
Like z3ro said, buy a Nokia 3310.
Jabber (OTR required): thed4rkcat@einfachjabber.de    Email (PGP required): thed4rkcat@yandex.com    PGP Key: here and here     Blog

<sofldan> not asking for anyone to hold my hand uber space shuttle door gunner guy.


Offline Syntax990

Re: Android malware types and removal
« Reply #6 on: January 08, 2015, 08:34:19 pm »
Yes, selling the phone is the safest option, I've come to that conclusion too, but what are the other alternatives?

Let's assume he wants to keep the operating system as it is, and wants to keep the phone. So flashing it or selling it is not an option, and we are quite limited in what we could do. I doubt the attacker would have used generic malware to do what he's doing, so antivirus won't really serve well here.

If it's rooted, great! Take advantage of this moment. Install a terminal emulator and install a terminal application capable of viewing tasks, such as 'htop'. A normal task manager won't work; we want something outside the traditional Android environment. Find what tasks are running which shouldn't be and kill them, find out why they are running and stop them (easier said than done).

Another idea is possibly to monitor network traffic. Find out where the data is going. You will:

  • Get an idea as to what information is being sent across the network.
  • Find the machine that's getting the information.
After all this, the phone should be unrooted ASAP! A rooted phone has more privileges and in effect will give more power to the malware.

Everything I said was meant in a hypothetical way; I'm not even sure what I said is even possible.

Good Luck Man!
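An added example, not from the thread, of the "which process does the traffic belong to" idea above: every Android app runs under its own Linux uid, so from a root shell one can read /proc/net/tcp, take the uid of each ESTABLISHED socket, and map it back to a package through /data/system/packages.list. Both inputs below are constructed samples, the package names are made up, and, as d4rkcat notes, a kernel-level rootkit can hide sockets from /proc, so this only shows what the kernel reports.

```python
# Constructed sample of /proc/net/tcp as read from a rooted Android device (not a real capture).
# Fields: sl local_address rem_address st tx:rx tr:tm retrnsmt uid timeout inode ...
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0A00020F:C0A8 176433C6:01BB 01 00000000:00000000 00:00000000 00000000 10057        0 23456 1 0000000000000000 20 4 30 10 -1
   2: 0A00020F:D2F1 077100CB:1F91 01 00000000:00000000 00:00000000 00000000 10112        0 34567 1 0000000000000000 20 4 30 10 -1
"""

# Constructed excerpt of /data/system/packages.list: "<package> <uid> <debuggable> <data dir> ...".
SAMPLE_PACKAGES_LIST = """\
com.android.chrome 10057 0 /data/user/0/com.android.chrome default:targetSdkVersion=29 3003
com.example.helper 10112 0 /data/user/0/com.example.helper default:targetSdkVersion=22 3003
"""

ESTABLISHED = "01"  # TCP_ESTABLISHED state code as shown in /proc/net/tcp


def hex_to_ip_port(field):
    """Turn a /proc/net/tcp address field (little-endian IPv4 hex:port hex) into (dotted IP, port)."""
    ip_hex, port_hex = field.split(":")
    octets = [int(ip_hex[i:i + 2], 16) for i in range(6, -1, -2)]  # reverse byte order
    return ".".join(map(str, octets)), int(port_hex, 16)


def parse_packages_list(text):
    """Map app uid -> package name from packages.list lines."""
    uid_to_pkg = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1].isdigit():
            uid_to_pkg[int(parts[1])] = parts[0]
    return uid_to_pkg


def established_connections(proc_net_tcp, uid_to_pkg):
    """Return (owning package or 'uid:N', remote IP, remote port) for each ESTABLISHED socket."""
    result = []
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) < 8 or parts[3] != ESTABLISHED:
            continue  # listening, closed, or malformed rows are not outbound data flows
        remote_ip, remote_port = hex_to_ip_port(parts[2])
        uid = int(parts[7])
        owner = uid_to_pkg.get(uid, f"uid:{uid}")  # system uids (<10000) have no packages.list entry
        result.append((owner, remote_ip, remote_port))
    return result


if __name__ == "__main__":
    for owner, ip, port in established_connections(SAMPLE_PROC_NET_TCP, parse_packages_list(SAMPLE_PACKAGES_LIST)):
        print(f"{owner:24} -> {ip}:{port}")
```

On a real device the two files are read with root (e.g. `adb shell su -c cat /proc/net/tcp`); a package you do not recognise talking to an unfamiliar remote is the lead to investigate, not a verdict.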

Offline d4rkcat

Re: Android malware types and removal
« Reply #7 on: January 08, 2015, 08:41:00 pm »
If it's rooted, great! Take advantage of this moment. Install a terminal emulator and install a terminal application capable of viewing tasks, such as 'htop'. A normal task manager won't work; we want something outside the traditional Android environment. Find what tasks are running which shouldn't be and kill them, find out why they are running and stop them (easier said than done).

Another idea is possibly to monitor network traffic. Find out where the data is going. You will:

  • Get an idea as to what information is being sent across the network.
  • Find the machine that's getting the information.
After all this, the phone should be unrooted ASAP! A rooted phone has more privileges and in effect will give more power to the malware.

Interesting, but you have to consider that if the malware already has root you are screwed no matter what.
If you unroot it, you are only locking yourself out of the system; the malware keeps the root.
As root it is also possible to create a fake root and hide processes from it, so I don't know if even that would help.
Sniffing the traffic is a good idea, but if the attacker has any skill it will lead to nothing but proxies.


Offline Syntax990

Re: Android malware types and removal
« Reply #8 on: January 08, 2015, 08:51:53 pm »
Sniffing the traffic is a good idea, but if the attacker has any skill it will lead to nothing but proxies.

I suppose sniffing the traffic could give us an idea as to where that information is originating from? Obviously the Android device, but the packets could provide insight as to what process the malware belongs to?
« Last Edit: January 08, 2015, 08:52:10 pm by syntax990 »

Offline Axon

Re: Android malware types and removal
« Reply #9 on: January 08, 2015, 08:52:26 pm »
I am very skeptical when it comes to mobile antiviruses. And not just because of this. But I am also unsure how sophisticated AV for mobiles has gotten as well...
I never trusted AVs anyway, so... :P Yes, selling the phone is the safest option, I've come to that conclusion too, but what are the other alternatives?
Ok, if you don't trust the AVs, that's fine. Another alternative is flashing another firmware, either the original or Cyanogenmod, or just a factory reset is enough.

I have to say this: have you ever thought your friend might be ultra-paranoid? You didn't mention anything that would make him a potential target. Therefore, I assume he's just a typical citizen, so why would the police be interested in him?
« Last Edit: January 08, 2015, 08:53:10 pm by Axon »

Offline Kulverstukas

Re: Android malware types and removal
« Reply #10 on: January 08, 2015, 09:04:52 pm »
I didn't say the police are interested in him; it's some dude that had his phone for half an hour. He knows that this dude is seeing his messages, because apparently the attacker is blabbering to everyone about it, and people keep telling the victim things they shouldn't know. So that's why he thinks something is up. I mentioned going to the police and letting them handle this with the law, but he refused, saying the attacker has ties with the police.

Also, I'd imagine Android malware could embed itself into the factory image too, like Windows malware does with System Restore?

Offline Axon

Re: Android malware types and removal
« Reply #11 on: January 08, 2015, 09:08:19 pm »
I didn't say the police are interested in him; it's some dude that had his phone for half an hour. He knows that this dude is seeing his messages, because apparently the attacker is blabbering to everyone about it, and people keep telling the victim things they shouldn't know. So that's why he thinks something is up. I mentioned going to the police and letting them handle this with the law, but he refused, saying the attacker has ties with the police.

Also, I'd imagine Android malware could embed itself into the factory image too, like Windows malware does with System Restore?
Ok ok ok. The only option I see here is one of these two:
1- Cyanogenmod
2- A new mobile phone

Offline Syntax990

Re: Android malware types and removal
« Reply #12 on: January 08, 2015, 09:11:04 pm »
Ok ok ok. The only option I see here is one of these two:
1- Cyanogenmod
2- A new mobile phone

+1

Offline d4rkcat

Re: Android malware types and removal
« Reply #13 on: January 08, 2015, 09:16:27 pm »
According to this, flashing your ROM does not format the /system/ partition.
Advanced malware can survive a flash. Probably unlikely, though, but I wouldn't risk it.
Option 2 FTW.


Offline Axon

Re: Android malware types and removal
« Reply #14 on: January 08, 2015, 09:28:53 pm »
Nokia 3310* FTW??


Please tell me this is a joke :D