XDA Developers Android and Mobile Development Forum

[Q] Suspicious Activity - Microphone activated and background MMS activity. Help!

gthing
#1
(Last edited by gthing; 22nd December 2013 at 11:17 PM.)

I am running a recent CM11 nightly on my Nexus 4. I have recently noticed some suspicious behavior. First, I installed a guitar tuner that I use a lot (gStrings) which would not start because it said the microphone was being used by another app. This persisted through several reboots. I chalked it up to a bug with CM or an incompatibility with the latest Android and forgot about it.

Then, last night my prepaid balance lapsed and immediately I started receiving messages saying "Your MMS message could not be delivered. Insufficient prepaid balance." The problem is that I very rarely send MMS and I certainly haven't sent any in recent memory.

It could be a fluke, and the two above things may not be related, but it was enough to make me want to investigate further. I am planning on flashing back to stock just to be safe, but first I'd like some help tracking down whether or not there is an issue here or enough to believe my phone has been compromised somehow.

First I checked my logcat and noticed a few suspicious things:

I see several cancelNotification messages from MMS:App and several composemessageactivity calls from PackageManager. Here are a few from a time I wasn't sending any messages at all:

Code:
12-22 13:47:28.333 I/PackageManager(685): Adding preferred activity ComponentInfo{com.android.mms/com.android.mms.ui.ComposeMessageActivity} for user 0 :
12-22 13:47:28.373 I/PackageManager(685):   Scheme: "mms"
12-22 13:47:28.373 I/PackageManager(685): Adding preferred activity ComponentInfo{com.android.mms/com.android.mms.ui.ComposeMessageActivity} for user 0 :
12-22 13:47:28.454 I/PackageManager(685):   Scheme: "mmsto"
12-22 13:47:28.454 I/PackageManager(685): Adding preferred activity ComponentInfo
I also see calls to an MMS notification sound that I've never heard before. I also don't know what AwesomePlayer is (something built into Android?):

Code:
12-22 15:39:34.304 D/AwesomePlayer(208): printFileName fd(44) -> /system/media/audio/notifications/F1_New_MMS.ogg
I pulled my mmssms.db from the phone and looked through it and didn't see anything that jumped out at me, but I admit I don't really know what I'm looking at.

Next I checked what apps have permissions for sending messages and didn't notice anything unusual. Google Voice and Twitter are the only user apps listed with access when I checked with xPrivacy (xPosed plugin). F-Secure App Permissions also show Twist, Google Search, Hangouts, and Google Play. But it looks like from the logcat the stock mms app is being called, so maybe something malicious wouldn't show up here?

I have not installed any apps I would consider "shady" and have never touched any pirated apps, but I do have a few installed from outside the play market. These are:
  • AdAway
  • dSploit
  • xPosed Installer
  • xPrivacy (xposed plugin)

Here is a complete list of apps installed on my device: http://snippi.com/s/uh08y66

I downloaded Webroot and AVG antivirus and ran scans. AVG flagged dSploit as a "potentially unwanted program" and warned that my device is rooted and I have 3rd party app installs allowed.

Is the above evidence enough to believe my phone is compromised or is there another possible explanation for the MMS activity? Like does T-Mobile maybe use some component of MMS to keep in communication with towers, etc?

Any ideas what else I can look at to try to get to the bottom of this before I flash back to stock?
Treo 650 -> Blackjack -> Tytn I -> Tytn 2 -> Palm Pre -> Hero -> Evo -> Evo 3D -> Galaxy Nexus -> Galaxy S III -> Nexus 4
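For the two artefacts the post works through (the logcat capture and the mmssms.db pulled from the phone), here is an added triage script. It is not from the thread, from CyanogenMod or from XDA. It parses threadtime-format logcat lines, keeps the MMS-related ones and buckets them, then runs the "what did the phone try to send, and when" query against an in-memory SQLite stand-in for mmssms.db. The sample logcat lines are constructed (three copy the lines quoted above, one is made up so the filter has something to skip), the database rows are constructed, and the subset of the stock `pdu` schema used here (`_id`, `date`, `msg_box`, `m_type`) is an assumption about what a pulled database contains.

```python
import re
import sqlite3
from datetime import datetime, timezone

# Constructed sample: three lines copied from the post, plus one made-up non-MMS line.
SAMPLE_LOGCAT = """\
12-22 13:47:28.333 I/PackageManager(685): Adding preferred activity ComponentInfo{com.android.mms/com.android.mms.ui.ComposeMessageActivity} for user 0 :
12-22 13:47:28.373 I/PackageManager(685):   Scheme: "mms"
12-22 15:39:34.304 D/AwesomePlayer(208): printFileName fd(44) -> /system/media/audio/notifications/F1_New_MMS.ogg
12-22 15:40:01.000 D/WifiStateMachine(685): CMD_START_SCAN
"""

# 'adb logcat -v threadtime' style: "MM-DD HH:MM:SS.mmm LEVEL/Tag(pid): message"
LOGCAT_RE = re.compile(
    r"^(?P<ts>\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})\s+"
    r"(?P<level>[VDIWEF])/(?P<tag>[^(]+?)\(\s*(?P<pid>\d+)\):\s?(?P<msg>.*)$"
)


def parse_logcat(text):
    """Parse threadtime logcat lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LOGCAT_RE.match, text.splitlines()) if m]


def mms_related(entries):
    """Keep entries whose tag or message mentions MMS (case-insensitive)."""
    return [e for e in entries if "mms" in (e["tag"] + e["msg"]).lower()]


def classify(entry):
    """Rough bucket for an MMS-related logcat entry.

    'default-handler': PackageManager recording which activity handles the
                       mms:/mmsto: schemes, i.e. the bookkeeping a default-app
                       choice leaves behind, not a message being sent.
    'notification'   : the media framework opening the new-MMS notification sound.
    'other'          : anything else; read these by hand.
    """
    msg = entry["msg"].strip()
    if entry["tag"] == "PackageManager" and (
        "preferred activity" in msg or msg.startswith("Scheme:")
    ):
        return "default-handler"
    if "notifications/" in msg:
        return "notification"
    return "other"


BOX_NAMES = {1: "inbox", 2: "sent", 3: "draft", 4: "outbox"}


def open_sample_db():
    """Build an in-memory stand-in for mmssms.db (constructed rows).

    Assumption: the pulled database has a 'pdu' table with at least these
    columns. msg_box 1=inbox, 2=sent, 3=draft, 4=outbox; pdu.date is in
    seconds since the epoch (the 'sms' table uses milliseconds instead).
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE pdu (_id INTEGER PRIMARY KEY, date INTEGER,"
        " msg_box INTEGER, m_type INTEGER)"
    )
    rows = [
        (1, 1387660000, 1, 132),  # inbox: retrieve-conf (a received MMS)
        (2, 1387670400, 1, 132),  # inbox
        (3, 1387720048, 2, 128),  # sent: send-req at 2013-12-22 13:47:28 UTC
        (4, 1387726774, 4, 128),  # outbox: send-req that never left the phone
    ]
    conn.executemany("INSERT INTO pdu VALUES (?, ?, ?, ?)", rows)
    return conn


def outbound_mms(conn):
    """Return (UTC timestamp, box) for every MMS the phone tried to send."""
    cur = conn.execute(
        "SELECT date, msg_box FROM pdu WHERE msg_box IN (2, 4) ORDER BY date"
    )
    return [
        (datetime.fromtimestamp(d, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
         BOX_NAMES[b])
        for d, b in cur
    ]


def box_counts(conn):
    """Number of MMS rows per box, keyed by box name."""
    cur = conn.execute("SELECT msg_box, COUNT(*) FROM pdu GROUP BY msg_box")
    return {BOX_NAMES.get(b, str(b)): n for b, n in cur}


if __name__ == "__main__":
    for e in mms_related(parse_logcat(SAMPLE_LOGCAT)):
        print(f'{e["ts"]} [{classify(e)}] {e["tag"]}: {e["msg"].strip()}')
    db = open_sample_db()
    print("per-box counts:", box_counts(db))
    for ts, box in outbound_mms(db):
        print("outbound:", ts, box)
```

To use it on real data, feed parse_logcat the text of `adb logcat -v threadtime` and replace open_sample_db with `sqlite3.connect` on the pulled mmssms.db. The lines bucketed as "other", and any row outbound_mms returns at a time when no message was sent by hand, are the ones worth comparing against the carrier's "could not be delivered" notices.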
 
Qwerty123 \m/
#2
You that reddit guy from /r/android?
My advice: FULL CLEAN WIPE.
Flash a stock 4.4.2 image.

Nexus 4 White 16GB w nipples
Current ROM : [JB 4.3][JWR66V]Cataclysm ROM - Android 4.3

Previous devices: Xperia Neo V - Xperia Arc S - Galaxy S 2 - MMX Canvas 2 - Galaxy Note - HTC One X - Nexus 4
 
gthing
#3
Quote:
Originally Posted by Qwerty123 \m/ View Post
You that reddit guy from /r/android?
My advice: FULL CLEAN WIPE.
Flash a stock 4.4.2 image.
Yeah, same guy. I'm definitely going to wipe it. The reason I installed CM11 in the first place is because I was getting interested in and trying to learn more about security, so I was hoping that I could gather a little more data on this and see if I could figure out where I went wrong. I guess the lesson is the same one at the beginning of every spy movie: don't trust anyone. Especially the guy who says that to you.
Treo 650 -> Blackjack -> Tytn I -> Tytn 2 -> Palm Pre -> Hero -> Evo -> Evo 3D -> Galaxy Nexus -> Galaxy S III -> Nexus 4
 
republicano
#4
(Last edited by republicano; 23rd December 2013 at 10:01 AM.)
Get DroidWall, a firewall to block apps that don't or shouldn't access the net. I did this to block Dolphin Browser from using my data when I wasn't aware of it. Some apps send texts to yourself; you notice this when receiving them in flight mode.

Perhaps restore to an earlier backup.

I thought the Xposed framework had security flaws, unless they fixed that; one reason why I never tried it.
 
bladebuddy
#5
Don't you agree to CM statistics when you flash CM ROMs now? If so, it collects data and has to send it somehow.
I never looked into it myself and haven't run a CM ROM for a while, but it's worth looking at.

Sent from my Nexus 4 using Tapatalk
Tags
malware, mms, security