
Malware/MitM/remote root that survives reset & new phone?

Moto0hno

Newbie
So this is sort of an ongoing issue I've had for a while. Now that I think back, my (Cricket BL-locked) Moto G7 Supra (Power) running unrooted Android 9 has been compromised for a while. It started out small and rather unnoticeable: a freeze here, a couple of ads there. I didn't really notice or put two and two together at first.

Then maybe 6 weeks ago or so things started to ramp up almost exponentially. I noticed what seemed to be more ads, then came Chrome reverting to an earlier version (53), certificates coming across as legitimately signed but for incorrect domains; shortly thereafter more and more apps began disappearing from the home screen and app drawer, only to reappear like nothing had happened, but I'd been logged out and they were all older versions and began updating themselves. Some apps/Android features flat out stopped working.

Now, about two or three weeks ago, I noticed a couple of times that apps which would tell me I'm connected from Android 9.0 Pie are saying I'm connected via 'Android 6.0.1 Marshmallow/AppleWebKit/Safari(version)/Chrome 53.x', etc. etc., just completely wrong. The first time I saw it I brushed it off, but it persisted, and then came the disappearing act of my notifications despite everything in settings looking normal. I've nearly stopped receiving calls and texts, friends and family asking why I'm ignoring them when I didn't get anything; my data is through the roof, my bill is much higher even though I'm on Cricket's unlimited data plan.

I've lost access to my original Gmail account and with it nearly 8 years of contacts and info, and one more after that I created. I performed a hard reset and it survived. I turned Auto sync and backup off after the reset, turned off Admin rights for the Find my Device, Google Pay, and 'Screen Lock Service' apps, and tried a reset again to no avail. Exhaustingly, after that I just sent my phone in for a replacement, to find the same issues again. Basically my entire phone and online presence has been owned.

At this point I need to flash my firmware back to stock, I believe. I don't even know if that'll do it, but it's the last card I have to play. And yet, wouldn't you know, not only is my bootloader locked to Cricket, they won't give me the unlock code. Their website says they'll give it over after the device you're using has been activated for 6 months. I just replaced my old phone under warranty a week ago.

Not only that, my VPN log, which I view in real time watching it speak with the net, now tells me that CHILD_SA_android{1} establishes a connection with my phone for 31 million seconds before having to reauth, and my IP all of a sudden changes from the VPN version to something completely different? This is a tiny snippet from the log. I can get more; I just wanted to show the device that's changing my DNS settings and setting up a proxy, which is apparently cool with the VPN after it basically grabs a handshake with my phone.

Nov 2 03:34:12 15[NET] sending packet: from 10x.xxx.xx.xxx[41762] to 199.187.209.28[4500] (265 bytes)

I nearly forgot the app permissions. They're ridiculous; nearly every app I have now has some insane access, everything you'd normally expect all the way to detecting/making and recording/saving (I forget the terminology) phone calls and texts, receiving coarse and precise GPS regardless of my turning it off, read/write all storage, detect and 'communicate with' other devices around me. The list goes on and on, things I didn't even think were possible. I've not rooted my phone but it has complete root access.

This is much longer than I intended, but I've Googled everything I can think of, I've reset my phone multiple times, called and went in to see Cricket, and even sent for a replacement phone, and nothing had changed. I'm at my wit's end; I could use some help before I throw this thing in a ditch and go completely analog and live in the woods Survivorman style. Thanks for reading and sticking with me to the end.
 
I'm very curious about something, namely the timeline from getting the replacement to finding it affected by the same problems. How quickly did that happen? And which Google account did you use when setting it up?

The replacement phone began showing the same issues essentially right after setting it up, which really surprised me. I ended up creating an all new Google account for the device thinking that might help somehow. It didn't 😶
 
Thanks for the replies, I installed and ran Root Checker and it tells me I do not have root access. So, if Cricket won't grant me the bootloader unlock code, is there a workaround to root the device and flash the stock firmware? I've contacted Motorola in hopes they might have the ability and ran into a dead end there as well.
 
This sure sounds strange.

The first thing you mention is a few random ads appearing.

Let's start there.

There are only a few ways for malware to get onto an android- you install it or an app installs it.

So, you need to find it, and then figure out where it came from.

Finding it is easier than you may think.

Go into: (Your device options may differ, but the functions are the same.)

Settings
Apps
All Apps

Now scroll all the way to the very bottom of the apps list.

If you see ANY unnamed apps and/or apps without some sort of icon (apps without icons will not show up in your app drawer), then these are most likely your problem.

Force stop these things immediately.

Now look at their permissions, data used, memory usage, etc.

Uninstall these things.
I have never seen a legitimate app without an icon.

Now go into your file manager and search through the internal memory files inside the Android folder.

Look carefully for anything that you don't recognize. (This is tedious, but files can hide even after uninstalling an app.)

Yeah, there is some danger of eliminating files that your wanted apps may need, so you might want to rename them instead of deleting them.
Rename them, just add a 1, 2, 3, etc. or something within the name, so that:
A. You can leave it right there, in the folder where it goes.
B. It won't be recognized or used by any malware.
C. If it turns out you need it, you can just rename it back to the original, and it's good as new.

Now use your square button and clear your recent apps, then restart the phone.

When the phone reboots, check everything and see if it worked.

Hopefully solves your problem.
It is possible that your old phone was just returned right back to you if it passed some rudimentary testing on the company's part.

If all else fails, a good, cheap phone can be had at Wal-Mart for about $40.

It is possible that you can even find one that is compatible with your Cricket program.
Most companies will let you bring a compatible phone over to their system.
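For anyone who would rather do the "scroll to the bottom of All Apps and read each app's permissions" check from a PC than by tapping through menus, here is an added example (mine, not from this thread or any poster): a Python script that parses text captured with adb and flags user-installed packages that have no launcher icon, or that hold several of the permissions the original poster lists (calls, SMS, location, storage). The adb commands are in the docstring; the three sample captures are constructed and abridged, and the SENSITIVE list and the threshold of three permissions are my own choices.

```python
"""Offline audit of user-installed Android apps from captured adb output.

Added example reproducing the thread's manual check (apps with no launcher
icon, then their permissions) over text saved from these adb commands, run
from a PC with USB debugging enabled on the phone:
  adb shell pm list packages -3
  adb shell cmd package query-activities --components \\
      -a android.intent.action.MAIN -c android.intent.category.LAUNCHER
  adb shell dumpsys package <package>     # once per third-party package
"""
import re

# Permissions behind the symptoms in the thread (calls, SMS, location,
# storage, overlays, sideloading). Real permission names; my selection.
SENSITIVE = {"android.permission." + p for p in (
    "RECORD_AUDIO", "READ_CALL_LOG", "PROCESS_OUTGOING_CALLS", "READ_PHONE_STATE",
    "READ_SMS", "RECEIVE_SMS", "SEND_SMS", "READ_CONTACTS",
    "ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION", "READ_EXTERNAL_STORAGE",
    "WRITE_EXTERNAL_STORAGE", "SYSTEM_ALERT_WINDOW", "REQUEST_INSTALL_PACKAGES")}
PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
GRANT_RE = re.compile(r"^\s*([\w.]+\.permission\.\w+): granted=true")

def parse_package_list(text):
    """'package:com.foo' lines from `pm list packages -3` -> set of names."""
    return {ln.split(":", 1)[1].strip() for ln in text.splitlines()
            if ln.startswith("package:")}

def parse_launcher_packages(text):
    """'pkg/Activity' lines from query-activities --components -> the
    packages that really have an icon in the app drawer."""
    return {ln.strip().split("/", 1)[0] for ln in text.splitlines() if "/" in ln}

def parse_granted_permissions(text):
    """dumpsys package text -> {package: set of permissions with granted=true}."""
    granted, current = {}, None
    for ln in text.splitlines():
        m = PKG_RE.match(ln)
        if m:
            current = m.group(1)
            granted.setdefault(current, set())
            continue
        m = GRANT_RE.match(ln)
        if m and current:
            granted[current].add(m.group(1))
    return granted

def audit(pm_list, launcher_components, dumpsys, min_sensitive=3):
    """Flag third-party apps with no launcher icon, or holding at least
    min_sensitive of the SENSITIVE permissions. One dict per package."""
    visible = parse_launcher_packages(launcher_components)
    granted = parse_granted_permissions(dumpsys)
    report = []
    for pkg in sorted(parse_package_list(pm_list)):
        sensitive = sorted(p.rsplit(".", 1)[1]
                           for p in granted.get(pkg, set()) & SENSITIVE)
        no_icon = pkg not in visible
        report.append({"package": pkg, "no_launcher_icon": no_icon,
                       "sensitive": sensitive,
                       "flagged": no_icon or len(sensitive) >= min_sensitive})
    return report

# Constructed sample captures (not from the thread's device).
PM_LIST_SAMPLE = """\
package:com.example.weather
package:com.example.notes
package:com.vwxyz.svc
"""
LAUNCHER_SAMPLE = """\
com.example.weather/.MainActivity
com.example.notes/com.example.notes.ui.Home
com.android.settings/.Settings
"""
DUMPSYS_SAMPLE = """\
  Package [com.example.weather] (3f2a1b):
      runtime permissions:
        android.permission.ACCESS_COARSE_LOCATION: granted=true, flags=[ USER_SET ]
  Package [com.example.notes] (8c9d0e):
      runtime permissions:
        android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET ]
        android.permission.WRITE_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET ]
  Package [com.vwxyz.svc] (1a2b3c):
    install permissions:
      android.permission.RECEIVE_BOOT_COMPLETED: granted=true
      runtime permissions:
        android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
        android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
        android.permission.READ_CALL_LOG: granted=true, flags=[ USER_SET ]
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
        android.permission.READ_PHONE_STATE: granted=false, flags=[ USER_SET ]
"""

if __name__ == "__main__":
    for row in audit(PM_LIST_SAMPLE, LAUNCHER_SAMPLE, DUMPSYS_SAMPLE):
        mark = "!!" if row["flagged"] else "  "
        print(mark, row["package"], "no icon" if row["no_launcher_icon"] else "icon",
              ", ".join(row["sensitive"]))
```

Two limits are worth keeping in mind. The `-3` filter lists only user-installed packages, which is also all the Settings menu check above can reach: anything that genuinely survived a factory reset would have to live in the system image or be re-installed through account restore, and neither shows up here. And a third-party package with no launcher activity is not automatically malicious (keyboards and plug-in apps are legitimate examples), so treat the flag as a triage list whose permissions you then read, not as a verdict.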
 
A few more things:

If you are using a launcher other than what came with the phone, it could be an issue.

Launchers have a ton of scary permissions, and basically have control of your entire device.

Stay away from any apps from CM, Cheetah Mobile, or UC.
These apps look very cool, but are very shady and have been in trouble in the past.

If you must use an aftermarket launcher, then use a FOSS app instead.
FOSS means Free Open Source Software.

While you are at it, you could ditch Chrome as well.

There are many better browsers that are faster and more private.

FOSS apps can be found en masse on F-Droid, an alternative app store that deals exclusively in such apps.
 
A few more things:
If you are using a launcher other than what came with the phone, it could be an issue.
Launchers have a ton of scary permissions, and basically have control of your entire device.
Stay away from any apps from CM, Cheetah Mobile, or UC.
These apps look very cool, but are very shady and have been in trouble in the past.
If you must use an aftermarket launcher, then use a FOSS app instead.
FOSS means Free Open Source Software.
While you are at it, you could ditch Chrome as well.
There are many better browsers that are faster and more private.
FOSS apps can be found en masse on F-Droid, an alternative app store that deals exclusively in such apps.
 
If CM do a launcher then I'd avoid it, as I'd avoid anything from them. But decrying third party launchers generally is pure scaremongering with no basis in fact.

What you may not realise is that the majority of long-standing members here use third party launchers, or have done so for long periods, with only positive results.
 
If CM do a launcher then I'd avoid it, as I'd avoid anything from them. But decrying third party launchers generally is pure scaremongering with no basis in fact.

What you may not realise is that the majority of long-standing members here use third party launchers, or have done so for long periods, with only positive results.

I only warn against launchers that are not FOSS.

Believe me, I have tried many, many launchers.
I have a very specific list of needs and wants from a launcher.

These should not be hard to accomplish, but sadly they really are.

And no launcher with analytics or ads is going to cut it.

So if you reread my post, you will see that I specified that FOSS is best, but that if you really want something with more bells and whistles- stay far away from anything made by CM.

It appears that you agree with that, so obviously you know exactly what I am talking about.
 
If you must use an aftermarket launcher, then use a FOSS app instead.
That's really a matter of personal taste, isn't it? :)

I'm one of the "majority of long-standing members" @Hadron mentioned who uses third-party launchers and, as he noted, with only positive results.
FOSS means Free Open Source Software.
As a very early adopter of Linux (as in 1991, its epoch), I'm keenly aware of free--in every sense--open source software. But that doesn't mean I'm against paying for software.

As a totally Micro$oft-free person, I've never had to pay for my OS (well, I used to be stuck paying the 'Microsoft tax' on new computers, i.e., having them arrive with window$ pre-installed, which I immediately zapped; my most recent computers came with Linux installed--bye bye M$ tax!). Anyway, although my OS, Kubuntu Linux is free, I regularly donate to support it.

I pay for the Android apps I use because I like rewarding talented developers for the knowledge, time, creativity and effort it takes to make a great app. Plus...I don't do ads. :D
FOSS apps can be found en mass on F-Droid, an alternative appstore that deals exclusively in such apps.
Most of us old-timers are very familiar with F-Droid, and have nothing against it. Again, it all comes down to personal taste.
 
Thanks again to everyone who's replied in trying to help. I'm facing a rather tough obstacle now and wondering if anyone has experienced this before or knows a workaround.

My wireless carrier (Cricket US) is withholding my BL unlock code, and Motorola was of no assistance either in obtaining this to be able to gain root access and install a custom ROM or flash firmware.

Has anyone experienced this with Cricket or any other carrier and found a way to force an unlock?

I'll absolutely be switching to another wireless carrier as soon as I'm able, and a word of forewarning to anyone thinking of using this service: don't. They're not worth the (practical lack of) customer support, not to mention the persistent throttling.
 
my bootloader locked to Cricket, they won't give me the unlock code. Their website says they'll give it over after the Device you're using has been activated for 6 months. I've just replaced my old phone by warranty a week ago.
From your remarks about their *cough* 'customer service,' this may go nowhere, but...

You might want to speak to a person, and immediately ask for a supervisor. They're going to ask what's up. Tell them. Then ask for a waiver on that 6-month-device-possession-thing. Stress that if not for JUST getting a replacement, you would've met that requirement. It's just a technicality! Help them see that they should honor it. :) If they say they can't help, move up to a supervisor.

The thing is, I'm not sure any of that will help. I've just reviewed this thread, and your issue seems much farther-reaching than wiping a device will solve.

You said that you lost access to your original gmail account, and its 8 years of data. But how did you lose access? Please tell me exactly what you've tried and what the results were.

You've also said that your "online presence has been owned." In what ways, exactly, do you mean? Were your social media accounts hijacked? Have any bank accounts or credit cards been affected? Please tell us very precisely what you mean.

As for Cricket, I have no personal experience with them, but I can highly recommend Consumer Cellular. I switched to them early this year, after being with AT&T since the '90s. I know CC is associated with old geezers (like me!) but, seriously, their pricing is great and their all-US based customer service is stellar. I can't speak for their unlimited plans, possible throttling/capping/any stuff like that, as I neither have nor need unlimited use. I can say that what I'm paying for the plan I do have is almost unbelievably low. :o

Also, all of my smartphones have been Motorola. Just wanted to toss that out there.
 
That's really a matter of personal taste, isn't it? :)

I'm one of the "majority of long-standing members" @Hadron mentioned who uses third-party launchers and, as he noted, with only positive results.

As a very early adopter of Linux (as in 1991, its epoch), I'm keenly aware of free--in every sense--open source software. But that doesn't mean I'm against paying for software.

As a totally Micro$oft-free person, I've never had to pay for my OS (well, I used to be stuck paying the 'Microsoft tax' on new computers, i.e., having them arrive with window$ pre-installed, which I immediately zapped; my most recent computers came with Linux installed--bye bye M$ tax!). Anyway, although my OS, Kubuntu Linux is free, I regularly donate to support it.

I pay for the Android apps I use because I like rewarding talented developers for the knowledge, time, creativity and effort it takes to make a great app. Plus...I don't do ads. :D

Most of us old-timers are very familiar with F-Droid, and have nothing against it. Again, it all comes down to personal taste.

As long as you consider your privacy and online safety to merely be subjects of 'personal taste', then I guess so.

But there are many out there that do not grasp that a launcher, hmmm, such as Apex Launcher*, which is a great launcher (at least the 3.3.3 version was), can show only a 30MB memory usage- and yet when you put it on a more modern device that will give better detailed info you find that although the launcher itself only uses a nominal amount of memory, the stupid Google analytics in it are using 200MB constantly- 24-7.

This may not be an issue for someone that has no worry of what Google might be doing with this load of info, especially if one has a powerful device.

But what about someone who has an entry level 1 or 2GB phone?

So it would be much smarter, safer, better for your battery life, and make your device more efficient to not have all this useless-to-the-user hidden rubbish running in the background, only because you wish to see some fancy stuff when the screen activates.

For those that can deal without a bunch of bells and whistles, and want a fast, efficient device, I recommend KISS.

*I used to love Apex Launcher. I found it after an extensive trial and error period of testing launchers.

Until I found out about its background activities I had it on all my devices, and even recommended it to others.

I always thought that the devices were junk, and that is why they were always crashing or freezing up.

Now that I am rid of that sort of ilk, all my devices are virtually crash free and many times faster.
Battery life has very noticeably increased.

And one more detail- paying for apps is fine, the devs need encouragement and to make a living.

But just because you pay for an app does not mean that the analytics built into them is eliminated or stops.

If one would use Blokada or NoRoot Firewall it would become obvious just how many times apps 'call home' and broadcast God knows what to God knows where.
 
Thanks again to everyone who's replied in trying to help. I'm facing a rather tough obstacle now and wondering if anyone has experienced this before or knows a workaround.

My wireless carrier (Cricket US) is withholding my BL unlock code, and Motorola was of no assistance either in obtaining this to be able to gain root access and install a custom ROM or flash firmware.

Has anyone experienced this with Cricket or any other carrier and found a way to force an unlock?

I'll absolutely be switching to another wireless carrier as soon as I'm able, and a word of forewarning to anyone thinking of using this service: don't. They're not worth the (practical lack of) customer support, not to mention the persistent throttling.

Figure out which system Cricket operates on.

It will be either what AT&T uses or what Verizon uses.

Get a different phone that will work with Cricket, but is also compatible with whatever service you may switch to.

This allows you to pick out a device that has and does what you want, fits inside your price range, and allows you to switch later on without having to deal with a device that 'came with the plan'.

These phones are generally equivalent to the prize in a box of Cracker Jacks or a box of cereal, compared to what you could get for a very reasonable price elsewhere.
 