Manipulated website buys abo for 3rd-party services on my mobile-providerLT

xundeenergie

Today my wife did a websearch in vanadium on grapheneos on a pixel 7a
The websearch-result from duckduckgo.com she clicked was this

I don't want to write down the url in case of, it's a hacked and infected website.

It is a legitim result. It's ok for the thematic, she searched, and the location is ok. It looks like a report from a visit in the "Garten Tulln"... which is a well known exhibition in tulln.
So she clicked on the link in vanadium.

I heard her from the other room, "Oh no, what happens here now? Please help me!"
And she came to me, showing me the phone. She had closed the website and told me "something weird happened. So i closed this site". And then she received a sms with a buying-confirmation

and 2 minutes later an email with the same confirmation from the mobile-provider

I could verify the puchase in the customer-zone from the mobile-provider:

At this moment, i hat no time to investigate further, so i told her, to turn off the phone, so that a possible malware can not infect other computers in our network.

I called a friend to talk about this. He also has grapheneOS and knows, what I'm talking about.

He tried to open the page and got a 520 error from Cloudflare. A bit later he tried it again and reached the site. But it got redirected, and ublock blocks this redirection:

He told me, he fiddled around with this site on his computer, and the redirection finally wants to install something on his computer. Malware...
My first thought was, did i accidentially allow sideloading unknown apps for vanadium, when i installed her phone?

No:

So my fazit is:
She visited a site, which got hacked.
You can see a search https://duckduckgo.com/?q=site%3Aulrike-trebesius.de&t=fpas&ia=web which shows "normal" content indexed. And now it is most time blocked by cloudflare and sometimes the url redirects to a weird url, as shown above in the screenshot, which tries to install something via your browser.

Vanadium did not block this software, and it must be a very coicidence that opening this prepared website and becoming victim of some other fraud based on data from a data-breach. Because it was at the same time. Within less than a minute after opening this website.

Something downloaded and run by the browser could gather information about the phone-number and do a 3rd-party purchase from the browser.

That is the information, i could gather from this incident.
I tried to get the logfile, after i turned on the phone again, when i had time to investigate.
But the systemlog got deleted. It starts with the power on from me.
I did not know, that grapheneos deletes logfiles from the last boot before. If you think you need it. I can upload it somewhere.

I think, there is a vulnerability in vanadium or grapheneos and the infected website is able to exploit this vulnerabilty.

I need to know, what i have to do now. How can i find out, if there is really malware installed?
Is it enough to reset the browser?
Or should i reinstall grapheneOS from scratch?
Personally i tend to the second...
And how can we catch a possible vulnerability? I'm willing to help, to find out, what's going on. But i need support from people, who are more comfortable with android. I'm "only" a linux sysadmin.

Thank you
Jakob

Watermelon

xundeenergie I need to know, what i have to do now. How can i find out, if there is really malware installed?
Is it enough to reset the browser?
Or should i reinstall grapheneOS from scratch?

There's absolutely no need to reinstall GrapheneOS. There's a feature intended to be used instead: verified boot. A simple reboot is all you need to regain trust in the installed operating system. I recommend you to check her phone with the Auditor app. Examine the Auditor app's results, check that the reported security patch level is up-to-date, and that all other reported values match your expectations. There should be no device admin apps and no accessibility granted apps, as these are incredibly dangerous permissions. If there are, try to disable them, and then use the Auditor app again to ensure they've been disabled.

You can set dynamic code loading via memory to restricted on the Vanadium app. This will make the in-browser JIT toggle lack effect. There's no more need to enable JIT just for enabling WebAssembly in the newest Vanadium version, as they've recently enabled JIT-less support for WebAssembly. You can try rebooting the device after setting the exploit protection setting as I suggested, if you want to make sure that things are applied properly. And of course, make sure that Vanadium is up-to-date in the GrapheneOS App Store.

Edit: Which app is set as her default wallet app?

23Sha-ger

xundeenergie Something downloaded and run by the browser could gather information about the phone-number and do a 3rd-party purchase from the browser.

Nothing like this happened unless you have some sort of autofill
in Vanadium, and then it will ask you to fill a form with data that
is available, such as name, phone, address, ZIP.

This cannot happen without consent.
Rest assured that a real vulnerability in Chromium that allows
to install unwanted software (remote code execution) is sold
for very large amounts, so no one will waste this to hack some
website and make unathorized fraud whatsoever.
Call your carrier and reverse the charge for whatever crap you
clicked on, and block billing and premium numbers/SMS.

xundeenergie

Sorry... the image-links do not work in case of CSP-Header... and i can not edit the posting anymore.

de0u

xundeenergie It is likely possible to post the images via something like imgur, or put them in Proton Drive, and post links here.

xundeenergie

I posted them via https://img.adminforge.de/ and one via my nextcloud and a public link.

I can try it via imgur too... but i don't like this information in imgur... so i prefer privacy respecting services.

xundeenergie

Now i called the phone-provider. The lady on the line told me, such things happens often. And i have to call to the scammer to get my money back...

But i don't understand, how it can happen, that vanadium sends a purchasing sms from a manipulated website.

