Uneasy after unwanted downloads via Download Manager - ideas for diagnosis?

Bimmy

First potential security-relevant incident observed on one Pixel 8 with GOS, and I'd be happy for a suggestion for next steps.

Here is what probably(*) happened:

0) GOS, secondary user
1) Using Vanadium (mostly out-of-the-box) in foreground, browsing.
2) Ordinary search for name of a journalist seen on TV (in this case: "Daniel Levy").
2.1) Done first with the search engine configured in Vanadium, in our case: startpage.com,
2.2) then continuing looking up the website of duckduckgo,
--> reaching a site that allegedly and probably actually was duckduckgo.com (no signs of irregular behavior jet)

2.3) Entering same search term there
--> getting an ordinary suggestion list of found sites

2.4) Probably(*) clicking 1 or 2 from upper search results, which didn't show any indicators of being shady.

(*) NOTE: I'm describing with restraint, because I'd expect some vagueness in memory here is possible because what happened next startled the one searching the internet.

3.) Suddenly a popup / overlay from "Download Manager" appeared and begin to enumerate unwanted names of files that were allegedly downloaded.
--> 4 files in total were supposedly downloaded until the next step.

NOTE: I am convinced, that no such download was intended, nor willfully initiated. I wouldn't even know how it was possible to start downloading multiple files at once in Vanadium.

4.) Person who operated the phone immediately shut down / rebooted GOS via side buttons > Reboot.

5.) Rebooting regularly > Unlocking Owner
6.) Auditor App > verifying Questionable Device (Owner) from other, trusted GOS phone
--> everything OK (green) and as expected

7.) Airplane Mode and Log into secondary user where the incident occured
8.) Auditor App > verifying Questionable Device (respective secondary user) from other, trusted GOS phone
--> everything OK (green) and as expected, too.

9.) Looking for the unwanted files via file manager (Files App)
--> Using the information from a another thread ( https://discuss.grapheneos.org/d/8701-download-manager-where-are-files-stored ), no obvious traces were found. Unfortunately, a notification history did not exist, because the feature is not enabled here.

10.) Using Files manager to dig through some typical folders mentioned in usage guide (s. https://grapheneos.org/usage#storage-access ) ,
--> nothing suspicious was found.
--> In this course, a few old, known files (jpg and pdf) were cleaned, but not our dubious, downloaded(?) files from step 3.)

11.) Opening Vanadium to find out more about the mysterious downloads:
12.) Download manager still showed file names:
_td.txt
_rd.txt
[1 undocumented txt file, unfortunately lost because suboptimal handling and/or the Download Manager's UI behaviour not fitting personal, mental logic]
_basicconfig.json

13.) Trying to find out more about the properties of these files(?)
--> mostly unsuccessful:
13.0) Few minutes of internet research does not tell me anything clearly useful.
13.1) In case of the alleged txt-Files, trying to obtain more info via Vanadium and Download manager.
--> Clicking the entries resulted in their successive disappearance from the Download Manager list - accompanied by a short, quick message bubble that probably read like: File not found.

13.2) The "_basicconfig.json"-entry actually did lead to an "Open File-Dialog", which was followed up by choosing BeauTyXT.
NOTE: I suppose steps 13.1) and 13.2) were risky. I am not proud about the handling here. Yet I want to be honest and as exact as memories allow it. Apart from that, there was (maybe too much??) trust in the presumed hardening of Vanadium and BeauTyXT and situational perceptions of the overall situational factors. That did not lead to thorough conviction that a dangerous attack was in progress. Actually, it's still unclear what exactly happened here, at all.
13.2.1) Using BeauTyXT to open the json(?)-file actually lead to something looking entirely like a relatively short configuration file in valid json, without many remarkable properties. I should have filmed the operation from another device or made a screenshot here, but I didn't expect that the file would soon get "lost"(?), too.
13.2.2) IIRC, BeauTyXT headlined the file with just its name and the locator "/", as if it was at top, root level of filesystem.
13.2.3) After I closed BeauTyXT, even that json(?)-File can no longer be found. I dont' know where it was(??) and where Download Manager put it or read it from.
14.) After step 13, the list in Vanadium > Downloads is now completely empty.

We could call it a day here, and pretend nothing happened, but an uneasy feeling remains. I want to emphasize that this is the first time something undesirable, unexplained happened on a GOS device, to me at all.

The least I'd hope to find out:

Where did these alleged files - of which I've definitely seen a json via BeauTyXT for a short time - go?
Is there anything to fear, clean up, or specifically watch for?
Generally, can anyone make sense of what have happened here?

Thanks in advance for your time and best regards!

PS: Excuse me for sketchy formatting. For the original post I did not have a preview, indentations came out completely different than expected, and now only few minutes to somehow make it tidy.

ryrona

Bimmy First potential security-relevant incident observed on one Pixel 8 with GOS, and I'd be happy for a suggestion for next steps.

