100% positive phone hacked to the hilt.

Socionn

Hey all, long time lurker first time poster(unfortunately). Love Graphene to death. It has taught and shown me an incredible amount and there is so, so much here. I will try and keep this somewhat brief but I know from my years fixing PC's the more detail the better.

So, roughly a week ago I noticed that I wasn't getting as many daily notifications. Not a red flag but yellow. I passed this off as just coincidence. The following few days later I started to see barely any emails or email notifications come in through any of my clients. I thought simple malware, spyware or a dud app from f-droid paying not enough attn.

Fast forward to the last few days and it I wouldn't even call it Graphene anymore. Notifications were blatantly turned off for multiple apps and system apps. I couldn't update, unfamiliar system apps & processes...it was proper fu##ed. And yes the first thing I did was a factory reset. But upon setup, there were Odd changes. On some screens I couldn't go back. When I went to accessibility and changed options, went back then again into it, half the options were gone! In 15 secs. I knew then it was still infected, my thought was bootloader but again phones aren't my fortay.

But it got serious when my banking app, which worked flawlessly prior; when I'd receive a 2 factor SMS notification two bubbles with the code would appear. Instantly thought MiM, but I'm no expert. Then on phone to bank 3 times for up to 2.5 hours each time. Their tech team useless. For whatever reason no funds taken?

So here's where I'm at: (*ive had no pc/laptop until literally 20 mins ago) it would not let me boot into recovery, fastboot. It would show "no command". With a bit of time and ADHD I discovered if I pressed vol up, down and power three times simultaneously it would allow me into recovery at the error screen. Obviously tried factory format which came back error.
So I got caffeinated and for hours tried to find the /root or at least cripple it. I could barely force stop or disable anything. I'd open browser tabs to search a term, get dud results, tabs closed/changed. The sensitivity would change on the fly, as would keyboard letter spacing. I finally went into certificates, looked at the credentials of every single one and saw obvious frauds. So I un-ticked every single one. I went back to running apps, success! Sort of. I was able to at least stop/disable/turn off background data to a lot of the bastards.

I booted back into recovery, successfully wiped/formatted and was greeted with the stock grapheneos setup, omg the back button returned! Lol.

But. And there's always a bloody but, I made sure no WiFi or mobile data through setup. The second it hits the home screen, a notification for a sizeable update starts. Which I managed to stop yet I'm pretty damn sure the bitch is back. Its still 100% stock. 30 mins passed, as I was browsing through permissions I noticed unusual apps had 'modify system settings'. Apps like contacts, calendar and others. Now im looking at apps with 'all files access' and there are ten. One of them being 'rcsservices' which I thought graphene did not run??

What should/can I do?
What do to insure this doesn't happen again if resolved?
Is it true a target can now be infected simply by an SMS or email even if untouched?
How prevalent, common are nefarious USB cables and wall sockets, what are they capable of and what should I look out for?

TL;DR
-Phone hacked to the max
-managed to funk it off
-formatted, fresh install.
-99% sure still infected
-Hoping for help

Here's what I get from recovery:
Product revision: panther MP10
BootLoader vers: CLOUDRIPPER -1.0-989
Secure boot: PRODUCTION
NOS Production: YES
UART: DISABLED
fast BOOT HW vers: MP1.0
Secure Boot: YES
Baseband: g5300g-230525

Any and all feedback/help would be greatly appreciated and I will pay it forward by educating myself more, becoming active within the community and a donation. Cheers.

Graphite

Socionn unfamiliar system apps & processes

Can you specifically list which apps and processes are unfamiliar?

Socionn When I went to accessibility and changed options, went back then again into it, half the options were gone

I know it's normal behavior in the Accessibility submenu to disable some options if the app isn't unrestricted by going into it's App Info permissions

Socionn went into certificates, looked at the credentials of every single one and saw obvious frauds

Can you give a few examples. Certificate Authorities from other countries are common, but can look shady.

Socionn unusual apps had 'modify system settings'. Apps like contacts, calendar and others

I believe those are necessary for system apps.

