
Help Tablet has Been Hacked.... need help deciphering log..

Ruffjock

Lurker
Today I believe my Samsung Tab-A, which is rooted, was hacked... out of the blue the screen popped on and for several minutes I just watched but couldn't see anything being done as the last app I had used was still on the screen. I then opened my CatLog app and watched. I finally disconnected my wifi network a few minutes in but I believe the damage had already been done. Here is the log file from the moment my tablet was accessed.

I am an Android newbie, but consider myself pretty tech savvy. I believe this tablet has been or is scheduled to be "provisioned" and "managed". Does anything stick out to anyone familiar with this? Can you tell what was done or how I would go about reversing it? I installed Avast but it didn't find anything.

Thanks for your help.

I am attaching the Dmesg, Event, Last_Kmsg, and Pstore_console files......
 


Are there any other indications your Tab A has indeed been compromised? If that example of the screen waking up by itself is the only real indicator, this sounds more like just some app got triggered into taking your device out of its sleep mode. I'd do a restart and then if the same thing occurs at least you know this could be something that needs to be looked into as opposed to just some one-off glitch. Has this happened previously or was today the first time? Have you installed any app that might be something that does any kind of auto-update or done anything like shorten the time for your email app to check for new messages?

Regarding your tablet being rooted, how did you go about rooting it? Using the Odin utility and a custom Recovery like TWRP, or one of those one-click rooting apps like Kingo or Kingroot? The former is typically a safer method, the latter often involves the cruft that those one-click wonders tend to install that do things like add ad popups, change your browser home page, data mine your device, etc. -- things that typically use up system resources of their own (and could be responsible for waking up your device) unless you take the time to delete them right off.
 
Is this an 8" or a 10" Screen Tablet, so I can move this to the appropriate device section.
 
This happened shortly after using the RingCentral cloud meeting app. There is no doubt after reading over the log files that this person hacked and has continued to hack and install now over 213 system apps. Every day there are more new ones I can’t keep up.

Also I’m not sure how the tablet was rooted, I had One Click Root.com. Do it for

Also this is a 10” tab-A
 
Turn off WiFi to cut off your Tab A from any online access and remove those system-level apps that were installed by that alleged 'hacker'. Another issue you have to address is to clean up whatever crap that one-click rooting app installed -- almost all the popular one-click rooting apps are sourced out of China and compromised telemetry is a very common issue when you use them. Regarding AV apps like Avast, whether your device is rooted or non-rooted, they get installed as a user-level app, which also means if you're going to rely on them to protect your device you need to keep in mind that user-level apps have only specific, very limited access to system-level processes. So any AV app will have full access to the user data partition (user-level permissions) but very little access to the operating system partitions (system-level permissions). So at this point you need to just hunker down and manually clean up your tablet, and don't forget when you root your device that gives not just you more access to the operating system but also others.
Once you do get all those apps uninstalled, turn WiFi back on and install AFWall+, a root-required firewall app, from the Play Store.
https://play.google.com/store/apps/details?id=dev.ukanth.ufirewall&hl=en_US
It will require a little effort to configure it and set which apps and services you want to get WiFi and/or cellular connectivity but once set up it's a good way for you to manage your tablet's online connectivity. Note that root-only firewall apps are able to access iptables, the integral firewall that's a part of the Linux kernel itself. So a firewall app like AFWall+ gives you more ability to more system-level processes than if you use one of the other non-root firewall apps (that don't have any access to iptables and rely on a workaround, the resulting issue being full access to user-installed apps, very limited access to system-level apps/services.)

All of this is quite involved so another option is to back up all your saved files and data, do a Factory Reset (clears the user data partition), and re-flash with an appropriate Samsung stock ROM (writes over the multiple system partitions). This returns your tablet to its original, non-rooted state, the benefit being any exploit whether installed on the user partition or one of the system partitions will be gone.
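
Added example, not part of any post in this thread: the reply above separates apps on the user data partition from apps on the system partitions. This shell sketch sorts `pm list packages -f` output by install path and lists packages absent from an earlier baseline snapshot; the snapshot file names and the sample package names are constructed, and taking the baseline right after a stock re-flash is an assumption.

```shell
#!/bin/sh
# Snapshots come from: adb shell pm list packages -f > current.txt
# Each line has the form  package:<apk path>=<package name>

# classify_packages FILE -> "<partition>\t<package>\t<apk path>" per line
classify_packages() {
    awk '
    /^package:/ {
        line = substr($0, 9)                  # drop the "package:" prefix
        # The APK path can itself contain "=" (randomised /data/app dirs),
        # so split on the LAST "=" rather than the first.
        n = 0
        for (i = length(line); i > 0; i--)
            if (substr(line, i, 1) == "=") { n = i; break }
        if (n == 0) next                      # malformed line, skip it
        path = substr(line, 1, n - 1); pkg = substr(line, n + 1)
        if (path ~ /^\/data\//) part = "userdata"
        else if (path ~ /^\/(system|system_ext|vendor|product|odm)\//) part = "system"
        else part = "other"
        printf "%s\t%s\t%s\n", part, pkg, path
    }' "$1"
}

# new_since_baseline BASELINE CURRENT -> rows of CURRENT not named in BASELINE
new_since_baseline() {
    tmp=$(mktemp)
    classify_packages "$1" | cut -f2 | sort -u > "$tmp"
    classify_packages "$2" | awk -F '\t' -v base="$tmp" '
        BEGIN { while ((getline p < base) > 0) seen[p] = 1 }
        !($2 in seen)'
    rm -f "$tmp"
}

# Constructed sample snapshots (not taken from the tablet in this thread).
demo() {
    d=$(mktemp -d)
    cat > "$d/baseline.txt" <<'EOF'
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/app/Example/Example.apk=com.example.preloaded
EOF
    cat > "$d/current.txt" <<'EOF'
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/app/Example/Example.apk=com.example.preloaded
package:/system/app/Added/Added.apk=com.example.addedsystem
package:/data/app/~~Zm9v==/com.example.userapp-YmFy==/base.apk=com.example.userapp
EOF
    new_since_baseline "$d/baseline.txt" "$d/current.txt"
    rm -rf "$d"
}
demo
```

Rows marked `userdata` are the ones a Factory Reset clears; rows marked `system` persist until the system partitions are rewritten.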
 
I moved your thread here for now, if you give me the exact model I'll be able to move it to the proper channel, cheers
 