Android System Modified??

[dustin69]

I believe that my Android system might have been sabotaged and modified. I had a friend stay the night at my house and I did not put my phone away or hide it. It was left out all night while I slept and I believe that he accessed the phone and modified the system partition to create a remote access "Spy" gateway. I would like to know what tools/options are available to check for this and also to remove such spying software and restore the phone. Right now I do not have the phone rooted nor do I have access to a computer which I can install the Android SDK and Java JRE which I would need in order to root this phone (The Huawei Activa 4g) I do not want to just reverse this process but I want to figure out and establish to myself that it has been done or not so that I will know whether to trust this individual in the future. When you click on the Battery Usage the phone displays "ATF_Daemon" or something that I can't catch for a split second before showing it as Android System, which usually uses most of the battery. Any information on this matter would be very much appreciated.

2h 54m 49s on battery
Android System 88%
Maps 6%
Cell standby 4%
Display 2%

Also, the phone has already been factory reset but I do not believe that removed any of the "Spy"ware because if the ROM had been flashed or the system partition modified then a Factory Reset would not address these issues. The individual, I forgot to mention, had a laptop with him which would have easily granted him ADB access and all that good stuff. To note, information shown in "About phone"

ERI version: 1357
Model number: HUAWEI-M920
Android Version: 2.3.6
Kernel version: 2.6.35.11
(I do not believe this phone shipped with these Android/Kernal versions also?)
Build Number: M920V100R001C177B322SP11

(To note: Maps is using 6% of the battery and I have not ran it since reboot)

Android system shows these packages:
Fota Client
VPN Services
com.qualcomm.privinit
Security
Google Backup Transport
Android System
com.android.qualcomm
Settings
Status Bar
Settings Storage
Account and Sync Settings

IMEI: *(REMOVED OF COURSE)
Wi-Fi MAC Address: Unavailable
Bluetooth Address: Unavailable
Up time: 2:45:04
ICC ID: *(WHAT IS THIS -- IS IT SENSITIVIE TO POST????)

2h 54m 49s on battery
Android System 88%
Maps 6%
Cell standby 4%
Display 2%

 

[Hadron]

Hi Dustin,

I'm not sure why you believe that this "friend" has hacked spyware into your /system. Is it because you think that android system is using more power than usual? Remember that those are percentages, so if the phone is left screen off and idle system processes will show a high fraction. And the word "daemon" doesn't imply anything - in Linux speak a background system process that provides or monitors a particular service is a "daemon".

I can't confirm the precise os/kernel versions your phone would have come with, but who would upgrade those? That phone would have come with some 2.3 version.

The main thing is that adb does not give write access to system on an unrooted phone. So unless you are worried that he rooted the phone, installed spyware to system, then covered his tracks (e.g. by removing the superuser app) , I don't see how it could be done. If you want, try installing superuser from the Play Store - if the SU app works (type "su" in a terminal emulator and see whether it pops up and succeeds in granting permissions) then the system is rooted. Otherwise I think this is very unlikely.

 

[dustin69]

Android System using more power than usual is not my basis for beliving the Android system/kernal has been modified. Also I think this phone came with Android version 2.3.3. if I recall correctly. Right, I do know that daemon basically means system service but why would the phone display that and then switch to Android system? Also, there is an app in the Play Store that is called "Network" and when you launch it it displays "Unknown" in a grey box, which I believe this app is 'supposed' to indicate informations about your connection. Is there a way we can check the Android version that came from the phone maybe email the manufacturer? Just a thought.. I'm looking for ideas to figure this out. Also, I do believe that he could of very well rooted the phone and then unrooted it. Like I said, I was asleep that night for a good 8 hours and that would have been more than plenty of time to do whatever to the phone. I have not checked the Super User app on the phone but I did run Root Checker and it indicated the phone was not rooted, which is not a surprise but like I said given the time he would have had with the phone does not eliminate the possibility of what I believe. Also, if I rooted the phone myself what could I do to check the presence of modified system / kernal files?

 

[Digital Controller]

Android System using more power than usual is not my basis for beliving the Android system/kernal has been modified. Also I think this phone came with Android version 2.3.3. if I recall correctly. Right, I do know that daemon basically means system service but why would the phone display that and then switch to Android system? Also, there is an app in the Play Store that is called "Network" and when you launch it it displays "Unknown" in a grey box, which I believe this app is 'supposed' to indicate informations about your connection. Is there a way we can check the Android version that came from the phone maybe email the manufacturer? Just a thought.. I'm looking for ideas to figure this out. Also, I do believe that he could of very well rooted the phone and then unrooted it. Like I said, I was asleep that night for a good 8 hours and that would have been more than plenty of time to do whatever to the phone. I have not checked the Super User app on the phone but I did run Root Checker and it indicated the phone was not rooted, which is not a surprise but like I said given the time he would have had with the phone does not eliminate the possibility of what I believe. Also, if I rooted the phone myself what could I do to check the presence of modified system / kernal files?