Socionn Is it true a target can now be infected simply by an SMS or email even if untouched?

Yes, but only if there is an unpatched vulnerability. GrapheneOS is kept pretty up to date.

Socionn How prevalent, common are nefarious USB cables and wall sockets, what are they capable of and what should I look out for?

BadUSB devices infect by emulating a keyboard (HID) device and rapidly typing keystrokes to execute or download a payload. The default setting is to only allow USB accessories when unlocked. But even in that case, you'd see it try to type something. It works on Desktop a lot easier since there are simple keystrokes to open a terminal. Not really going to work on Android. If you've got an infected PC and your device has ADB debugging enabled, then it could try to infect your device in the background, but again, Android will prompt for confirmation to trust the PC that wants to send commands.

What hash does your bootloader display when starting up and warning that there is a custom OS?
It kinda sounds like hardware issues, which persist no matter what software you have.

treequell

Socionn Hi there, sorry to hear you've been facing some issues with your GrapheneOS device. I don't want to make any assumptions about what has or hasn't happened to your device. Let me try address some of the points in your post, and hopefully that will help you towards clearing this up.

Socionn roughly a week ago I noticed that I wasn't getting as many daily notifications.

Could you provide some more information about how you have push notifications set-up on your device? Are you using Google Play Services for push notifications, or the implementation of the apps themselves for push notifications?

Socionn following few days later I started to see barely any emails or email notifications come in through any of my clients.

When you say that you missed push notifications for emails, were you able to still read the new emails that you missed notifications for in your email app?

Socionn I couldn't update

Please could you open Settings > About phone, and tell me which build number you are currently on?

Socionn On some screens I couldn't go back

Are you using gesture navigation or three button navigation? You can check that in Settings > System > Gestures. It sounds like you might have switched to gesture navigation, but be used to using three button navigation.

Socionn it would not let me boot into recovery, fastboot. It would show "no command".

The screen with "no command" is recovery mode. No command means that recovery is waiting for a command to be passed. To access the recovery mode GUI from that screen, hold the power button and press the volume up button a single time.

Socionn What should/can I do?

Have you performed verification of your device? There are two things you can do.

Check that when you boot your phone, you see the screen with the yellow triangle and warning stating that you're running a different operating system. That means your phone is passing verified boot. You can check the boot key hash using the instructions here: https://grapheneos.org/install/web#verified-boot-key-hash
Perform verification of your device with the Auditor app. You can do local verification if you have another Android device, or otherwise remote verification works too. Instructions are provided here: https://grapheneos.org/install/web#hardware-based-attestation

Hope that helps to answer some of your questions. Do let me know the answers to the questions I've given you, and we can take it from there.

Hb1hf

Graphite Certificate Authorities from other countries are common, but can look shady.

Is there a place where we can check what certificates come pre-installed with a fresh GOS install?

Because after seeing this post I went to check my certificates and you're absolutely right, some of them do make one want to remove them asap.

Socionn

italian_job

Graphite Can you specifically list which apps and processes are unfamiliar?

I should have taken screens. My memory is shocking. Exact apps and processes aside, the entire OS was tilted. Permissions would change on the fly, notification settings would too. That's two of twenty examples I could rattle off.

Foreward though: I myself don't blackhat, but I do mingle with some who do. I can't rule out spending a night at said house and them not being the culprits.

For example, I've been going through settings meticulously and honestly there is around 40% more than before. Complete categories.

Graphite Yes, but only if there is an unpatched vulnerability. GrapheneOS is kept pretty up to date.

Did I mention that among the 9 hour chaos last night it would not let me check for updates? If not, I definitely should have.

Graphite BadUSB devices infect by emulating a keyboard (HID) device and rapidly typing keystrokes to execute or download a payload. The default setting is to only allow USB accessories when unlocked. But even in that case, you'd see it try to type something. It works on Desktop a lot easier since there are simple keystrokes to open a terminal. Not really going to work on Android. If you've got an infected PC and your device has ADB debugging enabled, then it could try to infect your device in the background, but again, Android will prompt for confirmation to trust the PC that wants to send commands

I've heard of USB cables and wall sockets disguised as well. Is this true? I've only had my phone for 3 months and I've never once connected it to a PC/laptop.

