Phone hacked (repurposed) by spyware – for real!

Edit: Or maybe it's just a very weird bug – see my second post further down. :cautious:

Not going to risk it either way though!

...

I was going to send my wife a text when my phone was about to die, so I clicked on my Google messenger app, but instead of it launching as normal, I was prompted for a supposed update to the Samsung messenger app. As soon as I clicked allow or accept or whatever, my phone took a picture through the camera app completely by itself (through no prompt from me), loaded up the messenger app, and appeared to be going to send the just-taken picture to one of my recent message contacts, though not my most recent one. By this point I was holding the power button and had force-powered off the phone.

I'm a very security-conscious person and have worked professionally in IT-related cyber security in the past. I do not visit questionable sites on my phone nor install third-party apps from untrusted sources, nor any third-party apps on this particular phone, for that matter.

The contact I mentioned earlier that the picture looked like it was being sent to? My father who works in the aerospace industry. Hopefully his phone hasn't also been compromised. Many years ago (like two decades worth now) I received a phishing message that appeared like it was from him via MSN Messenger, which this current event reminds me of.

So the (mostly rhetorical) questions are:
Do I factory reset and root the phone and install pure Android on it direct from Google, assuming I can and the phone will still work with my provider?
Leave the power off and hand the phone over to security experts (this is a personal phone that does not contain any highly sensitive information)?
Was I, this phone, or my father specifically targeted and if so by whom and for what reason?
This is what I saw unfolding live with my own eyes – what else may have happened that I haven't seen?
Should I just get a "dumb" phone since that's all I really need anyway in a personal phone (I have other mobile "smart" devices I don't use as a personal phone)?

Either way, I thought this might serve as a good warning to my fellows on the forums here that these sorts of things can and do happen, even to us security-aware types.

Cheers.
 
Hi. Nice to see you but sorry to hear about this. I believe there have been some Google/Android hacks around in the news:

Samsung, Huawei, and Google Phones Vulnerable to Zero-Day Bug

October 7, 2019
10:46 am

A newly-discovered bug has left at least 18 widely-sold Android phones open to hackers, including the Samsung S9 and Google Pixel 2 series.
The bug is known as a zero-day vulnerability, meaning that Android-owner Google was blissfully unaware of its existence until about a week ago. What's worse is that the bug is currently being exploited by hackers — including, allegedly, by Israeli cybersecurity NSO Group.
 
Do I factory reset and root the phone and install pure Android on it direct from Google, assuming I can and the phone will still work with my provider?
Leave the power off and hand the phone over to security experts (this is a personal phone that does not contain any highly sensitive information)?

If it were a PC, I'd wipe every storage device attached to it, erase and reflash all firmware ROMs, and load my last known clean backups.

Since I know considerably less about phones, I'd probably just physically destroy the phone and reset the passwords of any accounts I'd ever accessed with it...unless I was curious enough to want some data forensics done on it.

Was I, this phone, or my father specifically targeted and if so by whom and for what reason?

Statistically, almost certainly not, but you'd know better than we would if there was reason someone would want to.

This is what I saw unfolding live with my own eyes – what else may have happened that I haven't seen?

Potentially anything the phone has been in a position to record could have been sent to a third party.
 
Thanks for the responses. I did a bit more looking around and it looks like there might be a chance (my instincts tell me it's a rather slim chance, but nevertheless...) it's related to a very weird bug or set of bugs between the Samsung messenger app and my particular service provider. Naturally I'm not going to risk it either way though, as of course this did behave very much like some sort of issue with trojan spyware.

This makes me wonder though if it might be a misbehaving backdoor emergency "feature" built into the software/firmware. Even if it is just a bug, I certainly don't want my phone taking pictures and sending them to people on my contacts list or people I've had text conversations with by itself! My goodness.

Cheers.
 
Just to let you guys know, earlier that same day I was able to get a hold of my wife via e-mail from a different e-mail address of mine and have her call my father to let him know not to click on any weird links or attachments I... my phone might have sent him.

