Need help in busting a hacker/spyware

Aryan5555

Member
Aug 10, 2022
6
0
Someone has installed a spyware named "mobile tracker free" on my sister's phone. Apparently, the app requires the hacker to sign in using their email account and the email id is stored locally too.
I have discovered the spyware app and opened it. The email id is normally visible on the app dashboard itself but it is prompting me to update the app. Now the problem is, to update the app you have to uninstall the previous version and then reinstall the new one. I am afraid this will remove all the data related to the hacker.

How should I go about it? Should I back up all the data and then try to find the email id in the backup? Or is there a way to disable the prompt so that I can normally see the details?

I desperately need help. Thanks in advance. 🙏
 

Renate

Recognized Contributor / Inactive Recognized Dev
Feb 3, 2012
3,617
1,603
Boston
www.temblast.com
Nexus 7 (2013)
Moto E5
If you do an install with:
Code:
adb install -r whatever.apk
It shouldn't delete any data. But you can never know.

If this device is rooted just go to /data/data/mobiletrackerfree and save all the data on your desktop.
If this is a stupid app all the details would be visible in an XML file, probably in shared_prefs
Code:
# cat /data/data/mobiletrackerfree/shared_prefs/*
* mobiletrackerfree = use actual package name
 

Aryan5555

They install the actual app through a shell app and they have also changed their package name from m.secu.children, as per this teardown, to mobile.moniter.child2022, so they are asking to uninstall the old version, I guess. How do I ensure that the data is not lost?

Also, I tried sniffing their packets in the hopes of getting the email id but apparently they are blocking it somehow.

The device is not rooted.
 

Aryan5555

You are right, they have stored all the data on a file called user.xml in shared_prefs. I installed the app on an emulator and found out. But the actual device is not rooted, how do I do it on that one?
Image link: https://photos.app.goo.gl/rhta7zsHGrqhLQXbA
 

Renate

Well, did you cat user.xml? Does it have the bogus email you typed in or is it encrypted/hashed?

If they are changing the package name, they will just ask you to re-enter the drop email address.

You need to root this.

I agree though, this is a personal friend of hers who has access to the device.
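
Added example (not part of the thread or any poster's code): the check asked about above, whether a copy of user.xml taken from the emulator holds the typed-in test address in plain text or as base64 or an unsalted hash. The file contents, the key names and the test address are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MARKER = "tester@example.com"  # constructed test address typed into the emulator copy

# Constructed stand-in for shared_prefs/user.xml; the key names are hypothetical.
SAMPLE_USER_XML = f"""<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="account">Tester@Example.com</string>
    <string name="device_tag">{hashlib.md5(MARKER.encode()).hexdigest()}</string>
    <boolean name="logged_in" value="true" />
    <set name="history"><string>none</string></set>
</map>
"""


def candidate_forms(marker: str) -> dict:
    """Plain, base64 and common unsalted-hash renderings of the marker."""
    raw = marker.lower().encode("utf-8")
    forms = {"plaintext": marker.lower(), "base64": base64.b64encode(raw).decode()}
    for algo in ("md5", "sha1", "sha256"):
        forms[algo] = hashlib.new(algo, raw).hexdigest()
    return forms


def locate_marker(xml_text: str, marker: str) -> list:
    """Return (pref key, form) for each preference value that contains the marker."""
    if "<!DOCTYPE" in xml_text:
        # SharedPreferences files carry no DTD; refuse one rather than expand entities.
        raise ValueError("unexpected DOCTYPE in preferences file")
    forms = candidate_forms(marker)
    hits = []
    for pref in ET.fromstring(xml_text):  # direct children of <map>
        # <string> holds its value as text, <int>/<boolean> in value="", <set> in children.
        values = [pref.text or "", pref.get("value") or ""]
        values += [child.text or "" for child in pref]
        for label, needle in forms.items():
            for value in values:
                haystack = value if label == "base64" else value.lower()
                if needle in haystack:
                    hits.append((pref.get("name"), label))
                    break
    return hits


if __name__ == "__main__":
    print(locate_marker(SAMPLE_USER_XML, MARKER))
```

An empty result means the address is absent or stored in some form this check does not cover, such as a salted hash or real encryption.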
 

Aryan5555

Agreed, only someone with physical access to her phone can do this.

No, user.xml is stored unencrypted.

Now the good thing is she is still on Android 11, hope I can access the data folder somehow.

If not, how do I root it without losing the data?
 

Aryan5555

It's a OnePlus Nord running Android 11.

The scammer apparently got to know that we had discovered the app, and logged it out remotely. So no more email address in plaintext.

However, I am in contact with the Spyware Devs and they are cooperating.

They are using Cloudflare and Zendesk, so not very tough to track them down. I am going to report them to the concerned authorities in my country irrespective of whether they give me a name or not.
 

Oswald Boelcke

Senior Moderator / Moderator Committee
Staff member
Hello and good afternoon, @Aryan5555

Welcome to XDA. I hope you'll always find and get the support you require.

However, prior to your next posting please read the guidances that are stuck on top of every forum like
and the others. I've moved the thread to Android Q&A.

Thanks for your cooperation!
Regards
Oswald Boelcke
Senior Moderator