Using Samsung J7 Prime, Android Nougat.

I was using the Facebook app yesterday, when suddenly, a downloading icon appeared in the status bar. I had done nothing, clicked no links, no website was open; even in the Facebook app itself I was checking the settings, not browsing. By the time I had managed to pull down the notification screen to see what it was, it had disappeared. It all happened in a matter of split seconds, so fast that I barely had the time to blink. I think I managed to catch a fleeting glimpse of what was downloading, but really I cannot say for sure, it was that fast. I know for a fact that some apps like Google Play and Instant Apps often get downloaded this way, but I have ESET Premium installed that monitors every download, even the Google Play ones, and when I checked ESET's activity log, there were no recent downloads. I checked the Downloads folder from My Files too, nothing there. Yet, I saw the notification, I saw the install process progressing.

Point to be noted, my Facebook app itself was last updated 3 days ago. I am a very security-cautious person, I have auto-update for all apps, and install them ASAP. However, possibly due to my data limits or something, the app didn't get updated, because when I checked in the Play Store there was another update available already. I don't know if 3-day-old software can leave you vulnerable to zero-day attacks, but since it happened while only Facebook was open, it leads me to worry so. Or maybe some existing malware on my phone became active.

I would appreciate some guidance as to what I can do now. I know the exact time this happened; if I could access the events/activity log or notification/status bar history by some means, I will be able to pinpoint exactly what the download was for. I know there are some notification history third-party apps available in the Play Store, but they all record the history after installing; they don't give history of what went down before the app was installed.

Would truly appreciate some help. Thanks in advance.
11-18-2018 01:46 PM
Okay, so I was not crazy and seeing things apparently. Today, through sheer luck, I managed to find this thread that describes the exact issue I had.

However, that was about it. The person who replied there did not know anything about it except for the fact that it was PHP code or something. Also, the original starter of the thread had reset his phone and it had happened again, so now I'm not sure if resetting will actually help. I haven't tried resetting yet; I will, but don't know if that will actually solve the issue.

I tried searching for the phrase "attackers on <b>%1$s</b> might atte..." on Google and nothing specific to the issue came up, just a bunch of generic information articles about network attacks and man-in-the-middle and DDoS attacks.

Now I'm really worried out of my mind. I had suspected it was possibly a zero-day or network attack, but now it seems to be confirmed. I wasn't even using Wi-Fi, I rarely do.

If any of you know anything about this, or can suggest possible solutions for such attacks, please please do. It's really urgent; it's been 4 days since the incident and I'm using the phone as is, I don't know what to do.

Any suggestions or help will be useful. Thanks
11-21-2018 03:06 PM
I'll move the thread to General Help, where it may fare better.
11-21-2018 06:00 PM
@RayRay226 If you are really security conscious you would not use Facebook. If you still wanted to anyway, you would use a browser to access their site and remove their app and its permissions to monitor, use up and slow down your phone.
11-22-2018 12:30 AM
@methodman89 I know, Facebook has dropped the ball several times over the last few months, and with the amount of private data it stores, it's basically spyware on its own. The only reason I haven't been able to ditch it and its family of apps yet is because, being in marketing, I kind of need to use it.

Good idea about the app thing, though Facebook came preloaded on my device; it's a Samsung, so it shows up as a system app and doesn't give uninstall, just disable. Will disabling work?

Also, any idea about that download thing in my original post? I still don't know what to make of that unusual notification, and wonder if my network got compromised already.

Thanks a lot.
11-22-2018 08:19 PM
This is normal behavior.

I've witnessed the very same event (notification of a download in progress, but by the time you swipe down the screen, you only catch a glimpse of the progress bar before the whole thing disappears).

By "normal" I mean that events such as this correlate with activity by (on my Samsung S4) the app "Download manager, Downloads, Media Storage".

Since I have a firewall on my phone, it's gotten me intimately familiar with what apps are necessary (at least their internet connectivity) for the phone to function.

I've also been using tools such as Wireshark and Network Monitor (both packet capturing & interpretation software) for many years, and also web capturing proxies that allow me to view the traffic of web applications. The web proxy will even generate a root CA that you can install in your browser, allowing you to view HTTPS encrypted traffic. (This is not installed on the phone; I have to set up a proxy to re-route the phone's traffic to my desktop.)

So, what I'd like to get across is that there is MUCH more traffic going through your phone that doesn't correlate with events that you see happening on your phone. Even when your phone appears to be "idle", it's far from it. There are constant requests / responses from Google Account Manager, Android System, etc. And Chrome is very special: even when the app is closed it phones home to Google. If I firewall the Chrome app, it still phones home. I can write custom rules to block all of Google's address ranges and that does work, but at a price.

In fact, I have allowed most of Google's apps to communicate because even though firewalling them doesn't harm the phone's functionality (except for the obvious) there are annoying side-effects:

When an app fires off a request and doesn't get a response, it, being a dumb app, doesn't know it's being firewalled. So it makes DNS requests and tries again. Makes more DNS requests and tries yet again. Wash, rinse, repeat. So eventually your router / modem becomes overwhelmed with constant DNS requests, requiring you to reboot the devices maybe a couple of times a day.

I would venture a guess that one of the most common downloads that you don't actually personally initiate is Google Maps updating map info.

When using any given enterprise-level app or web app, you are communicating not just with the obvious domain and subdomains (like facebook.com or xxx.facebook.com) but a whole plethora of 3rd parties. These oftentimes measure in the 100s. Different domains for JS frameworks / libraries, CSS, fonts, 3rd party trackers in addition to their own tracking. Not allowing 3rd party cookies makes people feel better, but the information is traded in real time, on the fly.

I'll often see requests for image files that are just excuses to send GET or POST requests that contain mass amounts of key / value pairs, and the "image" that comes back in the server response will not even render; it only contains GIF header info and no real content.

I would post examples of some pretty eyebrow-raising FB JS objects (they're using your CPU cycles to guess your gender and other things I won't mention), but I would be potentially violating their TOS.

If you use the client CPU cycles to mine Bitcoin, everybody goes bananas, but they can eat up your CPU cycles analyzing your behavior and nobody cares. This is stuff that could be done server-side but is much more cost-effective for them to do it in a distributed fashion. It's frankly amazing what FB in particular does client-side.

Honestly, if everyone were to wake up tomorrow with the tooling and ability to read & interpret their network traffic, people would throw their phones in the river and hide under their beds.
11-27-2018 02:59 AM
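The "image" requests described in the post above (a GET or POST carrying a pile of key/value pairs, answered by a GIF that is little more than a header) can be picked out of a proxy capture mechanically. The following Python is an added example, not the poster's code and not from any tool they name: it parses just enough of a GIF to tell whether the response body actually contains an image descriptor, counts the parameters sent with the request, and flags an exchange as a likely beacon only when both the request side and the response side look wrong. The sample exchanges, hostnames and the `MIN_PARAMS` threshold are constructed for illustration, not captured traffic.

```python
"""Flag image fetches that behave like tracking beacons (added example)."""
import struct
from urllib.parse import parse_qsl, urlsplit

# Threshold is an assumption chosen for this example, not taken from any tool.
MIN_PARAMS = 8


def parse_gif(body: bytes) -> dict:
    """Read the GIF header and walk blocks until the first image descriptor.

    Returns the logical-screen dimensions and whether an image descriptor
    (0x2C) appears before the trailer (0x3B); a "header-only" GIF has none.
    """
    if len(body) < 13 or body[:6] not in (b"GIF87a", b"GIF89a"):
        return {"is_gif": False, "width": 0, "height": 0, "has_image_data": False}
    width, height, packed = struct.unpack("<HHB", body[6:11])
    # Bit 7: global colour table present; bits 0-2: its size exponent.
    gct_bytes = 3 * (2 ** ((packed & 0x07) + 1)) if packed & 0x80 else 0
    pos = 13 + gct_bytes
    has_image = False
    while pos < len(body):
        block = body[pos]
        if block == 0x2C:  # image descriptor: real pixel data follows
            has_image = True
            break
        if block == 0x21:  # extension: label byte, then 0-terminated sub-blocks
            pos += 2
            while pos < len(body) and body[pos] != 0:
                pos += body[pos] + 1
            pos += 1
            continue
        break  # trailer (0x3B) or malformed data: stop walking
    return {"is_gif": True, "width": width, "height": height, "has_image_data": has_image}


def beacon_reasons(exchange: dict, min_params: int = MIN_PARAMS) -> list:
    """Collect independent signals that an image fetch is really a beacon."""
    reasons = []
    params = parse_qsl(urlsplit(exchange["url"]).query, keep_blank_values=True)
    if exchange.get("method") == "POST":  # form-encoded POST bodies count too
        params += parse_qsl(exchange.get("request_body", ""), keep_blank_values=True)
    if len(params) >= min_params:
        reasons.append(f"{len(params)} key/value pairs sent for an image fetch")
    if exchange.get("content_type", "").startswith("image/gif"):
        gif = parse_gif(exchange["response_body"])
        if gif["is_gif"] and not gif["has_image_data"]:
            reasons.append("GIF response is header-only (no image descriptor)")
        elif gif["is_gif"] and gif["width"] * gif["height"] <= 1:
            reasons.append("1x1 GIF response")
    return reasons


def is_beacon(exchange: dict) -> bool:
    """Flag only when request and response both look wrong, to limit false positives
    (a signed CDN image URL also carries many parameters but returns a real image)."""
    return len(beacon_reasons(exchange)) >= 2


# ---- constructed sample exchanges (not captured traffic) ----
def _gif(width: int, height: int, with_image: bool) -> bytes:
    """Build a minimal GIF body; pixel data bytes are placeholders for this parser."""
    body = b"GIF89a" + struct.pack("<HHB", width, height, 0x80) + b"\x00\x00" + bytes(6)
    if with_image:
        body += b"\x2c" + struct.pack("<HHHHB", 0, 0, width, height, 0) + b"\x02\x02\x44\x01\x00"
    return body + b"\x3b"


BEACON_QUERY = "uid=123&sid=abc&ev=view&ts=1&ref=x&sw=1080&sh=1920&tz=6&lang=en&dpr=2"
SAMPLE_EXCHANGES = {
    "pixel_header_only": {"method": "GET", "url": f"https://tracker.example/p.gif?{BEACON_QUERY}",
                          "content_type": "image/gif", "response_body": _gif(1, 1, False)},
    "pixel_post": {"method": "POST", "url": "https://tracker.example/collect.gif",
                   "request_body": BEACON_QUERY, "content_type": "image/gif",
                   "response_body": _gif(1, 1, True)},
    "real_logo": {"method": "GET", "url": "https://static.example/logo.gif",
                  "content_type": "image/gif", "response_body": _gif(2, 2, True)},
    "signed_cdn_image": {"method": "GET", "url": f"https://cdn.example/photo.gif?{BEACON_QUERY}",
                         "content_type": "image/gif", "response_body": _gif(2, 2, True)},
}

if __name__ == "__main__":
    for name, ex in SAMPLE_EXCHANGES.items():
        print(f"{name:18} beacon={is_beacon(ex)} reasons={beacon_reasons(ex)}")
```

Run against a real export from an intercepting proxy, the `exchange` dicts would be filled from each request/response pair; the two-signal rule is what keeps legitimate image CDNs with long signed query strings from being flagged, while a header-only or 1x1 GIF answering a parameter-heavy request is reported with both reasons.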