
Question: Fraudulent credit card transactions after installing ported TWRP and xiaomi.eu ROM. Malware in the TWRP bootloader?

Hello everyone,
I would like to share something with you.
I got a Mi 11X and unlocked the bootloader officially. The phone uses an A/B partition system, making installation of the bootloader and a custom ROM a little difficult.
I used RUN_TWRP_Toolkit downloaded from here.

I downloaded the xiaomi.eu ROM from the official site and installed it.
Everything was going well until I received a couple of messages from my bank on 15/10/21 about my credit card being used for 4 transactions over a period of 4 minutes.
(attached screenshots: IMG_20211015_011740.jpg, IMG_20211015_011801.jpg)

I blocked my card and spoke with the bank. Apparently the transactions WERE authorized using the OTP received on my phone. They were for the exact same amount and occurred within a span of a few minutes, as is evident from this email I received from Axis Bank.

(attached screenshot of the Axis Bank email: 1634289142597.png)

I fail to understand how this happened. No one has my credit card details or access to my phone. My phone is NOT rooted, and no apps were installed from malicious sources. Only 5 apps have the read SMS permission, and all were installed from the Play Store: Amazon, Flipkart, GPay, Swiggy, WhatsApp.

I was wondering if someone could shed some light on this issue. I also doubt whether the TWRP I installed has something to do with this, and whether it's possible that it has some malicious code in it. Could anyone scan the file?

Any help would be greatly appreciated.
Thank you
 

Attachment: twrp.img (128 MB)

Maxx9 (Member, Xiaomi Mi 11i)
I think this is an unofficial/fake TWRP toolkit problem; the xiaomi.eu ROM is not the problem. You shouldn't use an unofficial port or an unofficial TWRP port.
Yes, an unofficial TWRP toolkit can be a problem, because I used the xiaomi.eu ROM and it's working fine without any issues. An unofficial port or unofficial TWRP might contain some sort of virus or malware; that's possible. Always download files from the official source, developer or site.
 
(original poster)
There is no official TWRP for the Poco F3/Redmi K40/Mi 11X.
 

soneji (Senior Member)
I compared the TWRP.IMG with the one available and there is no difference.

fc /b twrp.img "TWRP-3.5.2-alioth-Nebrassy.img"
Comparing files twrp.img and TWRP-3.5.2-ALIOTH-NEBRASSY.IMG
FC: no differences encountered

So it has to be some other malware which has taken over your phone.
 
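soneji's `fc /b` run only shows that the attached twrp.img matches one other copy of the same build; it says nothing about the rest of the toolkit zip the OP says it came in, and a byte compare needs a trusted second copy on hand. The script below is an added example, not code from the thread or from any TWRP project: it does the same byte-for-byte compare, adds a SHA-256 that can be checked against a hash a developer publishes, and hashes every member of a toolkit zip so the scripts and APKs bundled beside the image get the same scrutiny. All files are constructed in a temp directory for the demo; the file names and the list of "flagged" extensions are assumptions.

```python
"""Check a downloaded recovery image and inventory the toolkit zip it came in.

Added example, not code from the thread. It does what `fc /b` does (byte-for-byte
compare), adds a SHA-256 that can be checked against a hash the developer
publishes, and hashes every member of the toolkit zip, since the toolkit in
the thread shipped as a zip with many files besides twrp.img. All sample
files below are constructed in a temp directory; file names are assumptions.
"""
import hashlib
import os
import tempfile
import zipfile

# Extensions that can run code on the PC (toolkit scripts) or phone (APKs).
# Assumption: a reviewer wants these flagged for a closer look.
SUSPECT_EXT = {".apk", ".bat", ".cmd", ".exe", ".ps1", ".sh", ".vbs", ".dll"}


def sha256_file(path, chunk=1 << 20):
    """SHA-256 of a file, read in chunks so a 128 MB image is not loaded at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def files_identical(a, b, chunk=1 << 20):
    """Byte-for-byte compare (what `fc /b` or `cmp` does).

    Returns (True, None) when identical, else (False, offset_of_first_difference).
    """
    size_a, size_b = os.path.getsize(a), os.path.getsize(b)
    if size_a != size_b:
        return False, min(size_a, size_b)  # the shorter file ends here
    offset = 0
    with open(a, "rb") as fa, open(b, "rb") as fb:
        while True:
            block_a, block_b = fa.read(chunk), fb.read(chunk)
            if block_a != block_b:  # equal sizes, so some byte must differ
                for i, (x, y) in enumerate(zip(block_a, block_b)):
                    if x != y:
                        return False, offset + i
            if not block_a:
                return True, None
            offset += len(block_a)


def inventory_zip(path):
    """Map each zip member to (size, sha256, flagged) without extracting to disk."""
    out = {}
    with zipfile.ZipFile(path) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            digest = hashlib.sha256(z.read(info)).hexdigest()
            ext = os.path.splitext(info.filename)[1].lower()
            out[info.filename] = (info.file_size, digest, ext in SUSPECT_EXT)
    return out


def build_demo(tmpdir):
    """Constructed sample data: a reference image, a copy with one byte flipped,
    and a toolkit zip holding the image plus a script and an APK."""
    good = os.path.join(tmpdir, "TWRP-3.5.2-alioth-Nebrassy.img")
    with open(good, "wb") as f:
        f.write(b"ANDROID!" + bytes(range(256)) * 8)  # stand-in for a real image
    tampered = os.path.join(tmpdir, "twrp.img")
    with open(good, "rb") as f:
        data = bytearray(f.read())
    data[1000] ^= 0xFF  # single-byte change that a hash or compare must catch
    with open(tampered, "wb") as f:
        f.write(data)
    zpath = os.path.join(tmpdir, "RUN_TWRP_Toolkit.zip")
    with zipfile.ZipFile(zpath, "w") as z:
        z.write(good, "twrp.img")
        z.writestr("run.bat", "fastboot flash boot twrp.img\r\n")
        z.writestr("extras/helper.apk", b"PK\x03\x04 constructed fake apk")
    return good, tampered, zpath


def demo_results():
    """Run every check over the constructed sample and return the findings."""
    with tempfile.TemporaryDirectory() as d:
        good, tampered, zpath = build_demo(d)
        inv = inventory_zip(zpath)
        return {
            "same": files_identical(good, good),
            "tampered": files_identical(good, tampered),
            "zip_img_matches_reference": inv["twrp.img"][1] == sha256_file(good),
            "flagged": sorted(name for name, v in inv.items() if v[2]),
            "inventory": inv,
        }


if __name__ == "__main__":
    r = demo_results()
    print("identical copies:", r["same"])
    print("tampered copy:   ", r["tampered"])
    for name, (size, digest, flagged) in r["inventory"].items():
        print(f"{'!' if flagged else ' '} {size:>8}  {digest[:16]}...  {name}")
```

On a real download, point `sha256_file` at the extracted twrp.img and compare the digest with the one the developer posted alongside the build; a matching image still leaves every flagged member of the zip (batch files, APKs, DLLs) to be inspected separately, because those are what a toolkit runs on the PC and pushes to the phone.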

blackhawk (Senior Member)
The fewer people who use a ROM or an APK, the fewer eyes there are on it and the less feedback.
Most rootkits are installed by the user...
 

blackhawk (Senior Member)
The virus scan did find some trojans with severe risk. I scanned with Defender + offline scan + Malwarebytes. The threats could be removed, and subsequent scans didn't find anything else. I don't think there's any threat anymore.
The worst ones are the ones you can't detect, because there's no definition or they can evade detection. Once a hacker gains access they can download other, nastier payloads. Worse, if they get into the database they can implant malicious scripts.
It's one thing to find a trojan preloader that's still dormant as opposed to one that's active. The former can be safely removed, neutralizing it. The latter, maybe, maybe not.

If I find or suspect an active virus or rootkit, it's reload time, that day. I isolate that device and its database from my backups until proven clean. The worst damage it can do is breach the backup databases. Not acceptable... so I nuke the load with extreme prejudice to confine the damage. Malicious scripted JPEGs that damage the folder they're in can be cleaned up once you delete the JPEG(s). I never had any antivirus detect them... WYSIWYG. Had one on my Android about 2 years ago. Had one on XP Pro about 15 years ago.

Pie and above is pretty secure unless you download or install the malware. Windows not as much... I keep my PC offline.
Never underestimate a hacker's resourcefulness; overkill is best.
 

Top Liked Posts

Hi, I understood how it happened finally. No malware here. It was something in my laptop.

Always download from official websites; threads on XDA are scanned for any malicious links. Android is very safe unless you have a malicious app pushed into your system apps. Always check your app list for unnamed, weird-looking apps. As for Windows, it has never been and will never be safe; it's designed like that.

Theoretically a fake TWRP can install APKs, spyware, etc. I will look at this image; maybe I'll find something.

There is no official TWRP for the Poco F3/Redmi K40/Mi 11X.
No, but people use the TWRP img posted on this forum and flash it manually instead of using that toolkit you linked, which I've never seen before until now. I'm pretty sure the image/script included in that toolkit has been injected with malicious code.

I would strongly advise not to download anything outside the XDA forums. XDA has many good devs out here who have much experience in detecting threats such as this fraud.

Theoretically a fake TWRP can install APKs, spyware, etc. I will look at this image; maybe I'll find something.
Thank you very much. You can check the download link also. I just attached the .img file, but it came with many files inside a zip.
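The OP counted the apps holding the SMS permission by hand, and one reply above recommends checking the app list for unnamed, weird-looking apps. The script below is an added example, not code from the thread: it parses the `adb shell dumpsys package` dump, lists every package whose READ_SMS or RECEIVE_SMS permission is actually granted, and flags those that did not come from the Play Store installer or a system partition, which is the set an OTP-stealing app would have to be in. The sample dump and package names are constructed to show the shape of that output; the exact `dumpsys` format varies between Android versions, and treating only `com.android.vending` as a trusted installer is an assumption.

```python
"""List installed apps that can read or receive SMS, from `dumpsys package` output.

Added example, not code from the thread. OTP theft via the phone itself needs an
app that has been *granted* READ_SMS or RECEIVE_SMS, so the audit keys on the
"granted=true" lines rather than on the permissions an app merely requests.
SAMPLE_DUMPSYS is constructed; real output comes from `adb shell dumpsys package`
and its layout differs somewhat between Android versions.
"""
import re
import subprocess

# Assumption: only the Play Store installer counts as trusted for this audit.
TRUSTED_INSTALLERS = {"com.android.vending"}
SYSTEM_PATHS = ("/system/", "/product/", "/vendor/", "/system_ext/")

HEADER = re.compile(r"^\s*Package \[([^\]]+)\]")
INSTALLER = re.compile(r"installerPackageName=(\S+)")
GRANTED_SMS = re.compile(r"(android\.permission\.(?:READ_SMS|RECEIVE_SMS)): granted=true")

# Constructed sample: a shop app from the Play Store with READ_SMS granted,
# a sideloaded "flashlight" with both SMS permissions, and a harmless notes app.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.shop] (3f2a1b):
    userId=10231
    codePath=/data/app/~~Q1w2E3==/com.example.shop-r4T5==
    installerPackageName=com.android.vending
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_SMS
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
  Package [com.example.flashlight] (9c8d7e):
    userId=10244
    codePath=/data/app/~~Zz9y8X==/com.example.flashlight-A1b2==
    installerPackageName=null
    requested permissions:
      android.permission.RECEIVE_SMS
      android.permission.READ_SMS
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET ]
        android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
  Package [com.example.notes] (1a2b3c):
    userId=10250
    codePath=/data/app/~~Abc123==/com.example.notes-Def4==
    installerPackageName=com.android.vending
    requested permissions:
      android.permission.INTERNET
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.INTERNET: granted=true, flags=[ ]
"""


def parse_dumpsys(text):
    """Return {package: {"installer", "system", "sms"}} from a dumpsys package dump."""
    pkgs, cur = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = pkgs.setdefault(m.group(1), {"installer": None, "system": False, "sms": set()})
            continue
        if cur is None:
            continue
        if "codePath=" in line and any(p in line for p in SYSTEM_PATHS):
            cur["system"] = True
        m = INSTALLER.search(line)
        if m:
            cur["installer"] = None if m.group(1) == "null" else m.group(1)
        m = GRANTED_SMS.search(line)
        if m:
            cur["sms"].add(m.group(1))
    return pkgs


def sms_readers(pkgs):
    """(package, granted SMS perms, installer, suspicious) for every SMS-capable app.

    suspicious = not on a system partition and not installed by a trusted installer.
    """
    rows = []
    for name, info in pkgs.items():
        if not info["sms"]:
            continue
        suspicious = not info["system"] and info["installer"] not in TRUSTED_INSTALLERS
        rows.append((name, sorted(info["sms"]), info["installer"], suspicious))
    return sorted(rows)


def fetch_live():
    """Pull the real dump from a USB-connected phone (needs adb; not used by the demo)."""
    return subprocess.run(["adb", "shell", "dumpsys", "package"],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for name, perms, installer, suspicious in sms_readers(parse_dumpsys(SAMPLE_DUMPSYS)):
        print(f"{'!' if suspicious else ' '} {name:32} installer={installer} {', '.join(perms)}")
```

Run it against `fetch_live()` output on the device in question, with USB debugging on; any row marked `!` is an app that can read OTP messages and did not arrive through the Play Store, which is exactly the class of app the OP's hand count of five Play Store apps would not have surfaced.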