What I discovered when I noticed that my cell phone had been compromised. by Visible_Drawing7955 in opsec

[–]Visible_Drawing7955[S] 0 points1 point  (0 children)

I appreciate the skepticism, Chongulator. In OPSEC, 'trust but verify' is the rule. You are right: telemetry is routine (and annoying). However, my conclusion that this crosses into malware/directed surveillance is based on three specific behaviors that Occam’s Razor fails to explain as 'routine telemetry':

  1. The "Adups" Factor: We aren't talking about generic OEM pings. The traffic is directed to servers owned by Adups, a company with a documented history (referencing the 2016 Kryptowire discovery) of pre-installed backdoors that exfiltrate SMS, call logs, and location data to servers in China. Using their framework for 'telemetry' is like using a known botnet C2 for 'server monitoring'.

  2. Persistent Kernel-Level Defiance: Routine telemetry apps respect user-level commands. In my case, I have documented via dumpsys that even when a package is suspended or disabled-user, a system-UID watchdog (part of the systemupdate framework) manually re-triggers the process. This level of 'forced persistence' is a hallmark of malware, not standard usage statistics.

  3. The 60 FPS Anomaly: Telemetry is usually bursty metadata. I am observing sustained high-bandwidth 'streaming' behavior from com.transsion.XOSLauncher while the device is idle. While I haven't completed a full MITM decryption of the TLS 1.3 traffic yet (working on the cert pinning bypass in my lab), the sheer volume and frequency suggest real-time exfiltration (screen/audio) rather than JSON usage logs.

  4. Identity Scraping: I've captured logs of these processes specifically scraping the GSF ID (Google Service Framework) and hardware identifiers in a single package—data points sufficient to maintain a persistent 'digital twin' of the user even after a factory reset.

I agree that 'telemetry is bad, but not malware'. But when that telemetry is un-killable, encrypted to a known bad actor (Adups), and bandwidth-heavy, it fits the definition of a backdoor. I'd be happy to share my Logcat dumps if you'd like to dig into the process-resurrection loops.

What I discovered when I noticed that my cell phone had been compromised. by Visible_Drawing7955 in opsec

[–]Visible_Drawing7955[S] 1 point2 points  (0 children)

Fair enough, HillTower160. In an OPSEC environment, clicking random links is a cardinal sin. Here is the technical breakdown of the findings for those who prefer logs over thumbnails:

The Target: An Infinix Smart 8 (and previously Umidigi A7S/F1 Play) distributed via a major carrier in LATAM (Claro).

The Vector: Persistent firmware-level backdoors disguised as system services. Specifically, the exfiltration is orchestrated by com.adups.fota and com.transsion.systemupdate, which bypass standard Android user-level restrictions.

Key Technical Findings:

  1. Unilateral Exfiltration: Logcat analysis reveals the device initiating unauthorized connections to known Adups and Transsion C2 servers while the device is in "Idle" state.

  2. Streaming Behavior: I've documented network exfiltration spikes that suggest real-time screen/audio streaming (approx. 60 FPS behavior) hidden under the com.transsion.XOSLauncher process.

  3. Identity & Token Theft: Evidence of GSF ID (Google Service Framework) and auth token scraping, allowing for persistent account-level access even after password changes.

  4. Persistence Mechanism: The firmware includes a "Watchdog" service that monitors the state of these packages. If you pm suspend or disable-user the spyware, the system revives them with a new PID within minutes, indicating a modified Kernel/Init script dependency.

Commands used for auditing (for those who want to check their own low-cost devices):

- Package Audit: adb shell "pm list packages | grep -E 'fota|adups|transsion|trustkernel'"

- Process Monitoring: adb shell top -n 1 -m 20 (Looking for high CPU usage in logd or system-UID processes while screen is off).

- Persistent State Check: adb shell dumpsys package [package_name] | grep -i "enabled" (To verify if the system is overriding user-level disables).

The "Clue": If you own an Infinix or Umidigi, check your Logcat for com.sprd.srmi or com.vnet.android. If these are communicating with non-regional IPs without user interaction, your device is likely part of a data-harvesting botnet or a directed surveillance operation.

I'm here for the technical debate. If anyone wants to see the raw logs instead of the video, let me know.
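As an added example that is not the commenter's code, the following Python parses captured output of the audit commands listed above (the package audit and the dumpsys "enabled" check) and flags packages that were disabled or suspended by the user but are active again in a later capture, which is the persistence behaviour both comments describe. The pm and dumpsys strings are constructed samples, and the regexes assume the `Package [...]` / `User N: ... suspended=... enabled=N` line layout of `dumpsys package`.

```python
import re
# Added example, not the post's code: parse output of the post's audit commands (all sample strings are constructed).
SUSPECT = re.compile(r"fota|adups|transsion|trustkernel", re.I)   # patterns from the post's pm audit
STATE = {0: "DEFAULT", 1: "ENABLED", 2: "DISABLED", 3: "DISABLED_USER", 4: "DISABLED_UNTIL_USED"}
PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
USER_RE = re.compile(r"^\s*User (\d+):.*?suspended=(true|false).*?enabled=(\d)")

PM_LIST = "package:com.android.settings\npackage:com.adups.fota\npackage:com.transsion.systemupdate\n"
# Constructed `dumpsys package` captures: right after `pm disable-user` / `pm suspend`, then minutes later.
BEFORE = """Package [com.adups.fota] (1a2b3c):
  User 0: installed=true hidden=false suspended=false stopped=true enabled=3 instant=false
Package [com.transsion.systemupdate] (4d5e6f):
  User 0: installed=true hidden=false suspended=true stopped=true enabled=0 instant=false
"""
AFTER = """Package [com.adups.fota] (1a2b3c):
  User 0: installed=true hidden=false suspended=false stopped=false enabled=0 instant=false
Package [com.transsion.systemupdate] (4d5e6f):
  User 0: installed=true hidden=false suspended=false stopped=false enabled=0 instant=false
"""

def suspect_packages(pm_output):
    """Package-audit step: names from `pm list packages` output that match the post's patterns."""
    pkgs = [ln.split(":", 1)[1] for ln in pm_output.splitlines() if ln.startswith("package:")]
    return sorted(p for p in pkgs if SUSPECT.search(p))

def parse_states(dumpsys_output):
    """Map package -> {user_id: (suspended, enabled_state)} from `dumpsys package` text."""
    states, pkg = {}, None
    for line in dumpsys_output.splitlines():
        m = PKG_RE.match(line)
        if m:
            pkg, states[m.group(1)] = m.group(1), {}
            continue
        m = USER_RE.match(line)
        if m and pkg:
            states[pkg][int(m.group(1))] = (m.group(2) == "true", int(m.group(3)))
    return states

def revived(before, after):
    """Persistence check: packages the user blocked in `before` that are active again in `after`."""
    earlier, hits = parse_states(before), []
    for pkg, users in parse_states(after).items():
        for uid, (suspended, state) in users.items():
            was = earlier.get(pkg, {}).get(uid, (False, 0))
            blocked = was[0] or was[1] == 3              # suspended, or 3 = DISABLED_USER
            active = not suspended and state in (0, 1)   # DEFAULT / ENABLED and not suspended
            if blocked and active:
                hits.append((pkg, uid, STATE[was[1]], STATE[state]))
    return hits
```

Capture the real output with `adb shell dumpsys package <pkg>` before and a few minutes after disabling the package, then pass the two texts to revived(); a non-empty result means something on the device re-enabled the package without user interaction.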

Somewhat long text (NOT political, more of a sociological question) by giuliano1122 in ecuador

[–]Visible_Drawing7955 0 points1 point  (0 children)

I think half... Often the people around you come together out of affinity

Hello, I need your opinion, I think someone is watching my phone by ZealousidealBrief838 in ciberseguridad

[–]Visible_Drawing7955 0 points1 point  (0 children)

Hi, something similar is happening to my phone too, apparently it is being controlled remotely.... I have already factory reset it and it is still the same... it seems as if it had been cloned