MMS attack

gustavoacab

Hi everyone.
I recently switched to GrapheneOS on a Pixel 7 after my Motorola got attacked over an "empty" MMS and possibly SMS messages. My SIM card got cloned and the attacker was able to make phone calls. I was alerted by one of the persons that received a phone call from my number. He reached out over WhatsApp asking who I was and why I was calling him and later shared a screenshot of the missed phone call, not a WhatsApp call. No other malicious activity was detected on other networks like email/bank/cloud/social media.
Yesterday I got the same MMS on my current device. It's an 145kb MMS with no visible content. If I recall correctly it's from the same sender, +55 1150. I'm worried my GrapheneOS device is somehow compromised, although no signs yet.
Is there a way to check for integrity of my device?
I'm also intrigued with the content of this MMS, but although I'm a software developer, I have no idea how to retrieve from local storage, parse and debug it. Could I get some help over here?
Thanks from Brazil

de0u

gustavoacab Is there a way to check for integrity of my device?

The first step would be to reboot the device and, when it comes to the yellow-triangle "different operating system" screen, press the power button briefly to stop it there. Then compare the "ID" which is displayed to the appropriate GrapheneOS signing-key hash for your device. Take the time to compare it completely, or maybe have somebody read the hash from the web page to you while you check what's on the screen. If you get the right answer, the OS on your device is legit, with a level of certainty which is much higher than for most Android devices.

If you wish, you can increase your degree of protection by following the directions for the Auditor app.

It's hard to know what to make of the MMS that your device isn't displaying. I have seen the default GrapheneOS Messaging app download an MMS but not display it -- it was something completely legitimate that I had sent via my carrier's e-mail-to-MMS gateway, though I don't remember what it was. Also, just because an MMS appears to come from +55 1105 doesn't mean it actually did, because there is a lot of SMS/MMS spoofing.

If you want, you could try using SMS Import/Export to dump your SMS and MMS messages to JSON, and then dig through to find the one that you are asking about. I'm not a forensics expert, so I won't make suggestions on that front.

gustavoacab

Just a correction, the origin of the MMS is 1105, not 1150

akc3n

gustavoacab

Just a correction,...

Note, the menu (⋯) on the bottom right of your message(s) has an 'Edit' option. :-)

de0u SMS Import/Export to dump your SMS and MMS messages to JSON

Thanks for sharing that @de0u

IksNorTen

Never allow automatic downloads in your SMS app. You can change it in your settings in advanced settings. Next time you receice a MMS your phone won't download it without your confirmation.