I'm still not entirely sure what I'm going to do with the phone (bin it, keep it around for spare electronic components to tinker with, or whatnot), though I did go ahead and factory reset it and through some roundabout methods I was able to unpair it from my Google account (disable FRP Lock) by setting up a temporary wi-fi network and password for my Google account while limiting the phone's other cellular and internet connectivity. I've also changed other relevant passwords and such.

I probably have it a bit easier than others would in this regard since my various accounts and the like are already fairly compartmentalized/isolated and I don't use things like mainstream social media platforms.

Happy trails. o7
 
Lacking the relevant expertise, I stick to dumb phones exclusively. The cheapest ones available. I usually buy a pair at a time, so there's a spare battery and extra compatible charger.

It has reduced my targetability as a robbery victim too.

This simple approach isn't suitable for most people though.
 
Not a bad idea, especially considering I don't use the social media apps and the like anyway.

Right now I'm looking at maybe picking up the Nokia 3310 3G. It has rudimentary internet browsing capabilities and a very basic 2MP rear camera, which I suppose might be handy in a pinch, but other than that it seems like an alright "dumb" phone. Even if I don't settle on it, it might be nice as a backup. The main downside of it though is that I'm not sure how long 3G GSM will be supported on mobile networks here in the States.

Having looked into it a bit, I'm rather surprised by the relative lack of decent "dumb" phones out there these days. Something like the newest version of the Nokia 105 (2019 model) isn't offered in the States, for example, and appears to only support 2G. Of the handful of "dumb" phones on the market here, the majority seem to be made by less well known brands and aimed at the elderly.

Taking a step back, I do kind of wonder how long rectangular touch screen mini tablets will stay in fashion. Nothing against them in particular, it just seems a little bizarre to me that there isn't much more on offer from the big names, all offering more or less the same sort of thing just with different specs on the internals and cameras. Oh, and bezels; I forgot about bezels.

The serving of irony here is laid on rather thick... :giggle:


"First world problems," or something like that, I guess.

Cheers.
 
They also wanted to hack my phone the other day through one application. They wanted to hack me when I played in an online casino at ilucki.com. I am very disappointed with the security of this application. I will seek protection from such attacks.
 
you did the right thing but, still, that behavior sounds like a really odd hack, either the supposed trojan was malfunctioning or was more like trolling than a serious threat. why would a trojan reveal itself just for sending a random picture to a random contact? might be just an attempt at spreading, but very poor at that.

can you reproduce that behavior? are you sure it wasn't a misclick or that you just had wet hands?

that said ... no, no phone available to the public can be trusted nowadays. handle with extreme care and suspicion, and never ever have anything sensible on it (makes me cringe whenever i see someone paying for stuff with their phone). i have a 'secure phone' (as for business standards) and i haven't even set up a pin, there will never be anything here i need to protect, because i know very well i couldn't.
 
I agree it was very strange, and no, I had dry hands and wasn't fumbling around on the phone and the like. I've seen my share of buggy malicious type software in testing, so I'm not too surprised by that aspect of it, though it might just be a bug in the phone's stock app and firmware. Seems like an oddly specific one though with some high functionality if it can launch the camera app by itself, take a picture by itself, then attach it to a message by itself in another app.

I don't know for sure either way what the cause was, but yeah, I can't really trust it.
 
Lacking the relevant expertise, I stick to dumb phones exclusively. The cheapest ones available. I usually buy a pair at a time, so there's a spare battery and extra compatible charger.

It has reduced my targetability as a robbery victim too.

This simple approach isn't suitable for most people though.

I used to use the two wallet trick in properly scary places. You have your real wallet with important stuff in it stuck somewhere other than a back pocket, and a second cheap one with a bit of local currency and random store cards with no personal details at all.

In the event of getting mugged, just give them the cheap wallet: they make a bit of a profit, you don't lose anything worth having.
 