Since you had documented so exactly what has happened, including file names and such, I decided to play detective, and I have found out what happened to you.

First thing: It was not any website that triggered these downloads. These downloads were triggered by an app called RethinkDNS which you probably have installed. RethinkDNS apparently has a blocklist functionality, and when updating the blocklists, it initiates exactly four downloads. Those are typically initialized using the in-app downloader, but if you have disabled that in the RethinkDNS settings, it will use the "Android Download Manager" instead. The files downloaded are "filetag.json", "basicconfig.json", "rd.txt" and "td.txt", which matches well with what you describe. Apps can apparently initiate downloads through Android Download Manager without asking for your confirmation, to any path they want. Websites cannot.

Bimmy Where did these alleged files - of which I've definitely seen a json via BeauTyXT for a short time - go?

Likely deleted by RethinkDNS app as automatic cleanup of old temporary files.

Bimmy Is there anything to fear, clean up, or specifically watch for?

If you got the RethinkDNS app, and have disabled the "in-app downloader", I do not think you need to worry at all anymore.

Source for all this (both code and tickets):
https://github.com/celzero/rethink-app/

nandohyphen1

Were you able to delete them? I'm unable to delete the 'ghost file' on my phone. I had no intention of downloading anything and it just appeared in downloads several days ago. I am not able to delete it

Bimmy

To wrap this up,

nandohyphen1

I was about to answer in a sense that strictly speaking, I couldn't answer that question, since the files disappeared upon click from download manager or after first access from text editor and I still haven't been unable to locate them.

However, ryrona's answer effectively superseded this and provides a comprehensive explanation for this specific instance of appearance of ghost files. Unless, you had used RethinkDNS too and somehow configured it to use Downloads folder, I guess there are multiple different root causes at work here.

While a more detailed treatment of that might exceed the scope of the thread at hand, I hope the community can join forces to deal with those other root cause, too.
IIRC, you mentioned "your" ghost files occurrence in some sibling thread. If you have the URL at hand, you could cross-link so we can easier deal with that issue there.

Bimmy

ryrona

Phenomenal!

Though I can't say with 100% certainty, AFAIK your hypothesis matches reality in several points. Actually, that much that I'd call it confirmed.

Regarding some details:

ryrona First thing: It was not any website that triggered these downloads. These downloads were triggered by an app called RethinkDNS which you probably have installed. RethinkDNS apparently has a blocklist functionality, and when updating the blocklists, it initiates exactly four downloads. Those are typically initialized using the in-app downloader, but if you have disabled that in the RethinkDNS settings, it will use the "Android Download Manager" instead.

I confirm that RethinkDNS was running at the time. Additionally, RethinkDNS (version 0.5.5n) had mostly default settings - in which in-app downloader is indeed disabled.

ryrona The files downloaded are "filetag.json", "basicconfig.json", "rd.txt" and "td.txt", which matches well with what you describe.

That fits. Though the name of one of the files was undocumented, I'd say it's very plausible that it had been filetag.json. (Needless to say: My albeit uncertain report, that it had been a txt-file underscores again the fuzziness of human recollection processes...)

ryrona Apps can apparently initiate downloads through Android Download Manager without asking for your confirmation, to any path they want. Websites cannot.

For interest (maybe you know): I wonder whether that download incident was just coincidental to the browsing session -- meaning that the download and popup-window would have shown even on a blank homescreen or while using anything else than vanadium, anyway. Or does that RethinkDNS download mechanism somehow need an active browser session?

ryrona If you got the RethinkDNS app, and have disabled the "in-app downloader", I do not think you need to worry at all anymore.

As said, all a hit. I'd assign kudos, but since this board apparently doesn't have this, I can only express my sincere gratitude for taking your time to review the code and tickets and providing this explanation. This also provides relief for some residual worries and also allows a better handling of future of such incidents.

If you'd be willing to reveal tricks: Was there a simple online way to search for phrases of the phenomenon? Or did you fetch lots of code with git and did local text searches? Or even manual code walkthroughs? Either way, I'm still impressed. The theoretical possibilities for some random app doing this on the device were near infinite. Even narrowing down the search to RethinkDNS was a feat, even though I mentioned usage of RethinkDNS in some sibling thread.

newbie24689

ryrona

Apps can apparently initiate downloads through Android Download Manager without asking for your confirmation, to any path they want

YIKES!!!

Bimmy

The statement about apps using download manager, the latter's capabilities and potential, resulting uneasy might be worth additional consideration:

ryrona Apps can apparently initiate downloads through Android Download Manager without asking for your confirmation, to any path they want. Websites cannot.

Can you say how this works with respect to the android permission model? My current state of knowledge was the one from usage guide ( https://grapheneos.org/usage#storage-access ), particularly that respective app-internal storage is effectively free for the specific app itself, while shared (app-"external") storage required granted permissions. I guess, for arbitrary write anywhere, this would be the permission "All files access" (MANAGE_EXTERNAL_STORAGE).