The manipulated website is https:// ulrike-trebesius dot de
I write the url in that way, so no one can click it accidentially.
Now this website is blocked by cloudflare. Last night it got redirected to a malicious site. And somehow it was possible, that a short message was sent from the GOS-Phone triggered by this website.

Vanadium has/had no permissions for phone-calls and sms. Only Network, Notifications ans Sensors permissions were given.

dc32f0cfe84def651e0e

xundeenergie Now i called the phone-provider. The lady on the line told me, such things happens often. And i have to call to the scammer to get my money back...

Submit a formal complaint by both your carrier and the customer rights' protection institution in your country. It is between you and your carrier, a third party has nothing to do here.

chinook

So, if I read it right, your wife fell victim to a scammer, and somehow this is GOS fault?

But i don't understand, how it can happen, that vanadium sends a purchasing sms from a manipulated website

It seems that in the initial message you said:

And she came to me, showing me the phone. She had closed the website and told me "something weird happened. So i closed this site".

So we don't even know what happened and it's still GOS fault?
I smell stale water and leaves (;

xundeenergie

Is WAP_Billing https://en.wikipedia.org/wiki/WAP_billing possible on grapheneOS an vanadium?
It looks like, this could be the reason for this problem.
And if it's possible... how can the confirmation for the billing be pressed automatically from the browser, without action from the user?

Novalissoide

xundeenergie it wasn't 'pressed automatically in the browser' from what you describe.

xundeenergie

Novalissoide
i told:
my wife just opened a website and closed the tab in case it looked strange and not what she was looking for. And then the she received a confirmation-sms about the purchase.
NO click after the websearch. The purchase happened only on opening the website.

xundeenergie

I found this document
marktwaechteruntersuchung-der-unbekannte-dritte.pdf

On page 11 I found this:

Auch die Bundesnetzagentur konnte entsprechend un-
seriöse Geschäftspraktiken dokumentieren. So antwor-
tete sie auf eine kleine Bundestagsanfrage, „dass [in
den nachgewiesenen Fällen] alleine der Aufruf einer In-
ternetseite im mobilen Internet ausreichte, um eine ent-
sprechende Abrechnung auszulösen.“

Which means in english:

The Federal Network Agency was also able to document
dubious business practices. In response to a minor inquiry from the Bundestag, it stated that “in the proven cases, simply visiting a website on the mobile internet was sufficient to trigger a corresponding charge.”

Now i'm still asking, why is this possible in grapheneos + vanadium?

MineralWater

It's neither the fault of Graphene OS, nor of Stock Android or whatsoever...

Those phone billing services are unrelated to the OS, they are running on the backend of your phone provider.

In Germany most providers (if not all) disable third party billing and the customers have to enable it actively.

Should be the same in most EU countries.

You can disable it for free on your provider website when logged in as a customer.

Some people activate it to pay in Play Store or pay for music streaming etc.

So again, this is something that is on your phone providers site. The OS can't tell if a payment is fraudulent or willfully.

If you don't want this to happen, disable third party services for your phone number in your customer account.

xundeenergie

MineralWater

i've deactivated those 3rd-party services in her settings on the phone-providers customer-zone after that. I'm not sure, it's many years ago... when she bought her new contract on this provider, i think i disabled that stuff all. But I'm not sure.

It was enabled at all (or again?)
But again... Normally you need a click to activate such a purchase. In this case, no click was done and neccessary... only opening the website did the purchase.

And this happens in vanadium on grapheneOS. So, this is, why i'm asking here and not somewhere else.

Is there no possibility to harden vanadium against such attacks? Or deploy permissions for WAP_billing to the browsers and other apps?
Is the only way to disable this on my mobile network settings on the phone-provider settings?

xundeenergie

Watermelon
Thank you for this information. This is, what i wanted. Really thank you!!!

The auditor-app gives me good results. All "no" except "Main user account" is "yes"

There is no default wallet app. We both do not use paying with our mobile phones. So i've nothing configured.

I enabled now the exploit protection and rebooted the device.
And auto update is enabled, so it's on the last patchlevel.

MineralWater

xundeenergie

If you are in Germany you can report this to the Bundesnetzagentur

https://www.bundesnetzagentur.de/DE/Vportal/TK/Aerger/Faelle/Drittanbieter/start.html

If there wasn't any redirect you don't have to pay this.

xundeenergie

I'm in austria.
I think, i have to report it to the RTR.
https://www.rtr.at/TKP/was_wir_tun/telekommunikation/konsumentenservice/schlichtungsverfahren/TKKS_Schlichtung.de.html

dc32f0cfe84def651e0e

This is why it is important to use VPN.

MineralWater

dc32f0cfe84def651e0e

A VPN won't help. The billing is connected to a phone provider. When you got a sim or esim in your phone, the billing can be started.

Only way to prevent this is blocking third party billing or not having a sim at all.

dc32f0cfe84def651e0e

MineralWater It will. The billing provider will see connection from VPN IP, not the internal connection from the carrier side.

MineralWater

dc32f0cfe84def651e0e
That is not how this billing process works. It's tied to the telephone number on the sim, the billing process is handled via the cell network.

The IP is completely unimportant here.