Can my data be compromised after failed attempt to backup with 3rd party software?

Ollie321

New member
Jan 28, 2018
So I was going to reset my old S7 and wanted to back up the phone before I erased everything. I kept coming across Wondershare Dr. Fone. I was tried and seemed fairly simple and since there were no obvious scam/hack alerts to be found just quickly browsing, I thought I'll give it a whirl. Should not have run it, apparently.

So I connected via USB to Windows and started the program -> Phone instantly went to download mode and apparently the software is trying to root or set some firmware to gather data -> Software doesn't work and phone stuck in endless bootloop -> recovery mode gives no command but starts after hanging a few seconds, 10 or so -> Do a factory reset from recovery and log back into previous Google account required, so I do it and do a normal reset -> Reset goes in normal but when setting up clean phone it gives me a security alert "unauthorized activity noticed" and device security guides me to restart phone to reset changes.

Really spooky not knowing what the software did! Can you guys please help me figure out? Didn't find anything on the web that indicates Dr. Fone stealing data or hacking, just ripping off payments.

- How do I know I'm on stock ROM and nothing suspicious was left on the phone?
- Should I flash stock ROM just in case?
- Can my personal data, passwords etc. be compromised if I don't use the phone?
- Could the Windows app itself have gathered personal info somehow? Can I check it out from logs? I have the logs in AppData.

I found out that after factory reset I'm getting a security alert even though firmware and everything else seems original. Could this be the Knox eFuse that triggered when software tried to root? Can I check the firmware somehow for possible flaws/changes?

Seems like there are plenty of people in trouble with Dr. Fone gone bad, maybe we could help others too. Tell me if you need photos. Thanks in advance!
 

Rukbat

Retired Moderator
Feb 12, 2012
Can it be compromised? Of course. Was it compromised? I don't know enough about Wondershare to be able to answer that. But with backing up being so easy (see Backing up an Android Device), there's no reason to use Dr. Fone.

- How do I know I'm on stock ROM and nothing suspicious was left on the phone?
Back it up, then reflash the firmware (see [Samsung] How to flash Stock ROM via ODIN).

- Can my personal data, passwords etc. be compromised if I don't use the phone?
If they got them, and use them, sure. As I said, I don't know enough about them to say. (I'm retired now, but I spent decades with my nose [and my computer] in other people's data - and nothing was ever "compromised". But if a client in Chicago had a customer in NYC, and the customer's phone number began with 312, I'd change it. Then forget it as soon as I went to the next record.)

- Could the Windows app itself have gathered personal info somehow.
Of course.

Can I check it out from logs? I have the logs in AppData.
I doubt that, if they were stealing your data, they'd log that. (You may have logs that show that their program ran, but you have no logs showing what they did with your data.)

I found out that after factory reset I'm getting a security alert even though firmware and everything else seems original. Could this be the Knox eFuse that triggered when software tried to root?
Could? Yes. Did? Most likely not. Reboot to Download (Volume Down/home/Power) and look at your fuse listing (it's listed at the top - Knox Warranty Void: 0x0 is not tripped, otherwise the number after 0x is the number of times it's been tripped).

- Can I check the firmware somehow for possible flaws/changes?
Not easily - just reflash it.
 

Ollie321

New member
Jan 28, 2018
How exactly does the Knox counter check work?
Do I need adb for that?

If it's not triggered then flashing stock would mean the phone is again valid for normal use, especially if done in a licensed shop? Thinking reflashing stock in a shop won't really cost much.

Dug into the info I could find on my PC and nothing seems out of the ordinary. Ran pretty much everything, Rkill -> Malwarebytes -> Bitdefender, and there is nothing that suggests any harmful files with Dr. Fone. Event Viewer only shows normal activity any legit program would do, only 1 error from that time:

.NET Runtime Optimization Service (clr_optimization_v2.0.50727_32) - Tried to start a service that wasn't the latest version of CLR Optimization service. Will shutdown

So nothing currently implies any kind of theft. No alerts of unauthorized logins or active sessions on other devices. I mean the phone in question is my old phone so I haven't used it at all after the procedure. I just want to make sure. Is there anything else I can do except change passwords to be sure? I would assume changing the password revokes tokens with Google, Facebook, Instagram etc.?
 

Ollie321

New member
Jan 28, 2018
Status update: checked Odin mode and it showed:

CURRENT BINARY: Samsung Official
SYSTEM STATUS: Custom
WARRANTY VOID 0x0000

Reflashing stock ROM (had to do it twice) fixed it and now it's normal:


CURRENT BINARY: Samsung Official
SYSTEM STATUS: Official
WARRANTY VOID 0x0000

So either I got a security alert because the download mode was interrupted and didn't reach the point of eFuse triggering but left something in a wrong state or... because something actually found its way to the system. Only difference I noticed application-wise was that custom had "a" Game optimization service and official didn't. Might have missed something and of course if there was something disguised I wouldn't know just by browsing through. Lesson: stay the **** away from all this easy fix kind of crap and actually study :-[

Windows itself shows absolutely clean status even after running every check in safe mode. Haven't checked with the big guns yet because there's no implication of having the need to use them. Nothing out of the ordinary. I currently believe my main concern is logging into Google to reset FRP lock after factory reset with custom OS? This ought to be taken care of by changing passwords and checking account security settings are up to date?
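
Added example, not part of any post in this thread: a small Python check over a download-mode readout typed out by hand, using the three fields quoted above. The function names are hypothetical, the two sample readouts are constructed from the ones posted in the thread, and the only rules applied are the ones the thread itself gives (a warranty value of 0x0 means the fuse is not tripped; a status other than "Official" is what preceded the security alert).

```python
import re

# Constructed samples: the readouts quoted in the thread, before and after reflashing.
BEFORE = "CURRENT BINARY: Samsung Official\nSYSTEM STATUS: Custom\nWARRANTY VOID 0x0000"
AFTER = "CURRENT BINARY: Samsung Official\nSYSTEM STATUS: Official\nWARRANTY VOID 0x0000"

REQUIRED = ("CURRENT BINARY", "SYSTEM STATUS", "WARRANTY VOID")
# Accepts "WARRANTY VOID 0x0000" as well as "Knox Warranty Void: 0x0".
FIELD = re.compile(
    r"^\s*(CURRENT BINARY|SYSTEM STATUS|(?:KNOX )?WARRANTY VOID)\s*:?\s*(.+?)\s*$",
    re.IGNORECASE,
)

def parse_readout(text):
    """Return the recognised fields of a download-mode readout as a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            key = m.group(1).upper().replace("KNOX ", "")
            fields[key] = m.group(2)
    return fields

def assess(text):
    """Return a list of findings; an empty list means nothing stands out."""
    fields = parse_readout(text)
    findings = [f"{name} not found in readout" for name in REQUIRED if name not in fields]
    for name in ("CURRENT BINARY", "SYSTEM STATUS"):
        value = fields.get(name)
        if value is not None and "official" not in value.lower():
            findings.append(f"{name} is '{value}', not Official")
    raw = fields.get("WARRANTY VOID")
    if raw is not None:
        m = re.search(r"0x[0-9a-fA-F]+", raw)
        if m is None:
            findings.append(f"WARRANTY VOID value '{raw}' is not a hex number")
        elif int(m.group(0), 16) != 0:
            findings.append(f"WARRANTY VOID is {m.group(0)}: Knox fuse tripped")
    return findings

if __name__ == "__main__":
    for label, text in (("before reflash", BEFORE), ("after reflash", AFTER)):
        print(label, "->", assess(text) or "nothing stands out")
```

An empty result only says the bootloader reports official software and an untripped fuse; it does not show what ran on the phone before the reflash.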
 
