Hey all, long time lurker first time poster(unfortunately). Love Graphene to death. It has taught and shown me an incredible amount and there is so, so much here. I will try and keep this somewhat brief but I know from my years fixing PC's the more detail the better.
So, roughly a week ago I noticed that I wasn't getting as many daily notifications. Not a red flag but yellow. I passed this off as just coincidence. The following few days later I started to see barely any emails or email notifications come in through any of my clients. I thought simple malware, spyware or a dud app from f-droid paying not enough attn.
Fast forward to the last few days and it I wouldn't even call it Graphene anymore. Notifications were blatantly turned off for multiple apps and system apps. I couldn't update, unfamiliar system apps & processes...it was proper fu##ed. And yes the first thing I did was a factory reset. But upon setup, there were Odd changes. On some screens I couldn't go back. When I went to accessibility and changed options, went back then again into it, half the options were gone! In 15 secs. I knew then it was still infected, my thought was bootloader but again phones aren't my fortay.
But it got serious when my banking app, which worked flawlessly prior; when I'd receive a 2 factor SMS notification two bubbles with the code would appear. Instantly thought MiM, but I'm no expert. Then on phone to bank 3 times for up to 2.5 hours each time. Their tech team useless. For whatever reason no funds taken?
So here's where I'm at: (*ive had no pc/laptop until literally 20 mins ago) it would not let me boot into recovery, fastboot. It would show "no command". With a bit of time and ADHD I discovered if I pressed vol up, down and power three times simultaneously it would allow me into recovery at the error screen. Obviously tried factory format which came back error.
So I got caffeinated and for hours tried to find the /root or at least cripple it. I could barely force stop or disable anything. I'd open browser tabs to search a term, get dud results, tabs closed/changed. The sensitivity would change on the fly, as would keyboard letter spacing. I finally went into certificates, looked at the credentials of every single one and saw obvious frauds. So I un-ticked every single one. I went back to running apps, success! Sort of. I was able to at least stop/disable/turn off background data to a lot of the bastards.
I booted back into recovery, successfully wiped/formatted and was greeted with the stock grapheneos setup, omg the back button returned! Lol.
But. And there's always a bloody but, I made sure no WiFi or mobile data through setup. The second it hits the home screen, a notification for a sizeable update starts. Which I managed to stop yet I'm pretty damn sure the bitch is back. Its still 100% stock. 30 mins passed, as I was browsing through permissions I noticed unusual apps had 'modify system settings'. Apps like contacts, calendar and others. Now im looking at apps with 'all files access' and there are ten. One of them being 'rcsservices' which I thought graphene did not run??
What should/can I do?
What do to insure this doesn't happen again if resolved?
Is it true a target can now be infected simply by an SMS or email even if untouched?
How prevalent, common are nefarious USB cables and wall sockets, what are they capable of and what should I look out for?
-Phone hacked to the max
-managed to funk it off
-formatted, fresh install.
-99% sure still infected
-Hoping for help
Here's what I get from recovery:
Product revision: panther MP10
BootLoader vers: CLOUDRIPPER -1.0-989
Secure boot: PRODUCTION
NOS Production: YES
fast BOOT HW vers: MP1.0
Secure Boot: YES
Any and all feedback/help would be greatly appreciated and I will pay it forward by educating myself more, becoming active within the community and a donation. Cheers.