Compromised Phone Factory Reset

memyselfandi

My phone was potentially compromised by a shared charger on a train. Although Auditor and Scan Device show no signs of tampering, I still want to set up it up new just to be on the safe side.

When a phone is compromised, does a factory reset and reinstallation of GrapheneOS resolve the issue? Or could the phone's hardware be compromised beyond ''repair''?

matchboxbananasynergy

You can factory reset from recovery if you want to be sure: https://support.google.com/pixelphone/answer/4596836?hl=en#zippy=%2Cwith-your-phones-buttons-advanced

Curious

matchboxbananasynergy May I ask is it normal that when using factory reset from recovery mode it throws erros:
--Wiping data...
ERROR: recovery: libfs_mgr failed to open /sys/fs/f2fs/features/linear_lookup: Permission denied
ERROR: logwrapper: cannot log to file /dev/fscklogs/log
ERROR: recovery: Open failed: /metadata/ota: No such file or directory

Then classing formatting /data
Formating /metadata
etc. is happending
...
Data wipe complete

Chronicos

I have this same problem and I'm wondering the same thing, when I factory reset it seems like system files are still intact and have not reset.

Can any 1 shine some information on this please?

de0u

Chronicos "Factory reset" does not reset the device to the way it was when it was at the factory -- despite the name. That is infeasible for various technical reasons.

What "factory reset" does is to cryptographically wipe the user data partition. The system partition remains, and is used to set up a new owner account for the device.

Chronicos

Thanks for that, is there a way to check if the system partition is compromised?

de0u

Chronicos is there a way to check if the system partition is compromised?

https://grapheneos.org/install/web#verifying-installation

Watermelon

Chronicos Thanks for that, is there a way to check if the system partition is compromised?

Chronicos Thanks my key matches for pixel9a, how ever I have some suspect processes running with permissions I can't change(greyed out)

Technically, the key fingerprint lets you verify the identity of the installed operating system, and OS integrity is already checked using this key every time you reboot.

If the key fingerprint matches what GrapheneOS publishes, ~~you haven't done anything dangerous on the OS like granting apps the device admin permission or disabling secure app spawning,~~ and the OS is up-to-date, then I suggest you to stop worrying. You're ~~most likely~~ looking at benign stuff and misinterpreting it as a bad sign. (Edit: you said you did a factory reset.)

Chronicos

de0u

Thanks my key matches for pixel9a, how ever I have some suspect processes running with permissions I can't change(greyed out)

de0u

Chronicos I have some suspect processes running with permissions I can't change(greyed out)

That report is not yet actionable by this forum. Providing details of the "suspect processes" might be productive.

de0u

Chronicos I have some suspect processes running with permissions I can't change(greyed out)

Chronicos https://i.ibb.co/8Lg2G1dR/Screenshot-20260202-194933.png

Those aren't running processes. Those are somewhat-misleading permission displays for built-in system applications. See: https://discuss.grapheneos.org/d/30749-google-play-store-question-regarding-the-all-permissions-menu

The bottom line is that it isn't possible to "audit" parts of GrapheneOS by looking at app permission lists. In part that's because the vast majority of GrapheneOS code isn't applications -- it's things like system services that aren't apps (e.g., the Bluetooth stack), device drivers, the kernel, etc. The only way to meaningfully audit the system components is by reading the source code. That may be uncomfortable, but it's the situation. It is absolutely not an indication of compromise that built-in system applications have permissions that can't be revoked from the Settings UI.

Chronicos

@de0u thanks, here are some which are concerning to me as I can't change any of the permissions, I have a few more too.

Chronicos

de0u
Thanks is there away to check the source code? I have other signs my handset is compromised.

Flickering screen when keyboard is present
Call quality is questionable
Rethinkdns showing connections to country's like Brazil , Belgium, Romania and services like amazonaws, firebase.
I received a text message from an unknown mobile number before all this started happening which seemed to be in Arabic so i could not read it, this was on a brand new sim card and number with a brand new pixel 9a with grapheneos installed, only 4 people had the number, 2 of which where close family members.

Watermelon

Chronicos Thanks is there away to check the source code? I have other signs my handset is compromised.

You say you verified the fingerprint displayed at boot and it matches. This means you're running the exact same code that everyone else runs, built from the same source code. How would checking the source code help, unless you think we're all compromised too?

Chronicos Flickering screen when keyboard is present
Call quality is questionable
Rethinkdns showing connections to country's like Brazil , Belgium, Romania and services like amazonaws, firebase.
I received a text message from an unknown mobile number before all this started happening which seemed to be in Arabic so i could not read it, this was on a brand new sim card and number with a brand new pixel 9a with grapheneos installed, only 4 people had the number, 2 of which where close family members.

None of these are indicators of an OS compromise. GrapheneOS already gives you the features to ensure security:

Reboot to perform an integrity check on the firmware and OS.
Enable LTE-only mode to reduce cellular attack surface.
Factory reset from recovery mode deletes all persistent state and restarts the already verified operating system with a clean blank state.
Maybe other features that could be relevant to you.

I suggest you to stop worrying about benign stuff. Misinterpreting things you see out of ignorance isn't a healthy way to determine that you're compromised.

Chronicos

Watermelon

Thanks, yes boot key matches, would that change if code was injected to graphene system files? Sorry for the ignorance, how can I enable LTE ONLY mode?

Novalissoide

Chronicos how can I enabl

https://grapheneos.org/usage
https://grapheneos.org/faq

raccoondad

Chronicos would that change if code was injected to graphene system files?

It wouldn't boot if system files were changed, your system shows no signs of compromise. It simply is not compromised system file wise if the phone can reboot, it will fail to boot otherwise.

Watermelon

Chronicos Thanks, yes boot key matches, would that change if code was injected to graphene system files?

The verified boot key fingerprint that's displayed at boot time and on the GrapheneOS website is a value calculated from the verified boot key that you install during the initial installation. This value doesn't represent the software on your device and isn't meant to be an indication of whether the software was compromised, instead it represents the key you installed and locked into your device at installation time, and the software is checked against this key.

After you install GrapheneOS and the key, and lock the bootloader with this key, it's believed to be impossible to change the key without also triggering a complete wipe of all of your data. See: https://grapheneos.org/install/web#verifying-installation

Installing GrapheneOS flashes the GrapheneOS verified boot public key to the secure element. Each boot, this key is loaded and used to verify the OS.

The “secure element” cited here is a physical component within your phone, basically another computer within your phone that has its own internal operating system, storage, processor, etc. The secure element isn't a general-purpose computer, it's extremely tightened down and hardened against attacks. Furthermore, because it's separate from the main CPU and other components, even a complete compromise of the operating system isn't enough to compromise the secure element, as that still requires an extra step.

If you keep your phone up-to-date with the latest GrapheneOS versions, you take care to not install apps that seem malicious or from shady sources, you enable extra security features and take care with granting extra permissions to apps, you're helping to reduce the chance that a vulnerability in the secure element could be exploited, because even if one exists there's still a way to go through before it can be exploited. GrapheneOS updates also bundle up-to-date Google firmware, so installing that would make sure that any vulnerabilities discovered in the secure element are patched. After an OS update is installed, I recommend ~~rebooting twice~~ rebooting once, unlocking the device, waiting for the “finalizing system update” notification to go, and then rebooting again — this presumably ensures that the secure element's firmware is updated too.

Chronicos Sorry for the ignorance, how can I enable LTE ONLY mode?

Check here:
https://grapheneos.org/usage#lte-only-mode

If you're really concerned, you can also reboot at least once a day.