"vaultkeeperd" / "kgclient" wakelock when blocking *.secb2b.com


Starbase 12

Today I faced the problem that the CPU load was permanently higher than normal approximately 5 minutes after booting up. The device didn't get cold and consumed about 16% of the battery in one hour. A wakelock. With the help of "top" I found out that it has something to do with what's called "vaultkeeperd" and/or "com.samsung.android.kgclient". 🤔




While searching around a bit I found an interesting-looking folder called LOGS with some files in it: "/data/user/0/com.samsung.android.kgclient/files/LOGS/". 🤓

From there I was able to see the following:
2023-06-05 20:37:43 : 16956|17878 : [Alarm] created : PROCESS_CHECK period: 180000 network condition: true
2023-06-05 20:37:44 : 16956|17878 : @setRlcClientData() [-5]Error from VaultKeeper (write/ -106)
2023-06-05 20:37:44 : 16956|17878 : [Alarm] created : RETRY period: 300000 network condition: true
2023-06-05 20:37:44 : 16956|17878 : [Retry Cause] Cannot connect to Cert Server
2023-06-05 20:37:44 : 16956|16956 : updated list: add? true, [com.samsung.android.kgclient.action.STARTMESSAGETOCHECKLOCK]
2023-06-05 20:37:44 : 16956|17878 : updated list: add? false, []
2023-06-05 20:37:44 : 16956|17878 : onHandleIntent action : com.samsung.android.kgclient.action.STARTMESSAGETOCHECKLOCK
2023-06-05 20:37:44 : 16956|17878 : [Alarm] created : PROCESS_CHECK period: 180000 network condition: true
2023-06-05 20:37:44 : 16956|17878 : @setRlcClientData() [-5]Error from VaultKeeper (write/ -106)
2023-06-05 20:37:45 : 16956|17878 : [Alarm] created : RETRY period: 300000 network condition: true
2023-06-05 20:37:45 : 16956|17878 : [Retry Cause] Cannot connect to Cert Server
2023-06-05 20:37:45 : 16956|16956 : updated list: add? true, [com.samsung.android.kgclient.action.STARTMESSAGETOCHECKLOCK]
2023-06-05 20:37:45 : 16956|17878 : updated list: add? false, []
2023-06-05 20:37:45 : 16956|17878 : onHandleIntent action : com.samsung.android.kgclient.action.STARTMESSAGETOCHECKLOCK

My first idea was that "AFWall+" might have something to do with it. But in this case it was "AdAway". During the initial setup of AdAway, I obviously carelessly blocked some suspicious-looking URLs. Compared to NetGuard, you can't see which app requested which URL.

At hybrid-analysis.com I saw that, among other URLs, some with "*.secb2b.com" are being contacted. It seems to have something to do with Samsung's MDM solution. After whitelisting this URL the issue was gone. 🥳

I have never done anything with ADB and Android before. Maybe someday my post will help someone with a similar problem. I'm also happy about further tips and tricks to solve such wakelock issues faster.

Regards
Chris
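
One way to triage such logs faster, as an added example that is not part of the original post: a Python script that parses the kgclient log format quoted above and reports the retry cause, the VaultKeeper write errors, and whether the check intent re-fires much sooner than the declared RETRY period. The function name `analyze`, the sample subset and the one-tenth threshold are assumptions made for this example.

```python
import re
from datetime import datetime

# Sample input: a subset of the log lines quoted in the post
# (the "updated list" lines are left out to keep the sample short).
SAMPLE = """\
2023-06-05 20:37:43 : 16956|17878 : [Alarm] created : PROCESS_CHECK period: 180000 network condition: true
2023-06-05 20:37:44 : 16956|17878 : @setRlcClientData() [-5]Error from VaultKeeper (write/ -106)
2023-06-05 20:37:44 : 16956|17878 : [Alarm] created : RETRY period: 300000 network condition: true
2023-06-05 20:37:44 : 16956|17878 : [Retry Cause] Cannot connect to Cert Server
2023-06-05 20:37:44 : 16956|17878 : onHandleIntent action : com.samsung.android.kgclient.action.STARTMESSAGETOCHECKLOCK
2023-06-05 20:37:44 : 16956|17878 : [Alarm] created : PROCESS_CHECK period: 180000 network condition: true
2023-06-05 20:37:44 : 16956|17878 : @setRlcClientData() [-5]Error from VaultKeeper (write/ -106)
2023-06-05 20:37:45 : 16956|17878 : [Alarm] created : RETRY period: 300000 network condition: true
2023-06-05 20:37:45 : 16956|17878 : [Retry Cause] Cannot connect to Cert Server
2023-06-05 20:37:45 : 16956|17878 : onHandleIntent action : com.samsung.android.kgclient.action.STARTMESSAGETOCHECKLOCK
"""

# Record layout seen in the log: "<timestamp> : <pid>|<tid> : <message>"
LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) : (\d+)\|(\d+) : (.*)$")
ALARM = re.compile(r"\[Alarm\] created : (\w+) period: (\d+)")
CAUSE = re.compile(r"\[Retry Cause\] (.+)")
INTENT = re.compile(r"onHandleIntent action : (\S+)")

def analyze(text):
    """Summarise retry behaviour in a kgclient log excerpt."""
    retry_ms, causes, vk_errors, intents = None, {}, 0, []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip anything that is not a log record
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        msg = m.group(4)
        if (a := ALARM.search(msg)) and a.group(1) == "RETRY":
            retry_ms = int(a.group(2))  # declared retry period in ms
        elif c := CAUSE.search(msg):
            causes[c.group(1)] = causes.get(c.group(1), 0) + 1
        elif "Error from VaultKeeper" in msg:
            vk_errors += 1
        elif INTENT.search(msg):
            intents.append(ts)
    gaps = [(b - a).total_seconds() * 1000 for a, b in zip(intents, intents[1:])]
    # Assumed heuristic: an intent gap under 1/10 of the RETRY period is a tight loop.
    tight = retry_ms is not None and any(g < retry_ms / 10 for g in gaps)
    return {"retry_period_ms": retry_ms, "causes": causes,
            "vaultkeeper_errors": vk_errors, "intent_gaps_ms": gaps, "tight_loop": tight}

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

On the sample it reports a declared RETRY period of 300000 ms while the check intent is handled again after 1000 ms, which is the pattern to look for when a blocked host keeps a service busy.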
 

Starbase 12

If you're using AFWall+ or another firewall solution, please also ensure that you allow network access to "Device Services" (ID: 10079) ;).