Hacked cell phone

2,552 Views | 19 Replies | Last: 2 yr ago by Caesar4
eric76
I have an Android phone.

Last week, it got really weird. I think it's been hacked although I'm completely lost at how.

My first act was to set it back to factory defaults. The problem is that if they got a rootkit installed on it, a reset like that won't do much good.

How good are cell phone rootkits these days?

Any suggestions on how to make sure that it isn't currently vulnerable?

I'm actually tempted to get another cell phone, remove the SIM card in this one, and just use it on wifi as a VOIP phone. Even that, though, would be inadvisable if the attackers can still get to it.
AvsB
did you sideload a shady APK? How do you think you got hacked?
Sweet Kitten Feet
What exactly is it doing that makes you think it got hacked?
Naveronski
Short of you (accidentally) doing something shady to your own phone, what makes you think you'd be the target of an outside actor?
eric76
AvsB said:

did you sideload a shady APK? How do you think you got hacked?
You really have me on that.

I had basic apps for things like e-mail and a calendar. I had no games on it at all. I rarely used the browser -- the last time was about three months ago and that was probably the first time in a year. And I had a second number on Google Voice with it, too. The flakiest app was probably Telegram.

I don't know that I ever used it to connect to a public wifi. I've seen iPhones connect to any public wifi they see, but you had to intentionally tell mine to connect to a public wifi. However, I did connect to other people's wifis at their houses to test their connections.
eric76
Sweet Kitten Feet said:

What exactly is it doing that makes you think it got hacked?
It suddenly started playing really loud and obnoxious pop-ups and it loaded some apps that I didn't load.

One thought that crossed my mind was that it had updated a normal app and the update had been compromised.
eric76
Naveronski said:

Short of you (accidentally) doing something shady to your own phone, what makes you think you'd be the target of an outside actor?
On computers, most hack attacks are automatic and not targeted at any one particular person. I assume that cell phones are the same.
Naveronski
Well, no. On computers most problems are due to the user clicking on a malicious link or otherwise installing malware.

On cell phones the user is again the weak link.
eric76
Naveronski said:

Well, no. On computers most problems are due to the user clicking on a malicious link or otherwise installing malware.

On cell phones the user is again the weak link.
You are correct that clicking on a malicious link is a serious problem. However, it is relatively rare that those malicious links are targeted at any one person. Sometimes they are, but usually they are automated attacks against large numbers of harvested addresses without being targeted at anyone in particular.

For example, I get plenty of e-mails daily to my IANA contact address. By about 1997 or so, that e-mail address was getting so much spam that it became unusable. I still have the address but have not been able to use it in years. In the last ten years, I've probably received only one or two legitimate e-mails to it of the hundreds of thousands it has received. It's hard to imagine those e-mails being targeted at me.

Another route is via home or small office routers. What most people don't realize is that home routers/firewalls are not very secure which makes the routers/firewalls a prime target for hackers. Many routers/firewalls, even very expensive commercial firewalls, have been found to have embedded usernames and passwords which allow anyone who knows them to connect. Once the router has been breached, then the attacker usually has easy access to anything and everything behind the router/firewall.

And, for what it's worth, a great many of the router attacks are automated and aren't directed at any particular targets. Sure, if you want to break into XYZ Ball Bearings, then you might go after their router.

Some years ago, a customer of ours had a router visible to the Internet. One day, that router got hit. It then started trying to hit other routers in our address space. Fortunately, we caught the attack within an hour and were able to stop it with only about six routers hit. Under no circumstances is any router of that brand allowed to be visible to the Internet any more. Nobody was directing the attack against any particular targets.

In another case, we connected one company to the Internet and from the start they were running about 60 megabits per second constantly. We quickly determined that one computer at that site was scanning blocks of addresses for open rdp (Microsoft Remote Desktop Protocol) services. This went on non-stop until we collected the data that we needed and started blocking all rdp traffic to and from their IP address. The targets were all over the place. Their port scanning was automated searching for vulnerable sites.

So yeah, if you are a celebrity or the company is an attack target for some reason, then there is a good chance that someone is directing the attack at you. In the vast majority of cases, the attackers are not targeting you directly.
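The RDP sweep described in that post is easy to spot from flow records: one source touching many distinct destinations on port 3389. The following detection logic is an added example, not something from the thread; the flow records and the threshold are constructed for illustration.

```python
"""Flag a host that sweeps address blocks looking for open RDP (TCP 3389).

Added example, not from the thread above. Input is a list of constructed
flow-style records (src, dst, dport). A source that contacts many distinct
destinations on 3389, spread over several /24 blocks, is reported.
"""
import ipaddress
from collections import defaultdict

RDP_PORT = 3389
DISTINCT_DST_THRESHOLD = 20  # assumed tuning knob, not a value from the thread


def rdp_scanners(flows, threshold=DISTINCT_DST_THRESHOLD):
    """Return {src: (distinct_dst_count, distinct_slash24_count)} for every
    source whose number of distinct RDP destinations reaches the threshold."""
    targets = defaultdict(set)
    for src, dst, dport in flows:
        if dport == RDP_PORT:
            targets[src].add(dst)
    result = {}
    for src, dsts in targets.items():
        if len(dsts) >= threshold:
            blocks = {ipaddress.ip_network(f"{d}/24", strict=False) for d in dsts}
            result[src] = (len(dsts), len(blocks))
    return result


def make_sample_flows():
    """Constructed sample: one normal admin session that repeatedly reaches a
    single RDP host, and one host sweeping two /24 blocks (documentation
    ranges from RFC 5737)."""
    flows = [("10.0.0.5", "203.0.113.10", RDP_PORT)] * 30          # legitimate
    flows += [("10.0.0.7", f"198.51.100.{i}", RDP_PORT) for i in range(1, 61)]
    flows += [("10.0.0.7", f"192.0.2.{i}", RDP_PORT) for i in range(1, 41)]
    flows += [("10.0.0.7", "203.0.113.20", 443)]                   # unrelated
    return flows


if __name__ == "__main__":
    for src, (n_dst, n_blocks) in rdp_scanners(make_sample_flows()).items():
        print(f"{src}: {n_dst} distinct RDP targets across {n_blocks} /24 blocks")
```

The repeated session from 10.0.0.5 hits only one destination and is not flagged; the sweep from 10.0.0.7 is, which is the signal you would use to block RDP to and from that address.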
Proposition Joe
I'd say that the initial attacks are typically a wide net cast, but if vulnerabilities are detected then individual attacks absolutely then take place. Most of your financial attacks occur this way. I've had my financial accounts targeted after a vulnerability was detected and I'm sure I'm not alone in that.
cryption
How old is the phone? Is the battery swelling? I've seen this behavior on multiple of my users' phones when the battery is shot / swelling.
Naveronski
Okay, so... either you're the specific victim of a very complicated cyber attack - or you clicked on a malicious link - and now your phone is showing popup ads?
eric76
cryption said:

How old is the phone? Is the battery swelling? I've seen this behavior on multiple of my users' phones when the battery is shot / swelling.
It's maybe two or three years old. I got it after accidentally washing my previous phone with my Levi's.
eric76
Naveronski said:

Okay, so... either you're the specific victim of a very complicated cyber attack - or you clicked on a malicious link - and now your phone is showing popup ads?
For it to be the browser, it would have had to have been waiting for a long time.

I also hadn't added an app in about six or seven months.

I did update the apps not long ago. It makes more sense that one of the updates had been hacked.
Naveronski
eric76 said:

Naveronski said:

Okay, so... either you're the specific victim of a very complicated cyber attack - or you clicked on a malicious link - and now your phone is showing popup ads?
For it to be the browser, it would have had to have been waiting for a long time.

I also hadn't added an app in about six or seven months.

I did update the apps not long ago. It makes more sense that one of the updates had been hacked.

Do you not use the browser on your phone?
eric76
Naveronski said:

eric76 said:

Naveronski said:

Okay, so... either you're the specific victim of a very complicated cyber attack - or you clicked on a malicious link - and now your phone is showing popup ads?
For it to be the browser, it would have had to have been waiting for a long time.

I also hadn't added an app in about six or seven months.

I did update the apps not long ago. It makes more sense that one of the updates had been hacked.

Do you not use the browser on your phone?
The first time I used it was when I had covid in May-June 2020.

The second time was a few months ago when our Internet connection was out for about four days.

On my cell phone, I occasionally go over one tab too many to the left and Google Chrome pops up. I hate that.

About the only apps I generally use are Telegram, Proton Mail, ProtonVPN, Proton Calendar, Proton Pass, and Signal, none of them on a daily basis -- most days I don't use the cell phone at all.
Proposition Joe
Just because you don't actively open the browser app doesn't mean you don't use the browser -- any of your mail or text apps could have a link that loads the browser (and depending on your phone there could be a stock browser in addition to Google Chrome).

Just factory reset the phone if you are worried about it. Seems like overkill to assume it's some advanced under-the-radar root hack that can circumvent a factory reset but at the same time is loudly announcing with pop-up ads that it's on your phone.

Chances are you either clicked a malicious link, installed an unofficial app masquerading as an official one, or installed an app that has spyware/malware (e.g. a QR scanner I used a long time ago was known for installing spyware).
eric76
Proposition Joe said:

Just because you don't actively open the browser app doesn't mean you don't use the browser -- any of your mail or text apps could have a link that loads the browser (and depending on your phone there could be a stock browser in addition to Google Chrome).

Just factory reset the phone if you are worried about it. Seems like overkill to assume it's some advanced under-the-radar root hack that can circumvent a factory reset but at the same time is loudly announcing with pop-up ads that it's on your phone.

Chances are you either clicked a malicious link, installed an unofficial app masquerading as an official one, or installed an app that has spyware/malware (e.g. a QR scanner I used a long time ago was known for installing spyware).
I did install an app last spring or early summer. Think that was it?

My only e-mail address that gets much e-mail is my IANA contact address, but I would never consider checking it on a cell phone. I work hard to avoid getting spam to my ProtonMail account and it gets almost none.

As for worrying about a rootkit, that's not the case at all. The issue is that it can happen, and if it does, the attackers can pretty much get control of everything.

I sometimes wonder if I am too paranoid. My servers, if they have routable IP addresses at all, require either two ssh keys or one ssh key and the password (minimum password on the servers is set to something like 25 characters) if logging in from a US address. If logging in from abroad, they require a password and two ssh keys.
Proposition Joe
I will never fault anyone for being too paranoid with their digital protection.

That being said, does it make any logical sense that something embedded deep into your phone is stealing all of your important data but has also decided to loudly announce the intrusion with "really loud and obnoxious pop-ups"?

Anyone siphoning off your valuable data isn't going to announce it. Chances are you simply clicked a malicious link or the like and you have run-of-the-mill malware. Do a factory reset and move on.
Caesar4