Once the device is rooted, yes you could check these things out.

And anyhow I am confused why you would of spent the night at someones' place or he at your place, knowing he could be devious and do this to your device? Why not just ask him yourself?

You just don't mess up someones' expensive hardware just for laughs...at least i don't...

 

[Stigy]

I think the biggest thing to note is that if you are not rooted, your system partition cannot be modified so we can rule that out.

Do you see any apps you don't notice on your device?

 

[dustin69]

I made a bad judgement call on the matter of letting him come and spend the night without securing my phone, or period for the matter. By the way, the phone was only 2 days old or so when this happened. I asked him if he had done anything he should not have done but of course the only answer I received of course is "What are you talking about?", plus it would be rude to accuse someone without having any type of proof so that is why I would like to figure out of it has occured or not. I am going to install Super User and see if it grants root at the moment, but I do believe the phone could have been rooted and unrooted. Here is a list of apps that are running on the phone according to the "Running" screen

Settings 8.6mb
Pandora 29mb
A4A Radar 2.7mb
GO Launcher EX 25mb
GO Switch Widget 2.8mb
GO Weather EX 11mb
com.android.qualcomm 1.7mb (Which I have no clue what this is)
Fota Client 3.0mb (NO Clue)
Google Services 17mb\
Media
Android keyboard

Also under the "All" are some apps that I do not recognize or know what they are:

A4A Radar
Account and Sync Settings
Alerter 0.0kb (?????)
Android Keyboard
Android Live Wallpapers
Android System 0.0b
Anti Spy Mobile FREE
AppStore
BBVA US
Calculator
Calender
Calender Storage
Camera
Certificate Installer
Clock
com.android.provision (???)
com.android.qualcomm
com.qualcomm.permission.? (The rest of it is off screen)
com.qualcomm.privinit
Contacts
Contacts Storage
Dialer
Dialer Storage
Download Manager
Downloads
Drive
DRM Protected Content Storage
eBay
Email
Explorer
Fota Client
FoxFi
FoxFi AddOn
Gallery
Gmail
GO Launcher EX
Go Switch Widget
GO Weather EX
Google Backup Transport
Google Calender Sync
Google Contacts Sync
Google Partner Setup
Google Play Services
Google Play Store
Google Search
Google Services Framework
Wiper App

(hold on will post the rest in a minute)

 

[Stigy]

I made a bad judgement call on the matter of letting him come and spend the night without securing my phone, or period for the matter. By the way, the phone was only 2 days old or so when this happened. I asked him if he had done anything he should not have done but of course the only answer I received of course is "What are you talking about?", plus it would be rude to accuse someone without having any type of proof so that is why I would like to figure out of it has occured or not. I am going to install Super User and see if it grants root at the moment, but I do believe the phone could have been rooted and unrooted. Here is a list of apps that are running on the phone according to the "Running" screen

Settings 8.6mb
Pandora 29mb
A4A Radar 2.7mb
GO Launcher EX 25mb
GO Switch Widget 2.8mb
GO Weather EX 11mb
com.android.qualcomm 1.7mb (Which I have no clue what this is)
- Probably from your processor (Snapdragon of some sort).
Fota Client 3.0mb (NO Clue)
- This is an update service from HTC.
Google Services 17mb\
Media
Android keyboard

Also under the "All" are some apps that I do not recognize or know what they are:

A4A Radar
Account and Sync Settings
Alerter 0.0kb (?????)
- I'd guess this is just a running service that deals with alerts/wakelocks.
Android Keyboard
Android Live Wallpapers
Android System 0.0b
Anti Spy Mobile FREE
AppStore
BBVA US
Calculator
Calender
Calender Storage
Camera
Certificate Installer
Clock
com.android.provision (???)
- Either has to do with provisioning the device on the network or with Google.
com.android.qualcomm
com.qualcomm.permission.? (The rest of it is off screen)
com.qualcomm.privinit
Contacts
Contacts Storage
Dialer
Dialer Storage
Download Manager
Downloads
Drive
DRM Protected Content Storage
eBay
Email
Explorer
Fota Client
FoxFi
FoxFi AddOn
Gallery
Gmail
GO Launcher EX
Go Switch Widget
GO Weather EX
Google Backup Transport
Google Calender Sync
Google Contacts Sync
Google Partner Setup
Google Play Services
Google Play Store
Google Search
Google Services Framework
Wiper App

(hold on will post the rest in a minute)

I have bolded some stuff with explanations underneath and will do the same for your second post when you put it up.

