Subreddit dedicated to the news and discussions about the creation and use of technology and its surrounding issues.
Android malware
Android news, reviews, tips, and discussions about rooting, tutorials, and apps. General discussion about devices is welcome. Please direct technical support, upgrade questions, buy/sell, app recommendations, and carrier-related issues to other subreddits.
Android news, reviews, tips, and discussions about rooting, tutorials, and apps. General discussion about devices is welcome. Please direct technical support, upgrade questions, buy/sell, app recommendations, and carrier-related issues to other subreddits.
Subreddit dedicated to the news and discussions about the creation and use of technology and its surrounding issues.
Android news, reviews, tips, and discussions about rooting, tutorials, and apps. General discussion about devices is welcome. Please direct technical support, upgrade questions, buy/sell, app recommendations, and carrier-related issues to other subreddits.
A place for major news from around the world, excluding US-internal news.
A place for major news from around the world, excluding US-internal news.
Privacy in the digital age (this is not a SECURITY subreddit, and PUBLIC data, closed source, etc is off-topic)
Android news, reviews, tips, and discussions about rooting, tutorials, and apps. General discussion about devices is welcome. Please direct technical support, upgrade questions, buy/sell, app recommendations, and carrier-related issues to other subreddits.
EDIT: 18-Apil-2023 - H618 Android TV boxes also infected (and possibly others) according to
A few months ago I purchased a box; it came with Android 10 (with working Play store) and an Allwinner H616 processor. It's a small-ish black box with a blue swirly graphic on top and a digital clock on the front. There's got to be thousands (or more!) of these boxes already in use globally.
There are and AliExpress.
This device's ROM turned out to be very very sketchy -- Android 10 is signed with test keys, and named "Walleye" after the Google Pixel 2. I noticed there was not much crapware to be found, on the surface anyway. If test keys weren't enough of a bad omen, I also found ADB wide open over the Ethernet port - right out-of-the-box.
I purchased the device to run among other things, and that's how I discovered just how nastily this box is festooned with malware. After running the Pi-hole install I set the box's DNS1 and DNS2 to and got a . The box was reaching out to many known, active malware addresses.
After searching unsuccessfully for a clean ROM, I set out to remove the malware in a last-ditch effort to make the T95 useful. I found layers on top of layers of malware using tcpflow
and nethogs
to monitor traffic and traced it back to the offending process/APK which I then removed from the ROM.
The final bit of malware I could not track down injects the system_server
process and looks to be deeply-baked into the ROM. It's pretty sophisticated malware, resembling in the way it operates. It's not found by any of the AV products I tried -- If anyone can offer guidance on how to find these hooks into system_server
please let me know here or via PM.
The closest I could come to neutralizing the malaware was to use Pi-hole to change the DNS of the command and control server, YCXRL.COM to 127.0.0.2. You can then monitor activity with netstat:
netstat -nputwc | grep 127.0.0.2 tcp6 1 0 127.0.0.1:34282 127.0.0.2:80 CLOSE_WAIT 2262/system_server tcp 0 0 127.0.0.2:80 127.0.0.1:34280 TIME_WAIT - tcp 0 0 127.0.0.2:80 127.0.0.1:34282 FIN_WAIT2 - tcp6 1 0 127.0.0.1:34282 127.0.0.2:80 CLOSE_WAIT 2262/system_server tcp 0 0 127.0.0.2:80 127.0.0.1:34280 TIME_WAIT - tcp 0 0 127.0.0.2:80 127.0.0.1:34282 FIN_WAIT2 - tcp6 1 0 127.0.0.1:34282 127.0.0.2:80 CLOSE_WAIT 2262/system_server tcp 0 0 127.0.0.2:80 127.0.0.1:34280 TIME_WAIT - tcp 0 0 127.0.0.2:80 127.0.0.1:34282 FIN_WAIT2 - tcp6 1 0 127.0.0.1:34282 127.0.0.2:80 CLOSE_WAIT 2262/system_server
I also had to create an iptables rule to redirect all DNS to the Pi-hole as the malware/virus/whatever will use external DNS if it can't resolve. By doing this, the C&C server ends up hitting the Pi-hole webserver instead of sending my logins, passwords, and other PII to a Linode in Singapore (currently 139.162.57.135 at time of writing).