Graphite Can you give a few examples. Certificate Authorities from other countries are common, but can look shady.

(Aain I should've screened it) after studying every one of them I know that even the legit ones had fields left out but these ones for example: the serial number would be 07, blank on organisational unit, had some words starting with capital's, others with lower case. For the life of me I wish I could recall the names but again, I was only able to force close these processes & apps and subsequently successfully wipe/format, after turning off the certs.

I bought this pixel w/ graphene already installed but from my limited, early mid 2010's era flashing with Odin; I presumed the device would no doubt have to be rooted?

Can you recommended any decent system scan apps?

Thank you immensely for the reply! I will reset and post the info from the startup screen which I do still get.

Socionn

treequell Could you provide some more information about how you have push notifications set-up on your device? Are you using Google Play Services for push notifications, or the implementation of the apps themselves for push notifications?

Sure. At initial suspicion, I had play services sandboxed but strictly so my banking app wouldn't crash. I'm using the apps themselves for notifications and had no third party app to dictate notifications (if such app exists).

treequell When you say that you missed push notifications for emails, were you able to still read the new emails that you missed notifications for in your email app?

I should have elaborated on this point. Yes, I would have to manually check my clients and they would have some unread in the inbox. But I failed to mention the volume of emails just dropped completely. I would say on average, prior; I'd receive an email roughly every 15-30 minutes. Probably less. Said day after that I would open my usually bursting inbox and find <5. I'm an email junkie plus I'm old and I like the format; its formal. Since the 90s its never been that low.

treequell Please could you open Settings > About phone, and tell me which build number you are currently on?

Currently: TQ3A.230605.012.2023062300. What also stopped happening were the auto updates and following resets. I was just too flat out with work to notice. And then two nights ago, when I started getting serious, it flat out refused to search for updates.

treequell Are you using gesture navigation or three button navigation? You can check that in Settings > System > Gestures. It sounds like you might have switched to gesture navigation, but be used to using three button navigation.

.I have used gesture the entire time. I couldn't gesture back but when I say 'back' in this instance I'm referring to the small back < Button bottom left of the setup screen. It was not there persistently until I formatted and fresh setup after all of the above.

treequell The screen with "no command" is recovery mode. No command means that recovery is waiting for a command to be passed. To access the recovery mode GUI from that screen, hold the power button and press the volume up button a single time

Lol. Here I am thinking I've cracked enigma 2.0. :p

treequell boot hash, auditor.

I will run them both this morning and report back. Mind you, the auditor app is now present. It was 100% gone prior.

Thanks heaps for your time and input.

[deleted]

Socionn Looking in mine I see similar ones, blank organization unit with 2 digit sn.

Also the no command thing.

And I also have 16 system apps with modify system settings including rcsservice.

Think these are normal things.

Also have had inexplicable issues with notifications before too that I just had to fix this trial and error.

Socionn

[deleted]

[deleted] Think these are normal things.

Thanks for the reply. Some of them may be, yes. But how else do you explain me logging into my bank to make a payment, receiving two notification bubbles with the 2 factor- then at around the same time, an alert email from my bank that a new device has been registered, a Samsung. As I've said, one of many many incidents I can mention. I 100% see where you're coning from. My trade background is in consumer electronics. Namely, audio and video and as we were told in class decades ago, "over 90% of technical issues are user based. Fact. So your call outs will be painful." Lol.

[deleted]

Socionn When you say 2 bubbles, do you mean you get 2 separate texts as in it shows two in the message thread? I've also had different apps misidentify my device as something different or just unknown. I guess it would just be incredible if you had malware that somehow passed verified boot and survived a reboot, unless some program has admin or accessibility privileges? To be clear not saying it isn't, just my understanding is that would typically be a highly targeted attack that cost a lot of resources.

Socionn

Current check