Cleaning malware off an Android 5.02 phone


ab1jx

Member
Nov 19, 2015
39
1
0
Heath, MA
I have a Motorola xt1527 which is rooted, and I use it with AdAway, which needs hosts file access. I also use EasyTether on it to tether over USB to a Raspberry Pi, which becomes a wifi AP; I use half a dozen phones, tablets and computers through it, ad-filtered. I have a T-Mobile unlimited data plan; it's worked out well for a few years due to a lack of rural internet.

Along comes a new friend who claims I'm sending her SMS malware (ooo I've been hacked) so she keeps me blocked. Maybe the phone has something; the malware tools I've tried don't run under an Android version that old (5.02). How can I scan and clean the phone of malware? I've scanned and cleaned lots of Windows computers of viruses, made a living at it for years. Same idea once you have the tools, right?

Mostly the phone's an internet connection; I've rarely talked on it. It sits with the volume turned down. A few months ago I started using MightyText, an app that runs on it and puts SMS from it on their website so I can access it remotely.
 

ab1jx

OK, I was hoping for a Windows-type solution. But here I am, a retired IT guy with 27 years of Unix experience and a rooted Android phone. The first thing that jumps out at me is that ps ax shows nothing, only a header line. How? It is a Termux version. On a similar but non-rooted phone ps ax shows processes as I'd expect; I can try to copy that one over.

Top shows me this but I'm not sure what shouldn't be there:
Code:
User 1%, System 1%, IOW 0%, IRQ 0%
User 17 + Nice 0 + Sys 21 + Idle 1206 + IOW 1 + IRQ 0 + SIRQ 0 = 1245

  PID PR CPU% S  #THR     VSS     RSS PCY UID      Name
22276  1   1% R     1   2492K   1040K unk root     top
  234  2   0% S    17  61400K   4696K  fg system   /system/bin/surfaceflinger
 1118  0   0% S   102 812644K  70464K  fg system   system_server
18663  0   0% D     1      0K      0K     root     mdss_fb0
19179  1   0% S    13 665164K  25664K  bg u0_a154  com.bb.microcpu
   81  0   0% S     1      0K      0K unk root     kswapd0
22236  0   0% S     1      0K      0K     root     kworker/u8:7
 1799  0   0% S    40 724580K  29968K  fg radio    com.android.phone
 1437  1   0% S    32 768988K  51668K  fg u0_a42   com.android.systemui
19102  2   0% S     1      0K      0K     root     kworker/2:0
18820  1   0% S     1      0K      0K     root     kworker/1:1
 5054  2   0% S    54 707472K  20284K  fg u0_a108  eu.easytether.pro:engine
    8  0   0% S     1      0K      0K unk root     rcu_preempt
   54  0   0% S     1      0K      0K unk root     system
  134  0   0% S     1      0K      0K unk root     cfinteractive
   12  1   0% S     1      0K      0K     root     ksoftirqd/1
21668  0   0% S     1      0K      0K     root     kworker/u8:3
   33  0   0% D     1      0K      0K     root     kworker/u9:0
20554  0   0% S     1   6216K    388K unk root     daemonsu:10101:20551
30175  2   0% S    93 839104K  48944K  bg u0_a105  com.estrongs.android.pop
   31  1   0% S     1      0K      0K     root     smsm_cb_wq
   34  1   0% S     1      0K      0K     root     rpm-smd
   35  1   0% S     1      0K      0K     root     kworker/u9:1
   36  0   0% S     1      0K      0K unk root     irq/47-cpr
   37  1   0% S     1      0K      0K     root     deferwq
   38  1   0% S     1      0K      0K     root     mpm
   49  1   0% S     1      0K      0K     root     writeback
   50  1   0% S     1      0K      0K     root     bioset
   51  1   0% S     1      0K      0K     root     crypto
   52  1   0% S     1      0K      0K     root     kblockd
   53  1   0% S     1      0K      0K unk root     khubd
   55  1   0% S     1      0K      0K unk root     irq/75-msm_iomm
   56  1   0% S     1      0K      0K unk root     irq/75-msm_iomm
   57  1   0% S     1      0K      0K unk root     irq/273-msm_iom
   58  1   0% S     1      0K      0K unk root     irq/274-msm_iom
   59  1   0% S     1      0K      0K unk root     irq/102-msm_iom
   60  1   0% S     1      0K      0K unk root     irq/102-msm_iom
   61  1   0% S     1      0K      0K unk root     irq/102-msm_iom
   62  1   0% S     1      0K      0K unk root     irq/102-msm_iom
   63  1   0% S     1      0K      0K unk root     irq/102-msm_iom
   64  1   0% S     1      0K      0K unk root     irq/102-msm_iom
   65  1   0% S     1      0K      0K unk root     irq/102-msm_iom
   66  1   0% S     1      0K      0K unk root     irq/102-msm_iom
   67  1   0% S     1      0K      0K unk root     irq/102-msm_iom
   68  1   0% S     1      0K      0K unk root     irq/102-msm_iom
   69  1   0% S     1      0K      0K unk root     irq/102-msm_iom
   70  1   0% S     1      0K      0K unk root     irq/102-msm_iom
   71  1   0% S     1      0K      0K unk root     irq/102-msm_iom
   72  1   0% S     1      0K      0K unk root     irq/102-msm_iom
   73  1   0% S     1      0K      0K unk root     irq/102-msm_iom
   74  1   0% S     1      0K      0K unk root     irq/102-msm_iom
   75  1   0% S     1      0K      0K unk root     irq/102-msm_iom
   76  1   0% S     1      0K      0K unk root     irq/102-msm_iom
   77  1   0% S     1      0K      0K unk root     irq/102-msm_iom
   78  1   0% S     1      0K      0K unk root     irq/102-msm_iom
   79  1   0% S     1      0K      0K     root     devfreq_wq
   80  1   0% S     1      0K      0K     root     cfg80211
   82  0   0% S     1      0K      0K unk root     fsnotify_mark
  101  1   0% D     1      0K      0K unk root     mdss_dsi_event
  102  1   0% S     1      0K      0K     root     apr_driver
  103  1   0% S     1      0K      0K     root     pil_vote_wq
  104  1   0% S     1      0K      0K     root     mem_share_svc
  105  1   0% S     1      0K      0K     root     qmi_hndl0000000
  106  1   0% S     1      0K      0K     root     msm_ipc_router
  107  1   0% S     1      0K      0K unk root     hwrng
  108  1   0% S     1      0K      0K     root     diag_real_time_
  109  2   0% S     1      0K      0K     root     diag_modem_data
  110  1   0% S     1      0K      0K     root     diag_lpass_data
  111  2   0% S     1      0K      0K     root     diag_wcnss_data
  112  1   0% S     1      0K      0K     root     diag_wq
  113  2   0% S     1      0K      0K     root     diag_usb_wq
  114  0   0% S     1      0K      0K     root     diag_cntl_wq
  115  0   0% S     1      0K      0K     root     diag_dci_wq
  116  1   0% S     1      0K      0K     root     kgsl-3d0
  117  1   0% S     1      0K      0K     root     kgsl-events
  118  1   0% S     1      0K      0K     root     governor_msm_ad
  119  1   0% S     1      0K      0K     root     kgsl_devfreq_wq
  120  1   0% S     1      0K      0K     root     proximity_als
  121  0   0% S     1      0K      0K unk root     spi0
  124  1   0% S     1      0K      0K     root     stml0xx_wq
  125  1   0% S     1      0K      0K     root     usbnet
  126  1   0% S     1      0K      0K     root     sharedmem_qmi_w
  127  1   0% S     1      0K      0K     root     qmi_hndl0000000
  128  1   0% S     1      0K      0K     root     k_gserial
  129  1   0% S     1      0K      0K     root     rmi_det_workque
  132  0   0% S     1      0K      0K     root     msm_cpp_workque
  133  0   0% S     1      0K      0K unk root     irq/322-max170x
  135  0   0% S     1      0K      0K unk root     irq/170-7824900
  136  0   0% S     1      0K      0K unk root     irq/253-7864900
  137  1   0% S     1      0K      0K unk root     irq/288-7864900
  158  1   0% S     1      0K      0K     root     binder
  159  1   0% S     1      0K      0K     root     usb_bam_wq
  160  1   0% S     1      0K      0K unk root     krfcommd
  161  0   0% S     1      0K      0K unk root     irq/461-wcnss
  162  0   0% S     1      0K      0K unk root     irq/429-modem
  163  0   0% S     1      0K      0K     root     msm_vidc_worker
  164  0   0% S     1      0K      0K     root     pm_workerq_venu
  166  0   0% S     1      0K      0K unk root     irq/321-fan5404
  167  1   0% S     1      0K      0K unk root     kcompact
  168  1   0% S     1      0K      0K     root     rq_stats
  169  1   0% S     1      0K      0K     root     bam_dmux_rx
  170  1   0% S     1      0K      0K     root     bam_dmux_tx
  171  1   0% S     1      0K      0K     root     k_bam_data
  172  1   0% S     1      0K      0K     root     f_mtp
  173  1   0% S     1      0K      0K unk root     file-storage
  174  0   0% S     1      0K      0K unk root     msm_thermal:hot
  175  2   0% S     1      0K      0K unk root     msm_thermal:fre
  176  2   0% S     1      0K      0K unk root     msm_thermal:the
  177  0   0% S     1      0K      0K unk root     mmcqd/0
  178  1   0% S     1      0K      0K unk root     mmcqd/0rpmb
  179  0   0% S     1      0K      0K unk root     mmcqd/1
  183  0   0% S     1      0K      0K unk root     jbd2/mmcblk0p42
  184  1   0% S     1      0K      0K     root     ext4-dio-unwrit
  186  0   0% S     1      0K      0K unk root     f2fs_gc-259:12
  190  0   0% S     1      0K      0K unk root     jbd2/mmcblk0p43
  191  0   0% S     1      0K      0K     root     ext4-dio-unwrit
  192  0   0% S     1      0K      0K unk root     jbd2/mmcblk0p31
  193  1   0% S     1      0K      0K     root     ext4-dio-unwrit
  194  0   0% S     1      0K      0K unk root     jbd2/mmcblk0p1-
  195  0   0% S     1      0K      0K     root     ext4-dio-unwrit
  196  0   0% S     1      0K      0K     root     ext4-dio-unwrit
  197  1   0% S     1      0K      0K     root     kworker/1:1H
  223  0   0% S     1      0K      0K     root     IPCRTR
  225  2   0% S     1      0K      0K     root     modem_IPCRTR
  229  2   0% S     5   8020K   2404K unk logd     /system/bin/logd
  230  0   0% S     1   1584K    188K  fg root     /sbin/healthd
  231  0   0% S     1   2368K    368K unk root     /system/bin/lmkd
  232  3   0% S     1   1176K    376K unk system   /system/bin/servicemanager
  233  3   0% S     3   5828K    516K unk root     /system/bin/vold
  236  0   0% S     2   3172K    324K unk system   /system/bin/rfs_access
  238  3   0% S     1   2888K    296K unk system   /system/bin/qseecomd
  245  0   0% S     5   6948K    308K unk nobody   /system/bin/rmt_storage
  246  2   0% S     1      0K      0K     root     kworker/2:1H
  251  3   0% S     1      0K      0K     root     kworker/3:1H
  257  1   0% S     1      0K      0K unk root     kauditd
  263  3   0% S     5   7100K    192K unk system   /system/bin/qseecomd
  279  0   0% S    20  38300K   1132K unk radio    /system/bin/rild
  281  1   0% S     2  14988K    312K  fg drm      /system/bin/drmserver
  284  1   0% S     1   1136K    304K unk install  /system/bin/installd
  286  0   0% S     1   4480K    424K  fg keystore /system/bin/keystore
  291  3   0% S    31  35156K    260K unk root     /system/bin/thermal-engine
  292  2   0% S     1   1760K    112K unk system   /system/bin/wcnss_service
  300  0   0% S     1   1808K    228K unk gps      /system/bin/loc_launcher
  303  3   0% S     4   8008K    360K unk system   /system/bin/ATFWD-daemon
  304  3   0% S     3  12772K    252K unk camera   /system/bin/mm-qcamera-daemon
  305  0   0% S     4   6484K    292K unk system   /system/bin/time_daemon
  306  0   0% S     3  10392K    284K  fg system   /system/bin/audiod
  318  0   0% S     1   1780K    112K unk diag     /system/bin/dropboxd
  352  0   0% S     2   4928K    444K unk radio    /system/bin/qmuxd
  356  3   0% S     2  33208K    396K unk system   /system/bin/mm-pp-daemon
  362  0   0% S     1    372K      4K unk mot_esdf /system/bin/esdpll
  381  0   0% S     7  11128K    348K unk radio    /system/bin/netmgrd
  396  2   0% S     2   8400K    264K unk mot_tcmd /system/bin/tcmd
  436  0   0% S     3   5832K    432K unk radio    /system/bin/qmi_motext_hook
  521  0   0% S     1      0K      0K     root     IPCRTR
  544  0   0% S     1      0K      0K     root     wcnss_IPCRTR
  667  0   0% S     1   1092K    112K unk root     daemonsu:mount:master
  673  0   0% S     1    912K    356K unk root     /sbin/ueventd
  802  1   0% S     4   4164K    236K unk root     daemonsu:master
  832  0   0% S     9  13248K    492K unk root     /system/bin/netd
  833  0   0% S    11  37972K   2816K  fg media    /system/bin/mediaserver
  834  3   0% S     1   1816K    264K unk radio    /system/bin/subsystem_ramdump
  835  2   0% S     6 654840K  14012K unk root     zygote
  933  0   0% S    22 833824K  33144K  bg u0_a16   com.google.android.gms.unstable
 1392  1   0% S     1      0K      0K unk root     VosWDThread
 1394  0   0% S     1      0K      0K unk root     VosMCThread
 1395  0   0% S     1      0K      0K unk root     VosTXThread
 1396  2   0% S     1      0K      0K unk root     VosRXThread
 1404  0   0% S    13 679772K  20844K  bg u0_a103  org.galexander.sshd
 1414  0   0% S     1      0K      0K unk root     wlan_logging_th
 1419  0   0% S     2   7464K    700K unk wifi     /system/bin/wpa_supplicant
 1455  3   0% S    14 664284K  12456K  fg system   com.motorola.process.slpc
 1488  0   0% S    15 667308K  13252K  fg u0_a40   com.motorola.slpc
 1523  1   0% S    18 669112K  15092K  fg u0_a24   com.motorola.modemservice
 1618  0   0% S    16 866176K  27032K  fg u0_a31   com.motorola.motodisplay
 1645  1   0% S    14 805156K  13884K  fg u0_a43   com.google.android.googlequicksearchbox:interactor
 1684  3   0% S    19 676008K  28652K  fg u0_a123  org.pocketworkstation.pckeyboard
 1758  1   0% S    22 677212K  23268K  fg system   com.motorola.process.system
 1777  3   0% S    14 665108K  12824K  fg radio    com.android.server.telecom
 1818  0   0% S    41 731924K  38816K  bg u0_a157  com.teslacoilsw.launcher
 1970  0   0% S     1      0K      0K unk root     loop0
 1971  3   0% S     1      0K      0K     root     kdmflush
 1983  2   0% S     1      0K      0K     root     bioset
 1984  2   0% S     1      0K      0K     root     kcryptd_io
 1985  2   0% S     1      0K      0K     root     kcryptd
 1986  2   0% S     1      0K      0K unk root     dmcrypt_write
 1987  2   0% S     1      0K      0K     root     bioset
 1988  1   0% S     1      0K      0K     root     ext4-dio-unwrit
 2028  0   0% S     1      0K      0K unk root     loop1
 2032  1   0% S     1      0K      0K     root     kdmflush
 2033  1   0% S     1      0K      0K     root     bioset
 2034  1   0% S     1      0K      0K     root     kcryptd_io
 2035  1   0% S     1      0K      0K     root     kcryptd
 2036  1   0% S     1      0K      0K unk root     dmcrypt_write
 2037  1   0% S     1      0K      0K     root     bioset
 2039  1   0% S     1      0K      0K     root     ext4-dio-unwrit
 2104  2   0% S     1      0K      0K unk root     loop2
 2106  1   0% S     1      0K      0K     root     kdmflush
 2107  1   0% S     1      0K      0K     root     bioset
 2108  1   0% S     1      0K      0K     root     kcryptd_io
 2109  1   0% S     1      0K      0K     root     kcryptd
 2110  3   0% S     1      0K      0K unk root     dmcrypt_write
 2111  1   0% S     1      0K      0K     root     bioset
 2112  1   0% S     1      0K      0K     root     ext4-dio-unwrit
 2249  2   0% S     1      0K      0K     root     loop4
 2250  2   0% S     1      0K      0K     root     kdmflush
 2251  2   0% S     1      0K      0K     root     bioset
 2252  2   0% S     1      0K      0K     root     kcryptd_io
 2253  1   0% S     1      0K      0K     root     kcryptd
 2254  1   0% S     1      0K      0K     root     dmcrypt_write
 2255  1   0% S     1      0K      0K     root     bioset
 2256  2   0% S     1      0K      0K     root     ext4-dio-unwrit
 2275  2   0% S     1      0K      0K     root     loop5
 2276  1   0% S     1      0K      0K     root     kdmflush
 2277  0   0% S     1      0K      0K     root     bioset
 2278  0   0% S     1      0K      0K     root     kcryptd_io
 2279  0   0% S     1      0K      0K     root     kcryptd
 2280  1   0% S     1      0K      0K     root     dmcrypt_write
 2281  0   0% S     1      0K      0K     root     bioset
 2282  1   0% S     1      0K      0K     root     ext4-dio-unwrit
 2283  0   0% S     1      0K      0K     root     loop6
 2284  0   0% S     1      0K      0K     root     kdmflush
 2285  0   0% S     1      0K      0K     root     bioset
 2286  0   0% S     1      0K      0K     root     kcryptd_io
 2287  0   0% S     1      0K      0K     root     kcryptd
 2288  2   0% S     1      0K      0K     root     dmcrypt_write
 2289  0   0% S     1      0K      0K     root     bioset
 2290  0   0% S     1      0K      0K     root     ext4-dio-unwrit
 2306  0   0% S     1      0K      0K     root     loop7
 2307  2   0% S     1      0K      0K     root     kdmflush
 2308  0   0% S     1      0K      0K     root     bioset
 2309  1   0% S     1      0K      0K     root     kcryptd_io
 2310  1   0% S     1      0K      0K     root     kcryptd
 2311  2   0% S     1      0K      0K     root     dmcrypt_write
 2312  1   0% S     1      0K      0K     root     bioset
 2313  2   0% S     1      0K      0K     root     ext4-dio-unwrit
 2315  0   0% S     1      0K      0K     root     loop8
 2316  2   0% S     1      0K      0K     root     kdmflush
 2317  2   0% S     1      0K      0K     root     bioset
 2318  2   0% S     1      0K      0K     root     kcryptd_io
 2319  2   0% S     1      0K      0K     root     kcryptd
 2320  2   0% S     1      0K      0K     root     dmcrypt_write
 2321  2   0% S     1      0K      0K     root     bioset
 2322  2   0% S     1      0K      0K     root     ext4-dio-unwrit
 2324  1   0% S     1      0K      0K     root     loop9
 2325  1   0% S     1      0K      0K     root     kdmflush
 2326  0   0% S     1      0K      0K     root     bioset
 2327  1   0% S     1      0K      0K     root     kcryptd_io
 2328  1   0% S     1      0K      0K     root     kcryptd
 2329  0   0% S     1      0K      0K     root     dmcrypt_write
 2330  1   0% S     1      0K      0K     root     bioset
 2331  1   0% S     1      0K      0K     root     ext4-dio-unwrit
 2334  0   0% S     1      0K      0K     root     loop10
 2335  2   0% S     1      0K      0K     root     kdmflush
 2336  0   0% S     1      0K      0K     root     bioset
 2337  0   0% S     1      0K      0K     root     kcryptd_io
 2338  0   0% S     1      0K      0K     root     kcryptd
 2339  0   0% S     1      0K      0K     root     dmcrypt_write
 2340  0   0% S     1      0K      0K     root     bioset
 2341  1   0% S     1      0K      0K     root     ext4-dio-unwrit
 2347  0   0% S     1      0K      0K     root     loop11
 2348  3   0% S     1      0K      0K     root     kdmflush
 2349  0   0% S     1      0K      0K     root     bioset
 2350  2   0% S     1      0K      0K     root     kcryptd_io
 2351  0   0% S     1      0K      0K     root     kcryptd
 2352  0   0% S     1      0K      0K     root     dmcrypt_write
 2353  1   0% S     1      0K      0K     root     bioset
 2354  2   0% S     1      0K      0K     root     ext4-dio-unwrit
 2363  0   0% S     1      0K      0K     root     loop12
 2364  2   0% S     1      0K      0K     root     kdmflush
 2365  0   0% S     1      0K      0K     root     bioset
 2366  0   0% S     1      0K      0K     root     kcryptd_io
 2367  0   0% S     1      0K      0K     root     kcryptd
 2368  2   0% S     1      0K      0K     root     dmcrypt_write
 2369  0   0% S     1      0K      0K     root     bioset
 2370  0   0% S     1      0K      0K     root     ext4-dio-unwrit
 2377  0   0% S     1      0K      0K     root     loop13
 2378  3   0% S     1      0K      0K     root     kdmflush
 2379  2   0% S     1      0K      0K     root     bioset
 2380  2   0% S     1      0K      0K     root     kcryptd_io
 2381  2   0% S     1      0K      0K     root     kcryptd
 2382  1   0% S     1      0K      0K     root     dmcrypt_write
 2383  2   0% S     1      0K      0K     root     bioset
 2384  3   0% S     1      0K      0K     root     ext4-dio-unwrit
 2427  2   0% S     1      0K      0K     root     loop14
 2428  0   0% S     1      0K      0K     root     kdmflush
 2429  1   0% S     1      0K      0K     root     bioset
 2430  2   0% S     1      0K      0K     root     kcryptd_io
 2431  3   0% S     1      0K      0K     root     kcryptd
    1  0   0% S     1   1044K    536K unk root     /init
 2433  0   0% S     1      0K      0K     root     bioset
 2434  0   0% S     1      0K      0K     root     ext4-dio-unwrit
 2453  1   0% S     1      0K      0K     root     loop15
 2454  2   0% S     1      0K      0K     root     kdmflush
 2455  1   0% S     1      0K      0K     root     bioset
 2456  2   0% S     1      0K      0K     root     kcryptd_io
 2457  0   0% S     1      0K      0K     root     kcryptd
 2458  3   0% S     1      0K      0K     root     dmcrypt_write
 2459  3   0% S     1      0K      0K     root     bioset
 2460  0   0% S     1      0K      0K     root     ext4-dio-unwrit
 2486  1   0% S     1      0K      0K     root     loop16
 2487  3   0% S     1      0K      0K     root     kdmflush
 2488  2   0% S     1      0K      0K     root     bioset
 2489  3   0% S     1      0K      0K     root     kcryptd_io
 2490  3   0% S     1      0K      0K     root     kcryptd
 2491  1   0% S     1      0K      0K     root     dmcrypt_write
 2492  1   0% S     1      0K      0K     root     bioset
 2493  0   0% S     1      0K      0K     root     ext4-dio-unwrit
 2495  0   0% S     1      0K      0K     root     loop17
 2496  1   0% S     1      0K      0K     root     kdmflush
 2497  1   0% S     1      0K      0K     root     bioset
 2498  0   0% S     1      0K      0K     root     kcryptd_io
 2499  1   0% S     1      0K      0K     root     kcryptd
 2500  1   0% S     1      0K      0K     root     dmcrypt_write
 2501  1   0% S     1      0K      0K     root     bioset
 2502  3   0% S     1      0K      0K     root     ext4-dio-unwrit
 3040  0   0% S    37 727556K  46708K  bg u0_a23   com.android.mms
 3216  1   0% S    40 917812K  37732K  bg u0_a65   com.google.android.gm
 3222  1   0% S     1   3140K    244K unk root     daemonsu:10125
 3245  1   0% S    41 739544K  29152K  fg u0_a0    com.motorola.ccc
 3691  0   0% S    20 685044K  28176K  fg u0_a30   com.motorola.motocare
 7200  0   0% S     4   3600K    236K unk shell    /sbin/adbd
 7788  2   0% S    20 695804K  30240K  bg system   com.android.settings
 7870  0   0% S     1   1740K    184K unk root     /system/bin/debuggerd
16840  0   0% S     1      0K      0K     root     kworker/0:3
16923  3   0% S     1      0K      0K     root     kworker/3:0
18674  0   0% S     1      0K      0K     root     irq/320-synapti
18827  1   0% S    31 763360K  50008K  bg u0_a112  org.thoughtcrime.securesms
18919  0   0% S    16 717620K  27852K  bg u0_a105  .esfm
18970  0   0% S    15 667300K  24128K  bg u0_a13   android.process.media
19144  0   0% S     1      0K      0K     root     kworker/u8:8
19145  1   0% S     1      0K      0K     root     kworker/u8:9
19146  0   0% S     1      0K      0K     root     kworker/u8:10
19147  1   0% S     1      0K      0K     root     kworker/u8:11
19236  1   0% S    15 677456K  23028K  bg u0_a26   com.motorola.camera
19337  2   0% S    13 681784K  20160K  bg u0_a27   com.motorola.MotGallery2
19454  0   0% S    14 664316K  17688K  bg radio    com.qualcomm.qcrilmsgtunnel
19599  1   0% S    14 664388K  18108K  bg system   com.qualcomm.telephony
19652  3   0% S    13 713484K  21548K  bg u0_a105  com.estrongs.android.pop:local
20064  1   0% S     1   3224K   1412K  fg u0_a101  /data/data/com.termux/files/usr/bin/bash
20551  2   0% S     1   1052K    336K  fg u0_a101  /system/xbin/su
20560  1   0% S     1   1144K    608K unk root     tmp-mksh
20756  1   0% S     1      0K      0K     root     kworker/1:0
20828  3   0% S     1      0K      0K     root     kworker/3:2
20829  2   0% S     1      0K      0K     root     kworker/2:2
21101  0   0% S     1      0K      0K     root     kworker/0:0
21390  1   0% S    14 669556K  22424K  bg u0_a16   com.google.process.gapps
21533  1   0% S    24 706452K  42332K  bg u0_a102  bbc.mobile.news.ww
21666  1   0% S     1      0K      0K     root     kworker/u8:1
21667  0   0% S     1      0K      0K     root     kworker/u8:2
21788  1   0% S     1      0K      0K     root     kworker/1:2
21804  0   0% S     1      0K      0K     root     kworker/u8:4
21805  0   0% S     1      0K      0K     root     kworker/u8:5
21806  0   0% S     1      0K      0K     root     kworker/u8:6
21903  2   0% S     1      0K      0K     root     kworker/2:1
22237  1   0% S     1      0K      0K     root     kworker/u8:12
22275  0   0% S     1      0K      0K     root     kworker/0:1
30503  0   0% S   105 1193908K  80704K  bg u0_a16   com.google.android.gms
30534  0   0% S    58 912720K  81020K  fg u0_a16   com.google.android.gms.persistent
31478  0   0% S    30 706660K  44316K  fg u0_a101  com.termux
31515  1   0% S     1   3220K    264K  fg u0_a101  /data/data/com.termux/files/usr/bin/bash
31538  0   0% S     1   1052K    308K  fg u0_a101  /system/xbin/su
31541  0   0% S     3   6212K     92K unk root     daemonsu:10101
31543  2   0% S     1   5192K    220K unk root     daemonsu:10101:31538
31547  1   0% S     1   1140K    392K unk root     tmp-mksh
32327  0   0% S     1   1092K    320K  fg u0_a105  su
32332  0   0% S     2   6212K    104K unk root     daemonsu:10105
32336  1   0% S     1   1120K    400K unk root     tmp-mksh
32376  0   0% S     1   1000K    220K unk root     /data/data/com.estrongs.android.pop/files/libestool2.so
32411  0   0% S     3   3032K    216K  fg u0_a105  /data/data/com.estrongs.android.pop/files/libestool2.so
 2432  0   0% S     1      0K      0K     root     dmcrypt_write
    2  0   0% S     1      0K      0K     root     kthreadd
    3  0   0% S     1      0K      0K     root     ksoftirqd/0
    5  0   0% S     1      0K      0K     root     kworker/0:0H
    6  0   0% D     1      0K      0K     root     kworker/u8:0
    7  0   0% S     1      0K      0K     root     migration/0
    9  0   0% S     1      0K      0K unk root     rcu_bh
   10  2   0% S     1      0K      0K unk root     rcu_sched
   11  1   0% S     1      0K      0K     root     migration/1
   14  1   0% S     1      0K      0K     root     kworker/1:0H
   15  2   0% S     1      0K      0K     root     migration/2
   16  2   0% S     1      0K      0K     root     ksoftirqd/2
   18  2   0% S     1      0K      0K     root     kworker/2:0H
   19  3   0% S     1      0K      0K     root     migration/3
   20  3   0% S     1      0K      0K     root     ksoftirqd/3
   22  3   0% S     1      0K      0K     root     kworker/3:0H
   23  1   0% S     1      0K      0K     root     khelper
   24  1   0% S     1      0K      0K     root     netns
   29  0   0% S     1      0K      0K     root     kworker/0:1H
   30  1   0% S     1      0K      0K     root     smd_channel_clo

OK, so I'll do a list from my similar phone that's never had a SIM, load them into SQLite maybe to find some normal processes, and Google the ones that are unique to see what they are.
 

ab1jx

Lookout seems about like what I had in mind, but it didn't find anything other than that the phone is rooted. It did find a trojan on another one I was trying it out on. Delighted that it runs under Android 5.02.
 

xdabookam

Member
Feb 8, 2015
14
2
Had problems with a phone getting infected by trojans which were installing via Play Services and finally tracked it down to ES File Explorer. Strange thing is that I use the exact same .apk on other phones, tablets and TV boxes with no issues (the root of which I was able to track down with the help of lookups of hmma.baidu.com in the logs of my DNS server on the LAN).
Two approaches I used to check for viruses were:

1. Dump flash to a backup and then mount the .ext4 backup files on a Linux machine and run clamscan, which did not find much. I've not tried a commercial Windows virus scanner, which might be more successful.

2. Scanned using VirusTotal by uploading binaries, executables, apps & APKs etc. from /data and /system in multipart zip files (the service has an upload file size limit).
VirusTotal found more infected files. Only issue with this scanning method is that even some LineageOS binaries are flagged infected or suspect.
 

ab1jx

Clamscan twice now tells me it scanned 0 files but took 15+ minutes to do it. Trying clamscan -ar dir now. Eating more CPU at least. If this would work clamscan could be made into an APK. Haven't gotten to VirusTotal yet. I copied the same dirs to an SD card, scanning that. Segfault, oh-oh.

clamscan -ar sdcard0 > scanlog.txt 2>&1
That worked better:

----------- SCAN SUMMARY -----------
Known viruses: 8604195
Engine version: 0.103.3
Scanned directories: 414
Scanned files: 1950
Infected files: 0
Data scanned: 1847.28 MB
Data read: 1364.57 MB (ratio 1.35:1)
Time: 4435.304 sec (73 m 55 s)
Start Date: 2022:01:20 21:18:41
End Date: 2022:01:20 22:32:36

But it didn't find anything.

One of the things the victim mentioned was camera activity, so I googled and sure enough you can get a hacking kit (free?). Runs the camera, runs down the battery, makes noises. https://minspy.com/phone-hack/how-to-hack-someones-phone-camera/ Creep.

Review at https://thinkcomputers.org/the-best-free-spy-app-for-android-minspy-review/ The one ray of sunshine is that the hacker has to get his hands physically on the phone for at least 5 minutes. And probably a factory reset will wipe it out. So if you're really worried have a few phones and switch the sim around and factory reset them like every day.
 

ab1jx

OK, I've uploaded and scanned 5 GB of stuff without finding much of significance. This article https://spyic.com/phone-hack/hacking-apps-for-android/ shows how common and easy phone hacking is. This one talks a little about prevention and cleanup: https://www.kaspersky.com/resource-center/threats/how-to-stop-phone-hacking

But these aren't viruses, so malware detection might work. But looking at processes running might work better, which you can do with Termux and top, even without rooting. ps ax on this phone shows nothing, which is suspicious. Top looks normal unless it's not showing system tasks and the bad guys are hiding there. But there are 390 or so tasks running; I'm working at parsing that output and loading it into a database.
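One way to do the parse-and-diff this post and the earlier SQLite plan describe, added here as an example and not code from the thread: it parses the column layout of the top output quoted above into records, sets kernel threads aside, and buckets the rest against a name list taken from a second phone. The handful of sample top rows, the BASELINE set and the ROOT_HELPERS names are constructed for the demo from entries that appear in the thread; the real inputs would be top captures from both phones.

```python
import re
from dataclasses import dataclass

# Row layout of the Android 5 `top` table quoted earlier in the thread:
#   PID PR CPU% S #THR VSS RSS PCY UID Name
# PCY (fg/bg/unk) is blank for many kernel threads, so it is optional here.
TOP_ROW = re.compile(
    r"^\s*(?P<pid>\d+)\s+\d+\s+(?P<cpu>\d+)%\s+(?P<state>\S)\s+(?P<thr>\d+)\s+"
    r"(?P<vss>\d+)K\s+(?P<rss>\d+)K\s+(?:(?P<pcy>fg|bg|unk)\s+)?"
    r"(?P<uid>\S+)\s+(?P<name>\S.*?)\s*$"
)
# Root helpers a rooted phone legitimately runs (SuperSU daemon, su, the shell
# su spawns): listed for review, not a finding by themselves. Names from the thread.
ROOT_HELPERS = {"daemonsu", "su", "/system/xbin/su", "tmp-mksh"}

@dataclass(frozen=True)
class Proc:
    pid: int
    cpu: int
    state: str
    threads: int
    vss_kb: int
    rss_kb: int
    policy: str  # "fg", "bg", "unk", or "" when top printed nothing
    uid: str
    name: str

    @property
    def is_kernel_thread(self) -> bool:
        # Kernel threads have no user address space: top shows 0K VSS and RSS.
        return self.vss_kb == 0 and self.rss_kb == 0 and self.uid == "root"

    @property
    def base_name(self) -> str:
        # Drop ":engine" / ":10101:20551" style suffixes so variants group together.
        return self.name.split(":")[0]

def parse_top(text: str) -> list[Proc]:
    """Parse every table row; header and CPU summary lines are skipped. An empty
    result is an error: a process lister that shows nothing (like the ps ax in
    this thread) must not be mistaken for a phone with nothing running."""
    procs = []
    for line in text.splitlines():
        m = TOP_ROW.match(line)
        if m:
            procs.append(Proc(
                pid=int(m["pid"]), cpu=int(m["cpu"]), state=m["state"],
                threads=int(m["thr"]), vss_kb=int(m["vss"]), rss_kb=int(m["rss"]),
                policy=m["pcy"] or "", uid=m["uid"], name=m["name"]))
    if not procs:
        raise ValueError("no process rows parsed: empty output or unexpected format")
    return procs

def triage(procs: list[Proc], baseline: set[str]) -> dict[str, list[Proc]]:
    """Bucket user-space processes for review. This is the 'what is unique to this
    phone and what runs as root' list the thread wants, not a malware verdict:
    each entry still has to be identified (package lookup, hash of the binary)."""
    out: dict[str, list[Proc]] = {"new_vs_baseline": [], "root_from_data": [], "root_helper": []}
    for p in procs:
        if p.is_kernel_thread:
            continue  # kernel threads are better diffed by name on their own
        if p.base_name not in baseline:
            out["new_vs_baseline"].append(p)
        # A root process whose executable lives under an app's private data dir
        # is what a root helper, and a trojan on a rooted phone, looks like.
        if p.uid == "root" and p.name.startswith("/data/"):
            out["root_from_data"].append(p)
        if p.base_name in ROOT_HELPERS:
            out["root_helper"].append(p)
    return out

# Constructed sample in the layout of the thread's top output (not the full dump).
SAMPLE_TOP = """\
User 1%, System 1%, IOW 0%, IRQ 0%
  PID PR CPU% S  #THR     VSS     RSS PCY UID      Name
22276  1   1% R     1   2492K   1040K unk root     top
   81  0   0% S     1      0K      0K unk root     kswapd0
22236  0   0% S     1      0K      0K     root     kworker/u8:7
 1799  0   0% S    40 724580K  29968K  fg radio    com.android.phone
 5054  2   0% S    54 707472K  20284K  fg u0_a108  eu.easytether.pro:engine
20554  0   0% S     1   6216K    388K unk root     daemonsu:10101:20551
31538  0   0% S     1   1052K    308K  fg u0_a101  /system/xbin/su
32376  0   0% S     1   1000K    220K unk root     /data/data/com.estrongs.android.pop/files/libestool2.so
19179  1   0% S    13 665164K  25664K  bg u0_a154  com.bb.microcpu
"""
# Constructed baseline: process names from a similar, never-rooted phone.
BASELINE = {"top", "com.android.phone", "com.android.systemui", "system_server",
            "/system/bin/surfaceflinger", "zygote", "com.termux"}

def report(top_text: str = SAMPLE_TOP, baseline: set[str] = BASELINE) -> list[str]:
    """One line per flagged process, grouped by bucket."""
    lines = []
    for bucket, procs in triage(parse_top(top_text), baseline).items():
        lines.append(f"== {bucket} ({len(procs)})")
        lines.extend(f"  pid {p.pid:>5} uid {p.uid:<8} {p.name}" for p in procs)
    return lines

if __name__ == "__main__":
    print("\n".join(report()))
```

Under Termux, a single-iteration capture (top -n 1 > top.txt) on each phone gives the input; the Proc records map straight onto an SQLite table if you want the database version.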
 

ab1jx

Well, I did a factory reset after all. The phone stayed rooted, the bootloader stayed unlocked, I just had to put easytether and adaway back in. Oh, and reinstall the Linux end of easytether for some reason. Up and running now, seems stable. The thing I'd miss most was being able to access my other computers by name over wifi while online. The ads are disgusting.
 
Solution

ab1jx

I was able to do ps ax using an old Termux version and see processes running just fine after I reset it. It does seem a little slow and I get about 1 new spam a day, which may be trying to get me to click on the link and infect the phone.

All the phone's secrets should be laid bare here and malware should be apparent if I knew what to look for.

Code:
PID TTY STAT TIME COMMAND
1 ? S 0:01 /init
2 ? S 0:00 [kthreadd]
3 ? S 0:00 [ksoftirqd/0]
5 ? S< 0:00 [kworker/0:0H]
6 ? D 0:00 [kworker/u8:0]
7 ? S 0:00 [migration/0]
8 ? S 0:00 [rcu_preempt]
9 ? S 0:00 [rcu_bh]
10 ? S 0:00 [rcu_sched]
11 ? S 0:00 [migration/1]
12 ? S 0:00 [ksoftirqd/1]
14 ? S< 0:00 [kworker/1:0H]
15 ? S 0:00 [migration/2]
16 ? S 0:00 [ksoftirqd/2]
18 ? S< 0:00 [kworker/2:0H]
19 ? S 0:00 [migration/3]
20 ? S 0:00 [ksoftirqd/3]
21 ? S< 0:00 [kworker/3:0]
22 ? S< 0:00 [kworker/3:0H]
23 ? S< 0:00 [khelper]
24 ? S< 0:00 [netns]
25 ? S< 0:00 [kworker/1:1]
26 ? S< 0:00 [kworker/3:1]
28 ? S< 0:01 [kworker/0:1]
29 ? S< 0:00 [kworker/0:1H]
30 ? S< 0:00 [smd_channel_clo]
31 ? S< 0:00 [smsm_cb_wq]
32 ? S 0:00 [kworker/u8:1]
33 ? D< 0:00 [kworker/u9:0]
34 ? S< 0:00 [rpm-smd]
35 ? S< 0:00 [kworker/u9:1]
36 ? S 0:00 [irq/47-cpr]
37 ? S< 0:00 [deferwq]
38 ? S< 0:00 [mpm]
40 ? S 0:00 [kworker/u8:3]
49 ? S< 0:00 [writeback]
50 ? S< 0:00 [bioset]
51 ? S< 0:00 [crypto]
52 ? S< 0:00 [kblockd]
53 ? S 0:00 [khubd]
54 ? S 0:00 [system]
55 ? S 0:00 [irq/75-msm_iomm]
56 ? S 0:00 [irq/75-msm_iomm]
57 ? S 0:00 [irq/273-msm_iom]
58 ? S 0:00 [irq/274-msm_iom]
59 ? S 0:00 [irq/102-msm_iom]
60 ? S 0:00 [irq/102-msm_iom]
61 ? S 0:00 [irq/102-msm_iom]
62 ? S 0:00 [irq/102-msm_iom]
63 ? S 0:00 [irq/102-msm_iom]
64 ? S 0:00 [irq/102-msm_iom]
65 ? S 0:00 [irq/102-msm_iom]
66 ? S 0:00 [irq/102-msm_iom]
67 ? S 0:00 [irq/102-msm_iom]
68 ? S 0:00 [irq/102-msm_iom]
69 ? S 0:00 [irq/102-msm_iom]
70 ? S 0:00 [irq/102-msm_iom]
71 ? S 0:00 [irq/102-msm_iom]
72 ? S 0:00 [irq/102-msm_iom]
73 ? S 0:00 [irq/102-msm_iom]
74 ? S 0:00 [irq/102-msm_iom]
75 ? S 0:00 [irq/102-msm_iom]
76 ? S 0:00 [irq/102-msm_iom]
77 ? S 0:00 [irq/102-msm_iom]
78 ? S 0:00 [irq/102-msm_iom]
79 ? S< 0:00 [devfreq_wq]
80 ? S< 0:00 [cfg80211]
81 ? S 0:26 [kswapd0]
82 ? S 0:00 [fsnotify_mark]
101 ? D 0:00 [mdss_dsi_event]
102 ? S< 0:00 [apr_driver]
103 ? S< 0:00 [pil_vote_wq]
104 ? S< 0:00 [mem_share_svc]
105 ? S< 0:00 [qmi_hndl0000000]
106 ? S< 0:00 [msm_ipc_router]
107 ? S 0:01 [hwrng]
108 ? S< 0:00 [diag_real_time_]
109 ? S< 0:00 [diag_modem_data]
110 ? S< 0:00 [diag_lpass_data]
111 ? S< 0:00 [diag_wcnss_data]
112 ? S< 0:00 [diag_wq]
113 ? S< 0:00 [diag_usb_wq]
114 ? S< 0:00 [diag_cntl_wq]
115 ? S< 0:00 [diag_dci_wq]
116 ? S< 0:00 [kgsl-3d0]
117 ? S< 0:00 [kgsl-events]
118 ? S< 0:00 [governor_msm_ad]
119 ? S< 0:00 [kgsl_devfreq_wq]
120 ? S< 0:00 [proximity_als]
121 ? S 0:00 [spi0]
124 ? S< 0:00 [stml0xx_wq]
125 ? S< 0:00 [usbnet]
126 ? S< 0:00 [sharedmem_qmi_w]
127 ? S< 0:00 [qmi_hndl0000000]
128 ? S< 0:00 [k_gserial]
129 ? S< 0:00 [rmi_det_workque]
132 ? S< 0:00 [msm_cpp_workque]
133 ? S 0:00 [irq/322-max170x]
134 ? S 0:02 [cfinteractive]
135 ? S 0:00 [irq/170-7824900]
136 ? S 0:00 [irq/253-7864900]
137 ? S 0:00 [irq/288-7864900]
158 ? S< 0:00 [binder]
159 ? S< 0:00 [usb_bam_wq]
160 ? S< 0:00 [krfcommd]
161 ? S 0:00 [irq/461-wcnss]
162 ? S 0:00 [irq/429-modem]
163 ? S< 0:00 [msm_vidc_worker]
164 ? S< 0:00 [pm_workerq_venu]
167 ? S 0:00 [irq/321-fan5404]
168 ? S 0:00 [kcompact]
169 ? S< 0:00 [rq_stats]
170 ? S< 0:00 [bam_dmux_rx]
171 ? S< 0:00 [bam_dmux_tx]
172 ? S 0:00 [kworker/u8:4]
173 ? S< 0:00 [k_bam_data]
174 ? S< 0:00 [f_mtp]
175 ? S 0:00 [file-storage]
176 ? S 0:00 [msm_thermal:hot]
177 ? S 0:00 [msm_thermal:fre]
178 ? S 0:00 [msm_thermal:the]
179 ? S 0:46 [mmcqd/0]
180 ? S 0:00 [mmcqd/0rpmb]
181 ? S 0:01 [mmcqd/1]
184 ? S 0:00 [jbd2/mmcblk0p42]
185 ? S< 0:00 [ext4-dio-unwrit]
187 ? S 0:00 [f2fs_gc-259:12]
191 ? S 0:00 [jbd2/mmcblk0p43]
192 ? S< 0:00 [ext4-dio-unwrit]
193 ? S 0:00 [jbd2/mmcblk0p31]
194 ? S< 0:00 [ext4-dio-unwrit]
195 ? S 0:00 [jbd2/mmcblk0p1-]
196 ? S< 0:00 [ext4-dio-unwrit]
197 ? S< 0:00 [ext4-dio-unwrit]
199 ? S< 0:00 [kworker/1:1H]
224 ? S< 0:00 [IPCRTR]
226 ? S< 0:00 [modem_IPCRTR]
231 ? S 0:00 /sbin/healthd
232 ? S 0:01 /system/bin/lmkd
233 ? S 0:01 /system/bin/servicemanager
234 ? Sl 0:00 /system/bin/vold
235 ? S<l 0:17 /system/bin/surfaceflinger
237 ? Sl 0:00 /system/bin/rfs_access
239 ? S 0:00 /system/bin/qseecomd
240 ? S< 0:00 [kworker/3:1H]
246 ? Sl 0:00 /system/bin/rmt_storage
247 ? S< 0:00 [kworker/2:1H]
269 ? S 0:00 [kauditd]
290 ? Sl 0:00 /system/bin/qseecomd
297 ? S 0:00 /system/bin/debuggerd
299 ? Sl 0:00 /system/bin/rild
300 ? Sl 0:00 /system/bin/drmserver
302 ? S 0:00 /system/bin/installd
304 ? S 0:00 /system/bin/keystore /data/misc/keystore
308 ? S<l 0:00 /system/bin/thermal-engine
309 ? S 0:00 /system/bin/wcnss_service
317 ? S 0:00 /system/bin/loc_launcher
319 ? Sl 0:00 /system/bin/ATFWD-daemon
320 ? Sl 0:00 /system/bin/mm-qcamera-daemon
321 ? Sl 0:00 /system/bin/time_daemon
322 ? S<l 0:00 /system/bin/audiod
330 ? S 0:00 /system/bin/dropboxd
339 ? Sl 0:00 /system/bin/mm-pp-daemon
341 ? S 0:00 /system/bin/esdpll -w
342 ? Sl 0:00 /system/bin/tcmd
348 ? Sl 0:00 /sbin/adbd --root_seclabel=u:r:su:s0
354 ? Sl 0:00 /system/bin/qmuxd
389 ? Sl 0:00 /system/bin/netmgrd
423 ? Sl 0:00 /system/bin/qmi_motext_hook 6 10 18 0
480 ? D 0:01 [mdss_fb0]
512 ? S< 0:00 [IPCRTR]
627 ? S 0:00 [irq/320-synapti]
706 ? S 0:00 daemonsu:mount:master
793 ? Sl 0:00 daemonsu:master .....
820 ? S< 0:00 [kworker/2:2]
821 ? S 0:00 /sbin/ueventd
824 ? Sl 0:03 /system/bin/netd
825 ? Sl 0:06 /system/bin/mediaserver
826 ? S 0:00 /system/bin/subsystem_ramdump 1 0
827 ? Sl 0:09 zygote
1112 ? S<l 1:16 system_server
1296 ? S< 0:00 [kworker/0:4]
1313 ? S< 0:00 [kworker/1:2]
1418 ? Sl 0:09 com.android.systemui
1424 ? Sl 0:00 com.motorola.process.slpc
1468 ? Sl 0:00 com.motorola.slpc
1551 ? Sl 0:00 com.motorola.motodisplay
1579 ? Sl 0:04 com.google.android.googlequicksearchbox:interactor
1603 ? Sl 0:09 com.google.android.inputmethod.latin
1672 ? Sl 0:02 com.motorola.process.system
1689 ? Sl 0:00 com.android.server.telecom
1709 ? Sl 0:00 com.motorola.modemservice
1727 ? Sl 0:03 com.android.phone
1745 ? Sl 0:10 com.google.android.googlequicksearchbox
1850 ? Sl 0:42 com.google.android.gms.persistent
2297 ? Sl 0:16 com.google.android.googlequicksearchbox:search
2415 ? S 0:00 [kworker/u8:5]
2449 ? S< 0:00 [wcnss_IPCRTR]
3035 ? SLl 0:09 org.mozilla.firefox
3150 ? Sl 0:00 org.mozilla.firefox:tab15
3730 ? S 0:00 [kworker/u8:6]
3731 ? S 0:00 [kworker/u8:7]
3732 ? S 0:00 [kworker/u8:8]
4020 ? Sl 0:00 com.motorola.setup
4037 ? Sl 0:02 com.motorola.ccc
4078 ? Sl 0:26 com.google.android.gms
4538 ? S 0:00 daemonsu:10098 .....
4740 ? Sl 0:13 android.process.media
4921 ? Sl 0:01 com.motorola.motocare
5058 ? Sl 0:00 com.qualcomm.telephony
5098 ? Sl 0:00 com.qualcomm.qcrilmsgtunnel
5430 ? S 0:00 [kworker/u8:9]
5431 ? S 0:00 [kworker/u8:10]
5432 ? S 0:00 [kworker/u8:11]
5433 ? Sl 0:30 com.google.android.apps.nbu.files
5660 ? Sl 0:06 com.google.android.gms.unstable
6486 ? Sl 0:00 com.motorola.MotGallery2
6510 ? Sl 0:00 com.motorola.camera
6650 ? Sl 0:00 eu.easytether.pro:engine
6845 ? Sl 0:05 com.google.android.youtube
8321 ? Sl 0:00 com.android.defcontainer
9100 ? Sl 0:13 com.android.vending
9266 ? S< 0:00 [kworker/2:0]
9270 ? S 0:00 [kworker/u8:12]
9302 ? S< 0:00 [kworker/3:2]
9311 ? Sl 0:00 com.google.process.gapps
9430 ? Sl 0:09 com.termux
9493 pts/0 Ss 0:00 /data/data/com.termux/files/usr/bin/bash -l
9533 ? S 0:00 [kworker/0:0]
9542 ? S<l 0:03 com.android.chrome
9612 ? S 0:00 [kworker/0:2]
9645 ? S< 0:00 [kworker/1:0]
9649 ? S 0:00 [kworker/2:1]
9654 pts/0 R+ 0:00 ps ax
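The listing above, and the earlier post about parsing top output into a database, both come down to one triage step: sort each command into kernel threads, stock system daemons, app packages, and everything else, then compare the result against a known-good listing (for instance one taken right after the factory reset). The script below is an added example, not code from the thread; the sample lines are constructed in the shape of the `ps ax` output, and the buckets and the `triage` function are the editor's own, not any Android or Termux API.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the `ps ax` listing (not the full dump).
SAMPLE_PS = """\
PID TTY STAT TIME COMMAND
1 ? S 0:01 /init
2 ? S 0:00 [kthreadd]
348 ? Sl 0:00 /sbin/adbd --root_seclabel=u:r:su:s0
706 ? S 0:00 daemonsu:mount:master
1727 ? Sl 0:03 com.android.phone
6650 ? Sl 0:00 eu.easytether.pro:engine
9493 pts/0 Ss 0:00 /data/data/com.termux/files/usr/bin/bash -l
9654 pts/0 R+ 0:00 ps ax
"""

# PID, TTY, STAT, TIME, then the rest of the line is the command and its args.
LINE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\d+:\d+(?::\d+)?)\s+(.*)$")
# Android app processes are named after their package, optionally with a :suffix.
APP_RE = re.compile(r"[a-z]\w*(\.\w+)+(:\w+)?")

def parse_ps(text):
    """Return [(pid, tty, stat, command)] from `ps ax` style output; header is skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3), m.group(5).strip()))
    return rows

def classify(command):
    """Coarse bucket for review (hypothetical categories chosen for this triage)."""
    exe = command.split()[0]
    if exe.startswith("[") and exe.endswith("]"):
        return "kernel"      # kernel thread: no user-space binary behind it
    if exe.startswith(("/init", "/sbin/", "/system/bin/")) or exe in ("zygote", "system_server"):
        return "system"      # stock init, vendor daemons and the Android runtime
    if APP_RE.fullmatch(exe):
        return "app"         # app process: check the package is one you installed
    return "other"           # shells, root daemons, anything under /data: look here first

def triage(text, baseline=None):
    """Group commands by bucket; with a baseline listing, also list app/other commands absent from it."""
    groups = defaultdict(set)
    for _, _, _, cmd in parse_ps(text):
        groups[classify(cmd)].add(cmd)
    known = {cmd for _, _, _, cmd in parse_ps(baseline)} if baseline else None
    new = sorted(c for b in ("app", "other") for c in groups[b]
                 if known is not None and c not in known)
    return {"groups": {k: sorted(v) for k, v in groups.items()}, "new": new}
```

Feed it the real listing (or the saved top/ps output) as `text`, and the post-reset listing as `baseline`; the "other" bucket and the "new" list are the rows worth explaining one by one.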