1672673217|ycxrl.com|POST /terminal/client/eventinfo HTTP/1.1|404|0 1672673247|ycxrl.com|POST /terminal/client/eventinfo HTTP/1.1|404|0 1672673277|ycxrl.com|POST /terminal/client/eventinfo HTTP/1.1|404|0 1672673307|ycxrl.com|POST /terminal/client/eventinfo HTTP/1.1|404|0 1672673907|ycxrl.com|POST /terminal/client/eventinfo HTTP/1.1|404|0 1672673937|ycxrl.com|POST /terminal/client/eventinfo HTTP/1.1|404|0 1672673967|ycxrl.com|POST /terminal/client/eventinfo HTTP/1.1|404|0 1672673997|ycxrl.com|POST /terminal/client/eventinfo HTTP/1.1|404|0
I'm not ok with just neutralizing malware that's still active, so this box has been removed from service until a solution can be found or I impale it with a long screwdriver and toss this Amazon-supplied malware-tainted bomb in the garbage where it belongs.
The main take-away here: Don't trust cheap Android boxes on AliExpress or Amazon that have firmware signed with test keys. They are stealing your data and (unless you can watch DNS logs) do so without a trace!
___________________________________________________________
EDIT: 15-Mar-2023 - Adding cleanup steps:
The botnet owners changed DNS on ycxrl.com to an invalid, private IP (192.168.9.1) ... so "stage 0" malware is running, but the pre-pwn3d malware is unable to download "stage 1" from ycxrl.com.
That is great news short-term, but they can change this back anytime they like to a real IP. I highly recommend you look at my or at minimum perform the following steps to prevent malware from showing up again when they change ycxrl.com back to a real IP.
Install ADB (If not already installed):
Assuming you're on Windows, to install ADB simply install first and install ADB using Choco:
choco install adb
macOS users have Homebrew to accomplish the same thing:
brew install android-platform-tools
Cleanup Steps:
-
Start with a factory-reset device
-
Set the root switch to enabled and restart the device
-
Go to Settings -> Network & Internet
-
Connect to WiFi/Ethernet (preferably with a static IP and no gateway to prevent internet access)
-
Get T95 IP address from WiFi/Ethernet settings, connect to the device and become root:
adb connect [T95 IP address]
-> * daemon not running; starting now at tcp:5037
-> * daemon started successfully
-> connected to 10.44.0.14:5555
adb root
-> restarting adbd as root
Stage 1's 'home' folder is /data/system/Corejava -- Defeat the malware by turning /data/system/Corejava into an immutable file instead:
adb shell rm -rf /data/system/Corejava
adb shell touch /data/system/Corejava
adb shell chmod 0000 /data/system/Corejava
adb shell /vendor/bin/busybox chattr +i /data/system/Corejava
Additionally, the following prevents from running, which is an extra, unrelated layer of malware:
adb shell pm uninstall --user 0 com.adups.fota
adb shell pm uninstall --user 0 com.ftest
adb shell pm uninstall --user 0 com.www.intallapp
adb shell rm -rf /data/data/com.adups.fota
adb shell touch /data/data/com.adups.fota
adb shell chmod 0000 /data/data/com.adups.fota
adb shell /vendor/bin/busybox chattr +i /data/data/com.adups.fota
The place for news articles about current events in the United States and the rest of the world. Discuss it all here.
Subreddit dedicated to the news and discussions about the creation and use of technology and its surrounding issues.
Subreddit dedicated to the news and discussions about the creation and use of technology and its surrounding issues.
The place for news articles about current events in the United States and the rest of the world. Discuss it all here.
This subreddit is for technical professionals to discuss cybersecurity news, research, threats, etc.
Android news, reviews, tips, and discussions about rooting, tutorials, and apps. General discussion about devices is welcome. Please direct technical support, upgrade questions, buy/sell, app recommendations, and carrier-related issues to other subreddits.
Subreddit dedicated to the news and discussions about the creation and use of technology and its surrounding issues.
The place to get help for questions you have related to your Android device and the Android ecosystem.
