XDA Developers Android and Mobile Development Forum

I have been Hacked!

Clawsman
#1
Senior Member - OP

Yeah.. as the title says.. 3 weeks ago this hacker hacked into my network..
placed rootkits in all my 3 computers and then hacked its way to my Desire and my wife's iPhone. Good thing I had Wireshark running at the same time.
So.. 5 units hacked with the method in like 1 hour. Bad luck for me I guess.
And Kaspersky didn't give me any warnings at all. Bye bye Kaspersky.

Anyway... I flashed my Desire's HBOOT just to be sure. After I did a check with "AutoKiller Memory Optimizer", all kinds of malware services were attached to most of my apps.
1- Downgraded HBOOT
2- Flashed stock HBOOT from AlphaRev
3- Changed recovery from CWM to 4EXT as I suspected the recovery of being infected somehow.

I checked my log... the hacker had removed some files and moved shell files from one folder to another, as well as busybox and so on. It was so many I thought I'd be better off installing a new ROM.
I tried with GingerVillain first... everything installed fine..
Checking with "Root Explorer" I see the same files that had been moved and added were still there.

OK.. I tried again..
Full wipe with 4EXT and then installed Runnymede.. still.. when I check my root partition most of the files are still there and I get the same results doing a root check.

Any ideas...? I'm not sure if my kernel is right. It should be, since I installed Runnymede. When checking the kernel version
it says.. "2.6.35.10_EBfixTP2WcLsSma2OcUvVddS35+droidzone@supernova #11"
Maybe a kernel rootkit? Does the kernel start before recovery?

Can someone please confirm this?

Baseband seems to be the same.

Any advice as to how to start from scratch will be much appreciated.
 
erklat
#2
Senior Member
Quote:
Originally Posted by Clawsman
Full wipe with 4EXT and then installed Runnymede.. still.. when I check my root partition most of the files are still there and I get the same results doing a root check.
Full wipe wipes /cache, /data and /sd-ext to my knowledge. There is a possibility some of the files remain on /system. Use 4EXT to manually format each partition using the format option.

Quote:
Originally Posted by Clawsman
it says.. "2.6.35.10_EBfixTP2WcLsSma2OcUvVddS35+droidzone@supernova #11"
That seems in order. The long name attached marks the modules added to that kernel.

Sent from my HTC Desire using Tapatalk
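An added example, not code from the thread or from any of its posters: erklat's point is that a "full wipe" leaves /system alone, so a file an intruder dropped there survives every wipe-and-reflash cycle. Instead of eyeballing Root Explorer, hash what the ROM zip ships under system/ and compare it with a copy of /system pulled off the phone; anything on the device that the ROM never shipped is a leftover to look at. The ROM zip layout (payload under system/), the directory names and the sample files are assumptions for the demo and are constructed inline; nothing here comes from the OP's device.

```python
import hashlib
import os
import tempfile
import zipfile


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def rom_manifest(zip_path: str) -> dict:
    """Map each file the ROM installs under /system to its SHA-256.

    Only entries under system/ count: boot.img, META-INF/ and the
    updater-script are not part of the /system tree."""
    manifest = {}
    with zipfile.ZipFile(zip_path) as z:
        for info in z.infolist():
            if info.is_dir() or not info.filename.startswith("system/"):
                continue
            manifest[info.filename[len("system/"):]] = sha256_of(z.read(info))
    return manifest


def device_tree(root: str) -> dict:
    """Map every regular file under a pulled copy of /system to its SHA-256."""
    tree = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # busybox applet symlinks etc. carry no content of their own
            with open(full, "rb") as f:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                tree[rel] = sha256_of(f.read())
    return tree


def diff_system(rom: dict, device: dict) -> dict:
    """Three buckets worth looking at after a suspicious flash:
    extra    - on the device but never shipped by the ROM (the leftovers)
    modified - shipped by the ROM but with different content on the device
    missing  - shipped by the ROM but absent on the device (bad flash)"""
    rom_paths, dev_paths = set(rom), set(device)
    return {
        "extra": sorted(dev_paths - rom_paths),
        "modified": sorted(p for p in rom_paths & dev_paths if rom[p] != device[p]),
        "missing": sorted(rom_paths - dev_paths),
    }


def demo() -> dict:
    """Constructed data (not from the thread): a tiny ROM zip and a pulled
    /system that has one altered shipped file and one stray binary."""
    work = tempfile.mkdtemp(prefix="systemdiff_")
    rom_zip = os.path.join(work, "rom.zip")
    with zipfile.ZipFile(rom_zip, "w") as z:
        z.writestr("META-INF/com/google/android/updater-script", 'ui_print("demo");\n')
        z.writestr("boot.img", b"ANDROID!")
        z.writestr("system/bin/sh", b"#!/system/bin/sh\n")
        z.writestr("system/xbin/busybox", b"busybox-from-rom")
        z.writestr("system/app/Maps.apk", b"PK\x03\x04maps")
    pulled = os.path.join(work, "system_pulled")
    on_device = {
        "bin/sh": b"#!/system/bin/sh\n",           # untouched
        "xbin/busybox": b"busybox-from-rom",        # untouched
        "app/Maps.apk": b"PK\x03\x04maps-patched",  # shipped file, altered
        "xbin/.hidden/srv": b"not-from-rom",        # never in the ROM
    }
    for rel, content in on_device.items():
        path = os.path.join(pulled, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content)
    return diff_system(rom_manifest(rom_zip), device_tree(pulled))


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Against a real phone: boot into recovery, mount /system, `adb pull /system ./system_pulled`, then call `diff_system(rom_manifest("rom.zip"), device_tree("system_pulled"))`. Two caveats: the updater-script of most ROMs also creates symlinks and a handful of generated files, so the "extra" bucket needs a human look rather than a reflex delete; and the listing has to come from recovery, not from the booted ROM, because a kernel-level rootkit in the running system can hide files from whatever tool walks the tree.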
 
Clawsman
#3
Senior Member - OP
OK
Well.. I did the format manually in 4EXT.
I suspect some files are still there.. also some boot files containing malware script.
What file contains the boot script? I mean.. what file is the first to be triggered when booting in HBOOT? Because many things in the recovery don't seem right, and the HBOOT fastrecovery starts with a delay.
Like when I want to partition or when I want to format all partitions except SD. It acts like it doesn't want to.

Anyway.. I was just wondering if I could just adb in and delete every file and folder that is in my phone and then flash recovery and ROM again.
Is that what RUU does?
Is that something to recommend?
 
Bingley
#4
Senior Member
RUU is a complete wipe of everything: /system, /hboot etc.
Download the correct one for your phone, *follow its instructions* (may need a gold card - google it) and run it on a clean PC.

Clean your PC, i.e. format and reinstall after taking backups.

Then start again with a new HBOOT/ROM setup.
Phone: Samsung S4 GT-I9505
Tablet: Lenovo S5000-H
 
andreigherghe
(Last edited by andreigherghe; 2nd March 2012 at 11:54 PM.)
#5
Recognized Developer
Is that even possible? Infecting an Android phone via a Wi-Fi network?

And recovery shouldn't be able to get infected. I think ONLY /data can, and eventually /system if it's mounted as RW.

But on a wipe, data gets deleted, and on a ROM install /system and boot (which holds the kernel and ramdisk) are deleted anyway.

RADIO starts before HBOOT. And there's absolutely no way they can be infected.

To be safe:

fastboot erase cache
fastboot erase system
fastboot erase boot
fastboot erase recovery *OVERKILL*

Then just do fastboot flash recovery {RECOVERY}

And there's nothing more you must do. HBOOT reflashing is 100% pointless.
SLCD Desire HBOOT 0.93 S-OFF

Developer of Androtility and Lynx.
Part of the ICS porting team for Desire
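As an added example (not andreigherghe's code and not from the thread): the fastboot sequence in the post above, wrapped so that the recovery image is checked for the Android boot-image magic before any partition is erased, and so that the full command list can be dry-run and reviewed before the phone is touched. The `run` parameter, `demo_images()` and the sample files are assumptions made here for illustration; the `fastboot erase`, `fastboot flash` and `fastboot reboot-bootloader` subcommands are the real ones.

```python
import os
import subprocess
import sys
import tempfile
from typing import Callable, List

BOOT_MAGIC = b"ANDROID!"  # first 8 bytes of every Android boot/recovery image

# Partitions from post #5, in the order given there: cache, system and boot
# are what a ROM writes; recovery is included because the OP distrusted his.
ERASE_ORDER = ["cache", "system", "boot", "recovery"]


def is_boot_image(path: str) -> bool:
    """Refuse a ROM zip, a truncated download or the wrong file before
    anything is sent to the phone. Header check only; it says nothing about
    whether the image is the one the recovery's author published."""
    try:
        with open(path, "rb") as f:
            return f.read(len(BOOT_MAGIC)) == BOOT_MAGIC
    except OSError:
        return False


def plan(recovery_img: str, fastboot: str = "fastboot") -> List[List[str]]:
    """The exact argv of every command that will run, so the sequence can be
    reviewed or logged before the phone is touched."""
    cmds = [[fastboot, "erase", part] for part in ERASE_ORDER]
    cmds.append([fastboot, "flash", "recovery", recovery_img])
    cmds.append([fastboot, "reboot-bootloader"])
    return cmds


def wipe_and_reflash_recovery(
    recovery_img: str,
    run: Callable = subprocess.run,
    fastboot: str = "fastboot",
) -> List[List[str]]:
    """Run post #5's sequence. `run` is injectable (an assumption of this
    example) so the steps can be recorded instead of executed; the default
    really calls fastboot. Returns the commands that were issued."""
    if not is_boot_image(recovery_img):
        raise ValueError(f"{recovery_img}: not an Android boot image, not flashing")
    executed = []
    for argv in plan(recovery_img, fastboot):
        run(argv, check=True)  # check=True: abort on the first failed step
        executed.append(argv)
    return executed


def demo_images() -> tuple:
    """Constructed files (not real images): a stub with the boot-image magic
    and a zip header that must be rejected."""
    work = tempfile.mkdtemp(prefix="fastboot_demo_")
    good = os.path.join(work, "recovery.img")
    bad = os.path.join(work, "rom.zip")
    with open(good, "wb") as f:
        f.write(BOOT_MAGIC + b"\0" * 8)
    with open(bad, "wb") as f:
        f.write(b"PK\x03\x04" + b"\0" * 12)
    return good, bad


if __name__ == "__main__":
    img = sys.argv[1]
    dry_run = lambda argv, check=True: print("would run:", " ".join(argv))
    wipe_and_reflash_recovery(
        img, run=dry_run if "--dry-run" in sys.argv else subprocess.run
    )
```

The recovery erase stays in because it is in the post, but as the post says it is overkill: `fastboot flash recovery` overwrites that partition anyway. The magic check only catches the wrong file being passed; compare the image's checksum with the one published alongside the recovery before trusting it, which matters more than usual when the PC doing the flashing is itself suspected of being compromised.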
 
TVTV
#6
Senior Member
Maybe top-notch hackers are shifting their interest from hacking NASA, the FBI and similar organizations in the US to hacking Android phones. Or maybe it's one of their favourite ways to have fun in their idle time. Who knows?

Anyway, here's a Thanks from me, Mr. Andrei, for your contribution to this community.
HTC One SV c525u (K2_UL), stock 4.2.2 & Sense 5, no root;
Ex: HTC Desire PVT-4, lightweight CM 7.2.0.1, Oxygen r2 HBOOT, 4EXT Touch 1.0.0.5 RC5;
Ex: HTC Touch 3G T3232, stock ROM;

If it ain't broke, don't fix it!
 
andreigherghe
#7
Recognized Developer
Quote:
Originally Posted by TVTV
Maybe top-notch hackers are shifting their interest from hacking NASA, the FBI and similar organizations in the US to hacking Android phones. Or maybe it's one of their favourite ways to have fun in their idle time. Who knows?

Anyway, here's a Thanks from me, Mr. Andrei, for your contribution to this community.
I do what I can. There are many devs that know much more than me. Your thanks are appreciated.

For me it's still strange, though. Only data and system could be "infected".

Take a look at this: http://forum.xda-developers.com/show....php?t=1399076

It's a scheme I made on how HTC and Nexus devices work (how they boot, what the individual partitions are, etc.).
SLCD Desire HBOOT 0.93 S-OFF

Developer of Androtility and Lynx.
Part of the ICS porting team for Desire
 
andQlimax
#8
Senior Member
Quote:
Originally Posted by Clawsman
[post #1, quoted in full]
An example of those infecting files?? What file in your root partition?? What path? ROM files are only on /system.

Sent from my Galaxy Nexus using Tapatalk
Google Nexus 5 | Stock Rom | Rooted | Xposed
Galaxy Nexus GSM GT-I9250 (maguro) | yakju | TWRP 2.4.1.0 | BOOTLOADER PRIMEMD04 | RADIO XXLJ1 | Stock JWR66Y 4.3 + Root
HTC Desire GSM A8181 (bravo) AMOLED| PVT1 | HBOOT 0.93.1000 S-OFF CM7r1 | 4EXT Touch Recovery | RADIO 32.56.00.32U_5.17.05.23 | CM 7 Nightly | A2SD 512MB EXT4
Nokia N70

Delayed Push Notifications? Push Notifications Fixer
 
pirlouyt
#9
Junior Member
I never use an anti-virus and until now never had a problem... as far as I know!
 
Clawsman
#10
Senior Member - OP
Well it happened to me..
I have deleted everything.. I remember I checked my log, and busybox files were moved to the system folder.. And all kinds of services were attached to Google Maps, Calendar, Facebook, WiFi apps, Market, etc..
And new apps were installed like VPN, cam apps, recorders.. etc.

I'm currently using the free Lookout...
And want to buy a security tool.
Any advice will be much appreciated.

Sent from my HTC Desire using xda premium
