1. bluebits
    Hi,

    There was a security breach in my home network, and the Android devices connected to the home wifi were infected. There were logged signs of tampering with the anti-virus, unauthorized access to Google accounts and unrecognized credit card purchases. The infection was treated with a clean install of Windows on the desktop and a Factory Reset of ALL four connected Android devices. I did my best to avoid cross infections by carefully disconnecting the internet and resetting them one by one.
    There are still signs of infection after the factory reset!

    => Google activity logs show that Android device1 has logged access to hxxp:com.iu.ad_phase_0 multiple times during periods of no/low device activity
    => Android device1 opened a window with an alarming message that "this phone has a dangerous trojan!" from:
    Code:
    hxxp://launchacross.bid/ferbirthidcoms/hicahdxgams?
    => The message above appeared by only clicking on the Chrome app. The phone was immediately turned off without any action on the window.
    => Android device2 cannot open Google Play Store for reinstallation of apps. The error message is "Unfortunately, Google Play has stopped working".

    There is a total of 4 Android devices connected to the home network: two Samsung devices (A5 and J5), one LG device (K10), and one Samsung tablet (Galaxy Tab 4). At this point I have no reason to trust any of them. Anti-virus was the premium paid version and was enabled on all the devices prior to the infection. It shows clean scans now, but it never warned of anything prior either. None of the devices were rooted, nor was rooting ever attempted. There were no cracked applications or P2P programs installed.

    Please advise.
    03-02-2018 10:45 AM
  2. B. Diddy
    Welcome to Android Central! Does this also happen in Safe Mode for any of those devices? The steps for the A5 should work for the J5 and Tab 4 as well.

    How do I use Safe Mode on my Galaxy A5? | Samsung Support UK

    https://support.t-mobile.com/docs/DOC-31115
    03-02-2018 04:42 PM
