[Bounty $500] My note 10+ was hacked with stalkerware

[dangerruss]

My phone was infected with stalkerware, they had access to my files, could view what was on my screen, listen into my mic, view my cameras remotely, everything! It's incredibly creepy! From what I can tell they somehow loaded q hacked version of Google Chrome and or android web viewer. After getting suspicious I downloaded Kaspersky and ran a scan, I found 2 versions of Google Chrome on my phone one of them had the dual messenger app icon on it. The other one said it wasn't a current version from the apps store. I Uninstallerd and downloaded the current version through the app store. I tried to see if a packet sniffer would lead me to them but I think I was too late by that point. I also pulled the Chrome app qnd decompiler it. There was some weird things in there like ignore playstore version but nothing that I could find that would lead me to who was watching me. Is there anything I can still do that will lead me to who did this? I have a strong idea of who it was but need evidence so I can prosecute them. Any help would be appreciated. Im putting up a 500 dollar bounty if anyone can help me get some solid evidence.

 

[HyperChick]

My phone was infected with stalkerware, they had access to my files, could view what was on my screen, listen into my mic, view my cameras remotely, everything! It's incredibly creepy! From what I can tell they somehow loaded q hacked version of Google Chrome and or android web viewer. After getting suspicious I downloaded Kaspersky and ran a scan, I found 2 versions of Google Chrome on my phone one of them had the dual messenger app icon on it. The other one said it wasn't a current version from the apps store. I Uninstallerd and downloaded the current version through the app store. I tried to see if a packet sniffer would lead me to them but I think I was too late by that point. I also pulled the Chrome app qnd decompiler it. There was some weird things in there like ignore playstore version but nothing that I could find that would lead me to who was watching me. Is there anything I can still do that will lead me to who did this? I have a strong idea of who it was but need evidence so I can prosecute them. Any help would be appreciated. Im putting up a 500 dollar bounty if anyone can help me get some solid evidence.

Try logging into your Google account from a computer. Look at what devices have access to your account. I looked at mine a couple of months ago and saw a phone I never owned on AT&T. Funny thing is I have NEVER had AT&T. I've always and still have Verizon. I immediately removed, blocked and reported the device.

 

[dangerruss]

Try logging into your Google account from a computer. Look at what devices have access to your account. I looked at mine a couple of months ago and saw a phone I never owned on AT&T. Funny thing is I have NEVER had AT&T. I've always and still have Verizon. I immediately removed, blocked and reported the device.

That was the first thing I tried. Didn't find anything unfortunately. These a holes are good.

 

[HyperChick]

That was the first thing I tried. Didn't find anything unfortunately. These a holes are good.

Did you run a log of your IP addresses?

 

[dangerruss]

Did you run a log of your IP addresses?

Not until after the connection was severed. My first thought was to run a virus scan. The only thing I found was an application was installed feb 1st and the clean version of chrome stopped uploading on Feb 1st.

 

[dangerruss]

Why are there two of these? And how did they use dual messenger to install doubles? I've disabled all of them.

 

[HyperChick]

Not until after the connection was severed. My first thought was to run a virus scan. The only thing I found was an application was installed feb 1st and the clean version of chrome stopped uploading on Feb 1st.

Did you delete the corrupt Chrome already? The IP history may be in there...
you wish to find your IP address Internet history, you can easily do so directly from your Internet browser.

Step 1
Open your Internet browser, and click on "Tools" located in the horizontal menu bar at the top of the window.

Step 2
Click on "Internet Options"
Step 3
Click on "Settings" located beneath the "Browsing History" subheading.
Step 4
Click on the "View Files" button to find your IP address Internet history.

 

[REtails]

If you post the chrome apk that you dumped or anything else that you have that was related to the "infected" files, they might be helpful in looking for clues.

 

[dangerruss]

These are the apk files that I suspect could have been infected. Unfortunately I didn't pull them until after they were updated. But I believe there is still a change log kind of manifest if you decompile them.

 

[dangerruss]

On mobile? Im not seeing those options

Did you delete the corrupt Chrome already? The IP history may be in there...
you wish to find your IP address Internet history, you can easily do so directly from your Internet browser.

Step 1
Open your Internet browser, and click on "Tools" located in the horizontal menu bar at the top of the window.

Step 2
Click on "Internet Options"
Step 3
Click on "Settings" located beneath the "Browsing History" subheading.
Step 4
Click on the "View Files" button to find your IP address Internet history.

 

[REtails]

From what I can see, those apks unfortunately appear to be normal un-tampered files. The manifest I believe you are referring to is a component of the apk that dictates things like permissions and interfaces, but it does not perform any sort of logging or historical record sadly, as the entire apk is replaced when an app is updated or installed over an existing installation.

I am not sure how much cleaning you have done of your device since it happened, but aside from clues or records which might be available from various services you use (finding connected accounts that aren't yours, history of any account activities that weren't initiated by you, etc), your next best bet would probably be to dig through the files on the device in search of anything that shouldn't be there. Hopefully there is still some artifact of the infection which could potentially point towards its origin. I will follow this thread, happy to dig through files in my spare time.

 

[dangerruss]

Does anyone know if android keeps a log of installs or qnything in the root folder perhaps?

 

[OnnoJ]

Isn't there a relation between duplicate app instances and secure folder?

 

[dangerruss]

Isn't there a relation between duplicate app instances and secure folder?

Yes but I've never set up secure folder. Never felt a need to.

 

[blackhawk]

First thing I do is a factory reset (and hope that gets it) and reset the Google password.
Keep that bloody device 100% isolated from your PC and data backup copies including the SD card*. Wipe the SD card in the device before the reload and again after the reload. Do NOT connect the card or phone to your PC before the new load is proven clean. Load data directly to SD card from the PC then to the 10+ just in case.
Try to piece together when and what did it but that is a secondary concern. Consider it a drill.

Better get while the gettings good... that level of being compromised means no time to lose ditching the OS. I most likely wipe the SD card too and use one of the clean data backups I keep for just such an event. Torch all data on the device.
If it gets into your backup data copies you're boned.
OSs are 100% expendable, critical data is not.

*you can scan it with everything on the planet and still miss trojans, tainted jpegs/pngs, etc if no definitions exist yet. Expect multiple hidden infections now and go full nuke.
Isolating the infection to that device is only priority. It's possible the infection(s) are already on one or more backups and/or your PC. That's why it's important to keep multiple time staggered backups on multiple electronically isolated hdds.
I keep a 3 tier backup and my PC is never internet connected.
Keep your head and limit the spread...