Where can I find a list of day-1 system apps for my device?

Discussion in 'Android Tech Support' started by JohnCena, May 3, 2016.

  1. JohnCena, New Member (Galaxy Note 5 CDMA -- SM-N920V)

    My device has been infected with a RAT (Remote Access Trojan) or whatever the phone equivalent is. Here is my device info.

    -----------------------------------------------------------------------------

    Model: Samsung Galaxy Note 5 (CDMA) (SM-N920V)
    Service Provider: Verizon
    Board: universal7420
    Hardware: Samsungexynos7420
    Total RAM: 3664MB
    Internal Storage: 23.47GB
    Android Version: Marshmallow 6.0.1
    API Lvl: 23
    Security patch level: 2016-04-02
    *Ask if you need more system info*

    -----------------------------------------------------------------------------

    I have factory reset my device multiple times, reset then encrypted, and done a full reset from encryption to factory by using the Kaspersky device nuke security function meant for if it gets stolen. I have scanned it with multiple top-rated virus and malware scanners with 0 results. I have scrambled all of my accounts' passwords, disconnected my accounts from all devices, enabled 2-step verification for whatever has it, and I have done all of this running the phone regularly and in safe mode. I have also scrambled my passwords from friends' computers, but since it logs me out on my phone when I do that, it is virtually wasted time doing so. After all of this there are still signs of infection.

    With this, all signs point to a bug that gained SuperUser privileges and has installed itself as a system application. At least I hope that this is the case, because if it is any deeper I will probably give up and decommission my phone, which I'm paying off for another year and a half and which I morally can't cover by selling as an infected device.

    I would like to obtain a list of SysApps so that I can compare my list to the day-1 list to see if I can pinpoint the location, to share the design/coding with White Hats for studying and prevention. I would also like to determine if it has only gotten as deep as a SysApp before I decide to go through the process of backing up all my data, changing the passwords on all my accounts, uninstalling/reinstalling the OS, and then transferring data back onto my device, downloading all the apps, and logging into my accounts. It would also be nice to root my phone and remove it along with all the bloatware.

    Is there any way for SysApps to be hidden and not displayed in the app manager?

    Is there any way this bug is located somewhere that I've overlooked, besides SysApps, where it would survive what I've done? If so, can user privileges access the location and remove the bug?

    Thanks!


    ---------------------------------------------------------------------------------------------------------------------------------------------
    Below are details of what RATs are and can do, and the terms used by ratters and their community
    ---------------------------------------------------------------------------------------------------------------------------------------------

    I am what is known as a 'slave' for the one controlling the RAT. Generally 'ratters' have a large stock of slaves that they can monitor whenever they please. There are also black markets where ratters buy, sell, and trade slaves on the deep web. The ratters can watch what they are doing on their device(s), view their surroundings through the cameras, obtain sensitive info with keyloggers, listen in on real-time phone conversations or have them all recorded to listen to later, turn on the microphone to listen in on what's going on around the phone, record video, take pictures, take screenshots, load docs onto the device, copy/delete docs on the device, restart the device, flash images that cover the whole screen or just part of it, operate the device from their PC/tablet as if they were holding it (which lags the phone and drains the battery), and add additional tools from other viruses and remove them when they're done using them.

    Ratting is used by some to gather personal info, login credentials, and media (nudes), then use what they gathered for financial gain. However, there are some ratters who choose not to use personal info for financial gain or use compromised profiles for phishing campaigns, so that there is no hard evidence they have infected someone. This sect of ratters does make some money selling nudes, but they also harass their slaves by leaving unverifiable signs of their presence, making them believe a government agency is monitoring them, leaving messages with the victim's address or the content of private conversations, or encouraging suicide; they will also send old draft emails to whom they were addressed, open new tabs with different sites in them, and will blackmail girls and sometimes guys with nudes and conversations that they say they will release unless they do sexual acts on cam for them, etc.

    I'm sure with enough searching one could find a community that uses RATs for much darker reasons.
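One way to do the comparison the question asks for, as an added example that is not from the original poster: the script parses the output of `adb shell pm list packages -f -u` (`-f` prints each package's APK path, `-u` also lists packages that were uninstalled but whose records remain), classifies each package by the partition its APK lives on, and diffs the system/vendor set against a baseline package list. It assumes you captured that baseline from a known-clean device on the same firmware, or extracted it from the stock image; the sample output and package names below are constructed.

```python
"""Diff the packages a device reports against a baseline from a clean device.
Added example, not the poster's code; the baseline list is assumed to exist."""
import re
from typing import Dict, List, NamedTuple

# `pm list packages -f` prints one line per package: package:<apk path>=<name>
LINE_RE = re.compile(r"^package:(?P<path>\S+?)=(?P<name>[\w.]+)$")

class Pkg(NamedTuple):
    name: str
    path: str
    partition: str  # "system", "vendor", "data" or "other"

def classify(path: str) -> str:
    # APKs under /system or /vendor came with the firmware (or were written
    # there with root); /data/app holds ordinary user installs.
    for prefix, label in (("/system/", "system"), ("/vendor/", "vendor"), ("/data/", "data")):
        if path.startswith(prefix):
            return label
    return "other"

def parse_pm_output(text: str) -> Dict[str, Pkg]:
    pkgs: Dict[str, Pkg] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # ignore blank lines and shell noise
            pkgs[m["name"]] = Pkg(m["name"], m["path"], classify(m["path"]))
    return pkgs

def diff_against_baseline(current: Dict[str, Pkg], baseline: List[str]) -> Dict[str, List[str]]:
    """System/vendor packages absent from the baseline are the ones to inspect;
    also report baseline packages now missing and plain user installs."""
    base = set(baseline)
    return {
        "unexpected_system": sorted(p.name for p in current.values()
                                    if p.partition in ("system", "vendor") and p.name not in base),
        "missing_from_baseline": sorted(base - current.keys()),
        "user_installed": sorted(p.name for p in current.values() if p.partition == "data"),
    }

# Constructed sample output; the package names are placeholders, not real findings.
SAMPLE_PM_OUTPUT = """\
package:/system/app/Bluetooth/Bluetooth.apk=com.android.bluetooth
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/priv-app/Unknown/Unknown.apk=com.example.unknown
package:/data/app/com.example.game-1/base.apk=com.example.game
"""
SAMPLE_BASELINE = ["com.android.bluetooth", "com.android.settings", "com.android.phone"]

if __name__ == "__main__":
    for key, names in diff_against_baseline(parse_pm_output(SAMPLE_PM_OUTPUT), SAMPLE_BASELINE).items():
        print(f"{key}: {names}")
```

Capture real input with `adb shell pm list packages -f -u > current.txt`. Because `pm` answers through the phone's own package manager, a compromise that already holds root can hide from it, which is why the later replies' advice to reflash the stock image is the only reliable reset.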
     
  2. Mustang02, Diamond Member (Nexus 6P/5X)

    I can't tell if this is real or fake? How do you know you've been infected?
     
  3. JohnCena, New Member (Galaxy Note 5 CDMA -- SM-N920V)

    Here is one of the verifiable forms of evidence I have. With Google's two-step verification process, after putting in the account password you are sent via SMS a randomly generated code that you need to enter before accessing your account.

    For me, I will first receive the code from the 256447 line, which is Google's; then, while the entered code is processed, I receive an identical text with the same code from 754 263-1979. I contacted Google support asking if it is their line, to which they assured me it is not. I contacted them multiple more times just to make sure. For someone to know my Google verification code they would need access to my text messages. Because I have disconnected my SMS messaging from cloud services so they wouldn't be backed up, the only possible answer is someone having access to my phone.

    They also will leave drafts such as one titled "You have received a YouTube video!", and when I looked I had a new playlist with only one song, labeled 'crazy'. One time I tried to communicate with a draft and put someone as a recipient at random; I made sure it saved as a draft. It ends up the email was sent through and the person was really confused. While messaging him on FB explaining my situation, I wrote one sentence stating "I don't think I even put your address in the recipient bar"; then, immediately after I sent it, a copy of the message was sent again but this time without that sentence. I knew I put his name in it and so did whoever is monitoring me, so they chose to correct my statement.

    I could go on about this, but I suggest just looking up the subject and also diving into the deep web a little looking for info.

    For now I just want my questions answered instead of you all inquiring about the validity of what I say is happening.

    EDIT: if you look the number up, it is a VoIP number with a Hollywood, FL area code. There is also a Whitepages page for it where people wrote reports on it, which I believe were written by the person I'm dealing with. Sounds crazy, but the reports were just saying it is Google Verification and not to worry about it, while of course Google says otherwise.
     


  4. CJM, Super Moderator / Staff Member, Rescue Squad, Premium Member (Nexus 6)

    Have you contacted Verizon to see if they can help? If the factory reset didn't work, it seems to me you need to go deeper. Maybe re-flash the phone's OS.

    Tapped from a Nexus 6
     
  5. Mustang02, Diamond Member (Nexus 6P/5X)

    I took that as it was done, but after reading it, maybe not. I don't know what the Kaspersky device nuke would do; I don't trust 3rd-party anything. I do everything manually on my phone. Grab the stock OS image and flash it.
     
  6. JohnCena, New Member (Galaxy Note 5 CDMA -- SM-N920V)

    Where can I find the stock OS image? And what exactly does flashing my device mean is happening to it?

    I also do everything manually, but I attempted it to see if, with admin access, the app would do a more thorough wipe of the device.

    Kaspersky is a Russian software security group. With the security app you are able to set up, if the device is encrypted, a data nuke to activate if the encryption password is put in wrong too many times or if you send a 12-digit PIN you created to your line. It's pretty cool; the app will also recognize when the phone is being held by the thief, then capture images of their face and send those files to your preset emails and SMS lines.
     
  7. Mustang02, Diamond Member (Nexus 6P/5X)

    I know who the Kaspersky Lab company is. Their PC antivirus used to be top notch. What I didn't know is what their device nuke does or why someone would trust it.

    You said you reset the device, what did you do exactly?
     
  8. cr6, Super Moderator / Staff Member (Galaxy S7 Edge)

    A factory data reset should have resolved this. As @Mustang02 asked, can you explain what you did exactly?

    S5 tap'n
     
  9. FoxKat, Premium Member (Droid Turbo 2 & Galaxy S7)

    Not if the RAT gained SU and flashed a modified OS or Kernel. A factory data restore would only revert back to the OS and Kernel that's stored on the NV RAM.

    I'm intrigued by all this, but just like another member who posted recently that their phone had been hacked and people were spying on them, I question just how much truth is in the information you seem to be basing your suspicions on. I'd love to actually have the phone in hand and experience first-hand what you are, not because I disbelieve you, but because I have at least a small suspicion that what you are perceiving as a hack of the phone may actually be a hack of your accounts.

    That said, it is surely not entirely impossible. One thing is for sure: if you flash a new ROM and kernel, and the phone (or accounts you access from it) continues to act as you've described, then it's most surely not the phone.

    By the way, I received a two-step verification code on my phone just a few weeks ago that was not requested by me (I don't even have two-step authorization activated), and when I contacted Google they checked their servers and confirmed it did not come from them, so you may be a victim of spoofing. I've since deleted that message, and it looked exactly like yours, including the text.

    Here are three more spoofs (unsolicited texts) I've received recently.

    [three attached screenshots of the unsolicited texts]

    Sent from my XT1585 using Tapatalk
     
    #9 FoxKat, May 5, 2016
    Last edited: May 5, 2016
  10. mountainbikermark, Super Moderator / Staff Member, Premium Member

    That second one is from Leomaster?
    I've gotten a few that look like your third one as well over the years. They were attempts by a buddy to send photos from a link.

    Support Our Troops!!!
    Beast Mode 4
    <><
     
  11. Jonny Kansas, Administrator / Staff Member, Rescue Squad (Pixel XL)

    If it is, in fact, the accounts that are hacked, it's a great idea to change passwords as well.

    Sent from my Note 4
     
  12. FoxKat, Premium Member (Droid Turbo 2 & Galaxy S7)

    Yeah, I removed the Leomaster one, thinking it might have been legit.

    Sent from my XT1585 using Tapatalk
     