To be honest with you nothing looks malicious on there at all. It may just be you have never looked into the Running / All Apps section so some things seem out of place. Easiest way to check for root is to download a terminal emaulator and type su at the $ prompt. If it changes to # you have root, or you can download a SU app and see from there.

I'd say you are okay though.

 

[kevindroid]

no superuser no computer what did he do all this with

 

[ExtremeNerd]

You seem very adamant about your concerns, but they are likely unfounded. What you are proposing is a very intricate procedure which requires a lot of technical knowledge. You are looking for the conspiracy, in my opinion.

The kid you had stay the night would have had to research how to root your exact phone. There are only a handful of phones which use the same method. Even fewer are available without a computer. He had two days to figure this out, plan everything, convince you to allow him to stay the night, and execute.

He also needs to figure out how to build his own "spy" system. These aren't readily available. Not to be an ass, but I don't know if your information is important enough to put in that much effort. I understand wanting to protect yourself, but this is borderline paranoia.

This could be the thread of the year.

 

[Hadron]

So it sounds like your worry is based on the possibility rather than any evidence? Or is there some other reason?

There are a lot of apps and processes on a typical android phone. Some are part of the OS, some added by the manufacturer, and some added by the network. If you can suggest some you are concerned about people may be able to help, but don't expect to recognise them all.

As for rooting and unrooting, the normal way people unroot is by flashing a stock unrooted ROM, but that would remove any other system mods as well.

The idea that someone might root, then surgically undo this (while not expecting you to be checking in that detail anyway) sounds pretty extreme, and if they did they'd surely not change the OS or kernel in the process (far more visible than root is once superuser is removed). So while I can't prove it's physically impossible, it would require a huge effort and skills beyond most experienced rooters or developers, for gains that are not obvious.

 

[Hadron]

Qualcom are chip makers, and fota will be for Over The Air updates. So don't worry about those.

 

[dustin69]

He did have a laptop and could have Super User'ed himself and removed all of that afterwards. I did run Super User, which indicated the SU binary did not exist. But does that rule out the possibility that it could have been done and all of the tracks (i.e. root, su, etc.) been removed since he had unmetered access to the device for 8 hours while I slept. I will check into the terminal situation but if Super User said the SU binary is not there I don't think it will root me, right? I am, I must say, fairly new to Androids as I have only been using Android for about 4 months or any Smart Phone so I am unfamilar with some of the processes that are expected to ran by the OS.

Further reason to support my belief that this phone has been modified is that I have gone through some experiences over the last month or so (without going into detail) that would lead me to believe that this could of happened.

I know that a lot of research would have had to been put forth, especially since the phone was new and he had no way of knowing what kind of phone I would be buying. But I know for a fact that he had some knowledge of Linux (He had his laptop duel booted, so he was not a newbie when it came to computers or operating systems, and he was very fluent in knowledge during our discussion about computers, OSes, hardware, etc, so I do not believe it was out of his scope of knowledge to have been able to quickly done all this especially if he had done it with other individuals and phones in the past. Yeah it all sounds a little crazy and I am looking for the answer to "Is everything OK with my phone and OS" and "Was this phone and/or OS modified and can this individual be trusted at all in my house or my life in the future?" Those are the two questions I am really trying to get answered here.

ADD ON: Android Terminal Emulator reports su does not exist

 

[nickdalzell]

i suppose the only thing i can ask is what about the phone made you suspicious? is your 'friend' some kind of hacker and you're aware of that and assume he got hold of your phone? or is it doing things now that it never did before like suddenly crashing, self-rebooting a lot, or popping up ads where they don't normally show? are nude pictures showing in the gallery all of a sudden?

the apps you listed both on the device as well as running don't come off looking malicious to me, either. most of the ones you think are weird are part of the phone's network communication settings that give you access to your cellular network carrier.

 

[dustin69]

The phone was acting a little strange in the sense that the battery runs out faster than it used to, the situation I illustrated with "Unknown" in the grey box in the Network application, and the connection seems to turn on and off more than it did when I bought the phone. The System space seems to be a lot lower than it should be like as if there were hidden apps. Also is it possible for apps to hide themselves from the Android's stock "Running Applications" viewer?

Anyways, so if I had root, what could be done to verify the integrity and it's System partition as well as the Android Kernal and any installed packages?