Now I am unsure how this is handled exactly. There is mainly two groups of themes.

Firstly, there is a system app(?) / service called Download Manager.
- The Android documentation describes it as a system service for long-running http-downloads (s. https://developer.android.com/reference/android/app/DownloadManager ).
- RethinkDNS shows it in its "Apps" list.
  - Secondary-Question / To make things more complicated for the android-laymen: RethinkDNS lists also another system app Downloads. I don't know how Download Manager and Downloads are exactly related. Is Downloads an alias for Download Manager?
  - Secondary-Question 2: Using the RethinkDNS-internal App info-functionality associates Download Manager and the following: Sounds, Downloads, com.android.providers.media, MTP Host. I wonder whether that association is because RethinkDNS doesn't have a way to distinguish between these. It might however exceed the scope of this thread.
- Does Download Manager have the "All files access" permission? Or is it somehow implicitly allowed to write everywhere?
  - For information: On my devices, the configuration Settings > Apps > "> See all [...] apps" > [3-dot menu in upper right corner] > Show system > [scrolling down to ...] > Download Manager > Permissions says it had the following "Allowed": Network, Notifications, Sensors. The section "Not allowed" says "No permissions denied".
Secondly, there is the possibility for other Apps to invoke Download Manager.
- If they do so, was using a write access to shared (app-external) storage (via Download Manager) be regulated through the usual permission mechanics? Meaning it should be limited to specific standard directories (like /Documents, /Downloads ) or had to get explicit permission to "All files access", otherwise?

ryrona

Bimmy If you'd be willing to reveal tricks: Was there a simple online way to search for phrases of the phenomenon? Or did you fetch lots of code with git and did local text searches? Or even manual code walkthroughs?

I just did an internet search for "_basicconfig.json _rd.txt _td.txt" to see if something would show up as being associated with those filenames. I didn't know what I would get, but since those are very specific names, it was definitely worth a try. The only relevant search result I got was a single ticket filed against RethinkDNS github project. It mentioned those filenames. From there I found other tickets, and also a commit that mentioned those file names. And then I just read tickets and the code trying to get a rough understanding what functionality it is those filenames are related to and how it works, and it seemed to describe well what you had observed. I just used github's web interface, I didn't fetch any code.

Bimmy Either way, I'm still impressed. The theoretical possibilities for some random app doing this on the device were near infinite. Even narrowing down the search to RethinkDNS was a feat, even though I mentioned usage of RethinkDNS in some sibling thread.

Nah, I just guessed you might be using RethinkDNS with the in-app downloader disabled based on the search results.

ryrona Apps can apparently initiate downloads through Android Download Manager without asking for your confirmation, to any path they want. Websites cannot.

Also, sorry about the confusion this statement caused. I did not mean to imply an app can download files to any path, just that no user-interaction is needed to specify the path. It sounds reasonable that it is limited to the apps own storage and a dedicated downloads folder.

nandohyphen1

Bimmy I do not use RethinkDNS so I guess it couldn't be that.

Here's the thread that I had originally posted in
https://discuss.grapheneos.org/d/2485-cant-delete-ghost-file-from-downloads-in-files-app/28

@matchboxbananasynergy said;

This is an upstream AOSP issue, and based on reports I've heard, the files go away by themselves after a few days, so the issue should take care of itself without any manual intervention being required

But it has not gone away for me, unfortunately.

Probably9857

Bimmy

This may or may not answer some of your questions:

For applications targeting Build.VERSION_CODES.Q or above, WRITE EXTERNAL_STORAGE permission is not needed and the uri must refer to a path within the directories owned by the application (e.g. Context.getExternalFilesDir(String)) or a path within the top-level Downloads directory (as returned by Environment.getExternalStoragePublicDirectory(String) with Environment.DIRECTORY_DOWNLOADS).

https://developer.android.com/reference/android/app/DownloadManager.Request#setDestinationUri(android.net.Uri)

My translation: for apps targeting Android 10 or higher, downloads are restricted to the application's own folder, or the public Downloads folder

Bimmy

I consider outsourcing these questions about Download Manger into a separate dedicated thread, since I notice that I am about to hijack my own thread, which original question was answered.

It's still about Download Manager and potential unwanted downloads, but I admit that I am about to bloat it with follow-up questions and into offtopic-danger ... ;-)

nandohyphen1

I downloaded an APK file for an app today that I wanted to install. All went well, so I deleted it after installation. Then, out of the blue, 3 more of the exact same APK started to download! It happened so fast I couldn't interrupt the download. Now these files are in my downloads folder and they can't be deleted! How to get rid of them?
By the way, that th (1) file is still on my phone and still undeletable.

nandohyphen1

Update...
So that th (1) file let me delete it today. But I still have 3 APK files that I can't get rid of. They are all for the same thing and I only needed one. Now I can't get rid of any of them. I'll give it some time and see how it goes.