JohnCena

New Member
Joined
May 3, 2016
Messages
3
Reaction score
0
Current Phone Model
Galaxy Note 5 CDMA -- SM-N920V
My device has been infected with a RAT (Remote Access Trojan) or whatever the phone equivalent is. Here is my device info.

-----------------------------------------------------------------------------

Model: Samsung Galaxy Note 5 (CDMA) (SM-N920V)
Service Provider: Verizon
Board: universal7420
Hardware: Samsungexynos7420
Total RAM: 3664MB
Internal Storage: 23.47GB
Android Version: Marshmallow 6.0.1
API Lvl: 23
Security patch level: 2016-04-02
*Ask if you need more system info*

-----------------------------------------------------------------------------

I have factory reset my device multiple times, reset then encrypted, and done a full reset from encryption to factory by using the Kaspersky device nuke security function (meant for if it gets stolen). I have scanned it with multiple top-rated virus and malware scanners with 0 results. I have scrambled all of my accounts' passwords, disconnected my accounts from all devices, enabled 2-step verification for what has it, and I have done all of this running the phone regularly and in safe mode. I have also scrambled my passwords from friends' computers, but since it logs me out on my phone when I do that, it is virtually wasted time doing so. After all of this there are still signs of infection.

With this, all signs point to a bug that gained superuser privileges and has installed itself as a system application. At least I hope that this is the case, because if it is any deeper I will probably give up and decommission my phone, which I'm paying off for another year and a half and which I morally can't cover by selling as an infected device.

I would like to obtain a list of SysApps so that I can compare my list to the day-1 list to see if I can pinpoint the location, to share the design/coding with White Hats for studying and prevention. I would also like to determine if it has only gotten as deep as a SysApp before I decide to go through the process of backing up all my data, changing the passwords on all my accounts, uninstalling/reinstalling the OS, and then transferring data back onto my device, downloading all the apps, and logging into my accounts. It would also be nice to root my phone and remove it along with all the bloatware.

Is there any way for SysApps to be hidden and not displayed in the app manager?

Is there any way this bug is located somewhere that I've overlooked and would survive what I've done, besides SysApps? If so, can user privileges access the location and remove the bug?

Thanks!


---------------------------------------------------------------------------------------------------------------------------------------------
Below details what RATs are and can do, and the terms used by ratters and their community
---------------------------------------------------------------------------------------------------------------------------------------------

I am what is known as a 'slave' for the one controlling the RAT. Generally 'ratters' have a large stock of slaves that they can monitor whenever they please. There are also black markets where ratters buy, sell, and trade slaves on the deep web. The ratters can watch what they are doing on their device(s), view their surroundings through the cameras, obtain sensitive info with keyloggers, listen in on real-time phone conversations or have them all recorded to listen to later, turn on the microphone to listen in on what's going on around the phone, record video, take pictures, take screenshots, load docs onto the device, copy/delete docs on the device, restart the device, flash images that cover the whole screen or just part of it, operate the device as if they were holding it from their PC/tablet (which lags the phone and drains the battery), and add additional tools from other viruses and remove them when they're done using them.

Ratting is used by some to gather personal info, login credentials, and media (nudes), and then use what they gathered for financial gain. However, there are some ratters who choose not to use personal info for financial gain or use compromised profiles for phishing campaigns, so that there is no hard evidence they have infected someone. This sect of ratters does make some money selling nudes, but they also harass their slaves by leaving unverifiable signs of their presence, making them believe a government agency is monitoring them, leaving messages with the victim's address or the content of private conversations, or encouraging suicide; they will also send old draft emails to whom they were addressed, open new tabs with different sites in them, and blackmail girls and sometimes guys with nudes and conversations that they say they will release unless they do sexual acts on cam for them, etc.

I'm sure with enough searching one could find a community that uses RATs for much darker reasons.
 

Mustang02

Diamond Member
Joined
Aug 8, 2010
Messages
7,534
Reaction score
5,052
Location
Ohio
Current Phone Model
Nexus 6P/5X
I can't tell if this is real or fake? How do you know you've been infected?
 
JohnCena
Here is one of the verifiable forms of evidence I have. With Google's two-step verification process, after putting in the account password you are sent via SMS a randomly generated code you need to enter before accessing your account.

For me I will first receive the code from the 256447 line, which is Google's; then, while the entered code is being processed, I receive an identical text with the same code from 754 263-1979. I contacted Google support asking if it is their line, and they assured me it is not. I contacted them multiple more times just to make sure. For someone to know my Google verification code they would need access to my text messages. Because I have disconnected my SMS messaging from cloud services so they wouldn't be backed up, the only possible answer is someone having access to my phone.

They also will leave drafts, such as one titled "You have received a Youtube video!", and when I looked I had a new playlist with only one song labeled 'crazy'. One time I tried to communicate with a draft and put someone as a recipient at random; I made sure it saved as a draft. Turns out the email was sent through and the person was really confused. While messaging him on FB I was explaining my situation, one sentence stating "I don't think I even put your address in the recipient bar"; then, immediately after I sent it, a copy of the message was sent again, but this time without that sentence. I knew I put his name in it and so did whoever is monitoring me, so they chose to correct my statement.

I could go on about this but I suggest just looking up the subject and also dive into the deep web a little looking for info.

For now I just want my questions answered instead of you all inquiring about the validity of what I say is happening.

EDIT: if you look the number up it is a VoIP line with a Hollywood, FL area code. There is also a Whitepages page for it where people wrote reports on it, which I believe were written by the person I'm dealing with. Sounds crazy, but the reports were just saying it is Google Verification and not to worry about it, while of course Google says otherwise.
 

Attachments: Screenshot_20160417-062034.jpg

CJM

Super Moderator
Staff member
Premium Member
Rescue Squad
Joined
Sep 12, 2010
Messages
10,610
Reaction score
1,752
Location
Mississippi Gulf Coast
Current Phone Model
Nexus 6
Twitter
https://twitter.com/Corey
Have you contacted Verizon to see if they can help? If the factory reset didn't work, it seems to me you need to go deeper. Maybe re-flash the phone's OS.

Tapped from a Nexus 6
 

Mustang02
I took "reset then encrypted, and full reset from encryption to factory by using the Kaspersky device nuke security function for if it gets stolen." as it was done, but after reading it, maybe not. I don't know what Kaspersky device nuke would do; I don't trust 3rd party anything. I do everything manually on my phone. Grab stock OS image and flash it.
 
JohnCena

Where can I find stock OS image? And what exactly does flashing my device mean is happening to it?

I also do everything manually but I attempted it to see if, with admin access, the app would do a more thorough wipe of the device.

Kaspersky is a Russian software security group. With the security app you are able to set up, if the device is encrypted, a data nuke that activates if the encryption password is put in wrong too many times or if you send a 12-digit PIN you created to your line. It's pretty cool; the app will also recognize when the phone is being held by the thief, then capture images of their face and send those files to your preset emails and SMS lines.
 

Mustang02
I know who Kaspersky Lab company is. Their PC Antivirus used to be top notch.
What I didn't know is what their device nuke does, or why someone would trust it.

You said you reset the device, what did you do exactly?
 

FoxKat

Premium Member
Joined
Apr 2, 2010
Messages
14,659
Reaction score
4,726
Location
Pennsylvania
Current Phone Model
Droid Turbo 2 & Galaxy S7
A factory data reset should have resolved this. As @Mustang02 asked, can you explain what you did exactly?

S5 tap'n
Not if the RAT gained SU and flashed a modified OS or Kernel. A factory data restore would only revert back to the OS and Kernel that's stored on the NV RAM.

I'm intrigued by all this but just like another member who posted recently that their phone has been hacked and people were spying on them, I question just how much truth is in the information you seem to be basing your suspicions on. I'd love to actually have the phone in hand and experience first hand what you are, not because I disbelieve you, but because I have at least a small suspicion what you are perceiving as a hack to the phone may actually be a hack to your accounts.

That said, it is surely not entirely impossible. One thing is for sure: if you flash a new ROM and Kernel, and the phone (or accounts you access from it) continues to act as you've described, then it's most surely not the phone.

By the way, I've received a two step verification code on my phone just a few weeks ago that was not requested by me (I don't even have two step authorization activated), and when I contacted Google they checked their servers and confirmed it did not come from them, so you may be a victim of spoofing. I've since deleted that message, and it looked exactly like yours, including the text.

Here are three more spoofs (unsolicited texts), I've received recently.

[three screenshots attached]


Sent from my XT1585 using Tapatalk
 

mountainbikermark

Super Moderator
Staff member
Premium Member
Joined
Sep 5, 2010
Messages
7,421
Reaction score
3,867
That second one is from Leomaster?
I've gotten a few that look like your third one as well over the years. They were attempts by a buddy to send photos from a link.

Support Our Troops!!!
Beast Mode 4
<><
 

Jonny Kansas

Administrator
Staff member
Rescue Squad
Joined
Jan 21, 2010
Messages
16,694
Reaction score
7,340
Location
Michigan's Upper Peninsula
Website
www.google.com
Current Phone Model
Pixel XL
Twitter
jonny_ks
If it is, in fact, the accounts that are hacked, it's a great idea to change passwords as well.

Sent from my Note 4
 

FoxKat
Yeah, I removed the leomaster one, thinking it might have been legit.

Sent from my XT1585 using Tapatalk
 

FoxKat
Try this...
How to Uninstall Malware from Your Android Device « Android Gadget Hacks

Based on what I'm reading, if you have a RAT, it will show on the downloads list of apps, and if it's installed as an administrator app then the uninstall button will be greyed out, further proof it's a RAT. It can be uninstalled via Safe Mode, and even if it's an administrator app, you can disable it in Safe Mode and then uninstall it.

Sent from my XT1585 using Tapatalk
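One way to do the system-app comparison the OP asked for (a current package list diffed against a day-1 list) and the device-administrator check described in the post above, as an added example that is not code from the thread. It assumes adb is installed, USB debugging is enabled, a baseline snapshot was taken on a known-clean device, and that `dumpsys device_policy` lists active admins as `ComponentInfo{<package>/<class>}` lines (an assumption about Android 6 output); all sample data in the usage comments is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Snapshot a phone's package lists over
# adb, diff a later snapshot against the day-1 baseline, and list the
# packages that hold device-administrator rights (the "greyed-out
# uninstall" case). Assumes adb + USB debugging and a clean baseline.
export LC_ALL=C   # fixed collation so sort and comm agree

# Write sorted lines to file "$1": system apps prefixed "s " and
# third-party apps prefixed "3 ", so a diff also shows which partition
# a new package landed on.
snapshot_packages() {
    {
        adb shell pm list packages -s | sed 's/^/s /'
        adb shell pm list packages -3 | sed 's/^/3 /'
    } | tr -d '\r' | sort > "$1"
}

# Packages present in the current snapshot "$2" but absent from the
# baseline "$1". An "s " line means something new appeared in /system,
# which a factory data reset alone would not have put there.
added_packages() {
    comm -13 "$1" "$2"
}

# Packages the baseline had that the current snapshot lacks.
removed_packages() {
    comm -23 "$1" "$2"
}

# Read `adb shell dumpsys device_policy` text on stdin and print the
# package names that are active device administrators. Assumed line
# format: ComponentInfo{<package>/<receiver class>}: ("ComponentInfo{"
# is 14 characters, hence the cut).
admin_packages() {
    grep -o 'ComponentInfo{[^/}]*' | cut -c15- | sort -u
}

# Typical use against a live phone (not run here):
#   snapshot_packages day1.txt      # on the known-clean device
#   snapshot_packages today.txt     # after the suspicious behaviour
#   added_packages day1.txt today.txt
#   removed_packages day1.txt today.txt
#   adb shell dumpsys device_policy | admin_packages
```

Any package that shows up in both `added_packages` output and `admin_packages` output is the first thing to look at in Safe Mode, since an admin app must be deactivated before the Uninstall button works.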
 

Mustang02
As am I. I've never seen or heard of anyone on Android being infected like this. Most look like malware from going to a bad site, sideloading apks, or installing something that had malware in it.
 