 

[nickdalzell]

all i know is my phone tends to glitch and none of it is attributed to spyware/malware, but the fact it's a cheap, entry-level device with a sub-par processor. in my case my battery life varies from perfect (if in wifi only, airplane mode) to horrid (having GPS, 3G, cellular data, wifi, and apps running in the background) to even more horrid (lockscreen doesn't time out so screen stays on in my pocket, etc) and my phone self-reboots a few times a day, i often get random 'low disk space' notifications and then all of a sudden the space is back to normal. i just consider it part of Android. weird stuff happens. but i'd only worry if you get calls from your contacts asking why you called and hung up, or if you get odd ads in the gallery, notification area, (download airpush detector in the market/play store to be sure) or if porn shows up in your gallery. or you get strange calls or text messages--all of these are signs of spyware/infections.

i had a Nokia once that had a fancy keyboard and it started acting strange after a pet deer took a bite out of the keyboard while i was emailing someone and it didn't do any visible damage, but i often got calls from friends asking why i called and hung up--apparently it was damaged to the point it self-dialed contacts (stuck keys?) but i don't consider battery drains, some force-closes and running services you listed as strange--i live with them daily. and my phone is always with me.

i'm a bit of a 5th Amendment proponent myself. i usually keep the GPS turned off as i don't like the idea of my location being broadcasted to who-knows-where.

 

[dustin69]

I don't think I would consider those things 'normal, acceptable Android functioning' even for an entry level device. I do not want my Android acting buggy at all especially when the OS seems to be so solid. Also in relations to GPS that does not have much to do with this thread I have had my phone make Emergency phone calls that I did not initiate a couple of times. Not sure what that was about.. I forgot to mention that earlier. Also I had one call end with an individual and the timer did not go off and someone whom was "beeping in" and I had missed the call, was on the other line when I hung up.

 

[dustin69]

Does it have another function? I was recomended the app by the same individual.

 

[nickdalzell]

i get calls from robots often (502-256-7522) that ends up being a collection agency for the last owner of my number but that's normal, my phone reboots itself which is a known issue, and that old Nokia self-dialed due to the damage it got. but if any were infected with malware you can expect more than a few glitches and random events.

if your phone runs something like Android 2.1 or earlier, glitches are part of it. Eclair and Cupcake sucked compared with the more refined later builds that are in higher end devices. rooting a phone and messing around causes issues too. sometimes carrier bloatware can cause malfunctions, heck even a Virgin Mobile phone came out of the box with three airpush ad bots installed. however i have yet to have any android device that is perfectly stable. i've used both iOS, RIM OS, Symbian, 'dumb' phone software, and Android, and i'm not going to hide the truth that Android has lags and issues at times. it's open source. it's based in Linux. it has glitches.

when i mentioned GPS, it was referring to the more likely chance that if your friend wanted to hack your phone, he'd have more success in enabling Latitude and GPS and setting up both his phone and yours to where he could see where you were and spy on you via that app. that seems more likely than rooting a phone, installing adware/malware, unrooting it and passing it back to you

 

[Hadron]

Do you have an "emergency call" button on your lockscreen? If so that's likely to be the cause of your emergency calls (some event wakes screen, emergency call button pressed...).

 

[chanchan05]

Just wondering, I doubt your friend did anything due to the ff:

1. Does he have a motive? You didn't mention any. Its not like the "friend" was some crazy ex or something is he/she?

2. The list you posted does not have anything weird in it.

3. Spyware apps of the level you describe often need to have the phone rooted to work AFAIK. Your claim of "he may have super-usered it then removed the tell-tale stuff" won't hold. The moment he removes the root/superuser, the stuff he placed that requires root would stop working.

But of course its still your call. If you really are worried, root the device then flash it with some other ROM. Nothing would survive that AFAIK.

 

[dustin69]

Good idea, about flashing the ROM. But also I still want to establish IF this was done or not perhaps by MD5 checksum on all Android system files and packages? Ideas?

 

[ExtremeNerd]

Good idea, about flashing the ROM. But also I still want to establish IF this was done or not perhaps by MD5 checksum on all Android system files and packages? Ideas?

This is getting worse and worse each post I read. Do you realize how much knowledge it takes to build a ROM from source for a specific device AND then program a malware app which avoids ALL typical android security? This is a ridiculous though.

MD5 is used to ensure an entire file was downloaded. It has nothing to do with hacking.

Your phone is fine.

 

[chanchan05]

The level of security breach the OP is posting is something that would take weeks of research, beta testing and stuff. As far as I can see, there is nothing wrong with the phone, and if you think your "friend" would be doing things like that, why are you even talking to the person? Honestly, there is nothing wrong with your phone. Probably some app gone rogue or something. Just flash it and there would be nothing left and give yourself peace of mind.

 

[Crashdamage]

What you are so worried about is about as likely as finding Sasquatch or a zombie attack. Agree with chanchan05 - nothing you have posted shows any sign of system modification or spyware. Increased power drain means nothing, there's many possible innocent reasons for that.

Relax and enjoy your phone.

 

[Mostly Harmless]

Why not just do a factory reset and call it a day?

This thread sounds like it's from a bad James Bond movie, what could you friend possible want off of your phone? Do you bank with larger amounts of money? Hold classified information on your phone? If you are really worried just do a factory reset.