
Galaxy S9 Hacked at the root

Strgzer13 (Lurker), Jan 21, 2019
I have the AT&T variant of the Galaxy S9 and it has been hacked. The files go all the way to the root directory. I have tried wiping the cache partition and factory resetting but to no avail. What can I do? I want whoever it is that is controlling my phone out, and I want to make sure there isn't a way back in for them.
 
You can download the stock firmware from Sammobile.com and reflash the phone. That followed by a factory reset (if it doesn't do a reset in the process - I'm not a Samsung expert) will remove anything from the phone because it completely overwrites the system.

As for not getting back in, without knowing how they got in in the first place that's impossible to say. It is not easy to get into the root of an up-to-date S9 in the first place. But the two most likely routes for any infection are either through a trojan (i.e. you installed an app that contains hidden malware - unlikely if you only install from the Play Store, highly likely if you download "free" copies of paid apps from the web) or that your Google or Samsung account has been compromised. So I would suggest taking steps to secure both of those (change passwords, enable two-factor authentication if you haven't already done so, check what devices have been used to access them, de-authorise any you aren't 100% sure are secure, etc). But don't do this from a compromised phone, and don't reconnect a cleaned phone to these accounts until you are sure they are secured.

When you say "the files go all the way to the root directory" can you see them, or is this an assumption or inference? If you can see things that you cannot remove what are they? This might help someone identify the cause (though in fairness I must also say that we get many people reporting that they've discovered something suspicious which is in fact completely normal, so I have to reserve judgement until we know more).
 
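The reply above says it is not easy to get root on an up-to-date S9, and recommends reflashing stock firmware. Before (and after) doing that, a practitioner would want a quick, offline way to read what the phone itself reports about its boot state. The script below is an added example, not from the thread or from Samsung: it parses saved `adb shell getprop` output and flags the standard Android verified-boot and build properties, plus Samsung's KNOX warranty bit, that change when a bootloader is unlocked or a custom image is flashed. It assumes those properties are present on the S9 firmware and that `adb` debugging can be enabled; the sample property dump at the bottom is constructed for the demo, not captured from a real device.

```shell
#!/bin/sh
# Added example (not code from the thread): triage an Android phone's boot/root
# state from `adb shell getprop` output. Capture once with
#     adb shell getprop > props.txt
# and run this script on the saved file, so the analysis itself runs offline.
# Assumption: the device reports the standard verified-boot/build properties
# and (on Samsung) ro.boot.warranty_bit.

# getprop prints lines of the form "[name]: [value]".
# prop_value FILE NAME -> value, or empty if the property is absent
prop_value() {
    awk -v key="[$2]: [" '
        index($0, key) == 1 {
            v = substr($0, length(key) + 1)
            sub(/]$/, "", v)          # strip the closing bracket
            print v
            exit
        }' "$1"
}

# triage_props FILE -> prints one finding per line; returns 0 when every
# indicator is consistent with locked, OEM-signed firmware, 1 otherwise.
triage_props() {
    f="$1"
    bad=0

    vbs=$(prop_value "$f" ro.boot.verifiedbootstate)
    case "$vbs" in
        green) echo "verified boot  : green (locked bootloader, OEM-signed image)" ;;
        "")    echo "verified boot  : not reported"; bad=1 ;;
        *)     echo "verified boot  : $vbs (unlocked bootloader or unsigned image)"; bad=1 ;;
    esac

    locked=$(prop_value "$f" ro.boot.flash.locked)
    if [ "$locked" = "1" ]; then
        echo "bootloader     : locked"
    else
        echo "bootloader     : flash.locked=${locked:-unknown}"; bad=1
    fi

    # Samsung-specific: 1 means a custom binary was flashed at some point and
    # KNOX was tripped; absent on non-Samsung builds, so only flag a 1.
    wb=$(prop_value "$f" ro.boot.warranty_bit)
    case "$wb" in
        0)  echo "knox warranty  : intact" ;;
        "") echo "knox warranty  : not reported" ;;
        *)  echo "knox warranty  : warranty_bit=$wb (custom binary has been flashed)"; bad=1 ;;
    esac

    tags=$(prop_value "$f" ro.build.tags)
    if [ "$tags" = "release-keys" ]; then
        echo "build tags     : release-keys"
    else
        echo "build tags     : ${tags:-unknown} (not an OEM release build)"; bad=1
    fi

    dbg=$(prop_value "$f" ro.debuggable)
    if [ "$dbg" = "1" ]; then
        echo "ro.debuggable  : 1 (userdebug/eng build, root shell available)"; bad=1
    else
        echo "ro.debuggable  : ${dbg:-0}"
    fi

    echo "fingerprint    : $(prop_value "$f" ro.build.fingerprint)"
    return $bad
}

# Constructed sample (not captured from a real phone): what a locked, stock
# build would look like. Used so the script runs without a device attached.
SAMPLE_PROPS='[ro.boot.verifiedbootstate]: [green]
[ro.boot.flash.locked]: [1]
[ro.boot.warranty_bit]: [0]
[ro.build.tags]: [release-keys]
[ro.debuggable]: [0]
[ro.build.fingerprint]: [samsung/example/example:9/EXAMPLE/0001:user/release-keys]'

main() {
    if [ -n "${1:-}" ]; then
        f="$1"
    else
        f=$(mktemp); printf '%s\n' "$SAMPLE_PROPS" > "$f"
    fi
    if triage_props "$f"; then
        echo "verdict: consistent with stock, locked firmware"
    else
        echo "verdict: at least one indicator is off; reflash stock firmware and keep the dump for analysis"
    fi
}
main "$@"
```

Compare the reported fingerprint against the firmware build you download to reflash. Keep in mind that these values are self-reported by the running system: a phone that really has been rooted at the kernel level can lie about them, so a clean result is supporting evidence, not proof, and it does not change the advice above to reflash and then secure the Google and Samsung accounts from a different device.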


After applying the cache wipe and factory reset I downloaded the free version of ES File Manager from Google Store. I began to look around a little bit and found several files in the root level that had words like clone children and cache dump to several captive portals that had tasks to about seven other devices that I counted before I stopped digging around. I also found screenshots of my lock screen and home screen as well as copies of my contacts lists and photos. I found several audio recordings of times when I wasn't on the phone and a lot of hidden files to ARM and ARM64 that I believe are two users since a lot of the tasks were sent to these entities. I don't have the personalization services enabled on my phone so I'm assuming that it's not Samsung or Google collecting this info.
 
ARM is "Acorn RISC Machines", who are the company who design the CPU architecture used in almost all Android smartphones (and ARM64 = 64-bit ARM architecture). So stuff relating to ARM you should not worry about (and hidden files is pretty much standard practice for things that the user should rarely if ever have to look at).

Some of the other stuff is less clear, e.g. why there might be audio recordings or screenshots (but stuff like that surely would be removed by a factory reset?). On my device ES won't show me anything in the root level anyway so I can't check any of that stuff (my Pixel isn't rooted, and none of my own file browsers will show me stuff in the root level. But I'd heard people say that ES did on their unrooted devices so just tried it on mine, but for me it still doesn't).

Unfortunately terms like "clone children" could also be legitimate, and not being a Samsung expert I've no idea what their own software normally does (they do tend to duplicate everything), so I can't be sure whether the other stuff you describe is legitimate or not. Maybe someone else will be able to.
 