Potentially Malicious SMS

multiply8673

I just clicked on a potentially malicious MMS sent to my voip.ms app on a secondary user profile. It was a text from a random number with a simple landscape photo. Like an idiot, I clicked on the photo. I immediately deleted the voip.ms app (which had permissions for notifications, network, and contacts) and closed the user profile. What is the best course of action to take next? Should I delete the user profile or is the app sandboxing enough to mitigate any further risk?

ryrona

multiply8673 Like an idiot, I clicked on the photo.

What happened when you did that?

multiply8673 Should I delete the user profile or is the app sandboxing enough to mitigate any further risk?

The app sandboxing should be enough, in the sense that they would have to first find a working exploit against your app, and then also in addition to that find a working sandbox escape exploit, and having two zero-day vulnerabilities to chain like that is extremely rare. You would have to be a very attractive target for them to risk burning those zero-days on you.

However, I think it is good with some healthy paranoia. I would have done a secure factory reset on my phone if I had any reason to suspect an actual hacking attempt was made, even if I believed the hacking attempt had failed. And only to bring myself peace of mind that I definitely have managed to get rid of attacker from my device if it even was hacked in the first place.

gk7ncklxlts99w1

ryrona you've inspired me to make a post asking people if they've ever thought they were compromised and what they did!

multiply8673

Thank you for the answer. As I was trying to remember/reconstruct the exact sequence of events, it occurred to me that I may have far less to be concerned about than I initially thought.

It would appear that I did not click directly on a photo due to the way MMS messages are handled by my VOIP service. When I am sent an MMS message, I do not receive the message directly. Rather, Voip.ms sends me a link to the Voip.ms website where the message is stored.

So when I clicked on the MMS link, it launched Vanadium, which took me to the Voip.ms page where the photo was hosted. Nothing happened other than that the photo was displayed on a webpage in Vanadium, which I viewed, then promptly closed before freaking out.

I think that the image being viewed through a browser makes this all less concerning than I originally had thought.

ryrona

multiply8673 I think that the image being viewed through a browser makes this all less concerning than I originally had thought.

Web browsers can also have zero day vulnerabilities, including in their image parsing libraries, just like any other app can.

angela

If you have a high threat model (CEO of big company, government official, activist), it's possible you're being targeted. Who send random landscape photos as attachemnts? Can you get the photo back on another OS and analyze it in an amnesiac setting (outside of GOS) to look at the metadata? Most photos like that would have metadata. An accidental photo without it may be more likely to be crafted. If GOS can be expired by nation-state actors or others it would be such a high-value exploit that it would be guarded so closely. No one has even shown GOS hacked remotely like that however. If your threat model isnt extremely high, just ignore it.

multiply8673

I recovered the photo from my VOIP provider on a sandboxed Linux VM and uploaded it to MetaDefender. It would appear that it is not known to contain malicious code.

I was able to view the photo in the sandboxed environment and, with a reverse-image search, located a visually identical photo published on Feb 11, 2025 in a news article about the Monte Rio Redwoods forest, which is two days before the text was sent to me. I think it therefore unlikely that it would have been repurposed for a malicious attack so quickly, and was more probably simply a probe or attempt to get me to respond, in order to confirm that the line contains a live number. I also compared the metadata of the two files and found no differences between the two files.

It is still somewhat unsettling, especially after reading about all of the ways malware can be hidden in photos and evade malware scans: https://www.sentinelone.com/blog/hiding-code-inside-images-malware-steganography/

I'm going to be much more careful in the future.

Watermelon

multiply8673 You're confusing between steganography, which is the act of hiding data within other data, and a malicious piece of data that automatically exploits your device to do something bad or load further code. Steganography is more comparable to cryptography and it's not inherently malicious.

EDIT: If you ever worry about an exploit being sent to one of your apps, I recommend simply enabling the GrapheneOS per-app exploit mitigations for that app to the maximum (unless it's a preinstalled/system app), revoking its permissions down to the minimum (ditto), and rebooting. If it happens again then reboot again.

EDIT 2: Also enable secure app spawning and system crash notifications.

DeletedUser237

Watermelon Actually stego can and is being used to smuggle malware. It bypasses some basic .monitoring / scanning activities.

Watermelon

DeletedUser237 Actually stego can and is being used to smuggle malware

I didn't say it wasn't, but you're implying that malware can automatically execute in a context where no executable code should be loaded from an external source. We're talking about an SMS message that executes code. This should never happen, and if it does, it's not because the SMS contains malware, it's because it contains an exploit, which is not the same thing at all as steganography.

DeletedUser237 It bypasses some basic .monitoring / scanning activities.

Steganography is used in the hope of evading detection by antivirus. It doesn't definitely bypass it, it could fail. And evading detection by an antivirus by trying to hide the malicious code using steganography is still a different thing than putting an exploit in an SMS message.

DeletedUser237

Watermelon How do you know what code was there in the first place? Malware is not just an executable.

and stego is used not just to bypass AV, it can be used to bypass IDS, IPS, FW or WAF and other monitoring/prevention systems. And I never said it is successful at bypassing it. I just said it is used as one method of doing so. you're arguing about semantics , not grasping the concept we discuss.

Watermelon

DeletedUser237 How do you know what code was there in the first place?

I didn't say that and it's not relevant anyway.

DeletedUser237 Malware is not just an executable.

Malware = malicious software
Software (in this context) = executable program

DeletedUser237 stego is used not just to bypass AV, it can be used to bypass IDS, IPS, FW or WAF

All the same, doesn't matter.

DeletedUser237 I never said it is successful at bypassing it. I just said it is used as one method of doing so. you're arguing about semantics , not grasping the concept we discuss.

I grasp the concept very well. Steganography is not a form of attack, it's a form of obscurity. It's also inherently not fully successful because the malware needs to be changed into its unobscured form automatically at some point in order to execute with no human intervention once its entry point is executed. This is no different than using encryption — either the entire malware is encrypted and then it can't execute without the user knowing how to decrypt it, or most of it is encrypted but there's a component that decrypts it.

An exploit is not a form of obscurity to evade detection, it's a form of attack.

DeletedUser237

Watermelon

I grasp the concept very well.

Let's agree to disagree. This is not the place to continue this dispute.