A subreddit dedicated to hacking and hackers. Constructive collaboration and learning about exploits, industry standards, grey and white hat hacking, new hardware and software hacking technology, sharing ideas and suggestions for small business and personal security.
Where you can find the latest tech news, trends, and updates in PH
Planning to buy iphone 13 this end of March, gift ko lang para sa sarili ko. pero sa 33k+ na presyo maraming Android phones out there that have better specs than iphone 13. sa tingin niyo po ba mas worth it ba kunin ang iphone 13.
Reasons that I want that iphone 13 are:
-
Camera 2.Gamimh capabilities
-
security
is that enough reason to push my budget to buy iphone 13? please help need a genuine advice. Thank you sa mga sasagot
The place for news articles about current events in the United States and the rest of the world. Discuss it all here.
The place to get help for questions you have related to your Android device and the Android ecosystem.
Hi,
My avast has started flagging the app 'Android system' as a malware.
I have checked Malwarebytes and Sophoros but both are coming back as no issues.
Is the above an issue with Avast? It has never flagged up before. I found 'Android system' on the apps but I am unable to force stop/disable but I believe this is because it is a main component for the phone working?
Welcome to r/SingaporeRaw Community. Public speech in Singapore is heavily regulated, where the average Redditporean will often feel silenced and muted. r/SingaporeRaw is a safe haven for Redditporeans to share and post freely without fear of censorship. Feel free to share your thoughts, experiences, and opinions here, and we hope you have a good time !
-
A community for sharing and promoting free/libre and open-source software (freedomware) on the Android platform. This means software you are free to modify and distribute, such as applications licensed under the GNU General Public License, BSD license, MIT license, Apache license, etc., and software that isn’t designed to restrict you in any way. Think of free software as free as in freedom of speech, not free potatoes.
members -
The largest independent, community-run forum for discussions related to Chromebooks and everything else ChromeOS.
members -
Android news, reviews, tips, and discussions about rooting, tutorials, and apps. General discussion about devices is welcome. Please direct technical support, upgrade questions, buy/sell, app recommendations, and carrier-related issues to other subreddits.
members -
Subreddit dedicated to the news and discussions about the creation and use of technology and its surrounding issues.
members -
Android news, tips, and tricks. Anything Android security, Android hacking (rooting), and customization are welcome. Adjacent topics are also welcome.
members -
The place to get help for questions you have related to your Android device and the Android ecosystem.
members -
This subreddit was founded to get people to visit each others websites, videos, etc for free traffic. If you have media that you'd like to have receive more attention, post it here!
members -
**24 Hour Support** is a community focused on helping solve technical issues **FAST**. So fast we even set up a chat room for instantaneous help!
members -
A subreddit dedicated to hacking and hackers. Constructive collaboration and learning about exploits, industry standards, grey and white hat hacking, new hardware and software hacking technology, sharing ideas and suggestions for small business and personal security.
members -
Privacy in the digital age (this is not a SECURITY subreddit, and PUBLIC data, closed source, etc is off-topic)
members -
Stumped on a tech problem? Ask the community and try to help others with their problems as well. Note: Reddit is dying due to terrible leadership from CEO /u/spez. Please use our Discord server instead of supporting a company that acts against its users and unpaid moderators.
members -
/r/netsec is a community-curated aggregator of technical information security content. Our mission is to extract signal from the noise — to provide value to security practitioners, students, researchers, and hackers everywhere.
members -
Subreddit for the Ottawa Pokemon Go community. Discord Server: https://discord.gg/PokeGoOttawa
members -
This subreddit is for tips/locations (any way to help out others) who are playing Pokemon GO in Montreal, QC.
members -
This subreddit is for technical professionals to discuss cybersecurity news, research, threats, etc.
members -
The place for news articles about current events in the United States and the rest of the world. Discuss it all here.
members -
The goal of /r/tech is to provide a space dedicated to the intelligent discussion of innovations and changes to technology in our ever changing world. We focus on high quality news articles about technology and informative and thought provoking self posts.
members -
Cyber protection for every one. Malwarebytes believes that when people and organizations are free from threats, they are free to thrive. Need support? ➡️ support.malwarebytes.com
members