Could my Galaxy S6 Active be infected with a rootkit?

CodeReub
May 11, 2018
I have had some concerns the last few months that my phone may be infected at a low level. Periodically (oftentimes around a certain time of the day) my phone makes a bleeping sound and when I open it I find the S Finder program open.

I have tried a number of methods to try to combat this, short of a full factory reset. Among them, I have denied privileges to nearly all apps (including numerous system apps I'm not sure what they do) to change system settings and have denied other permissions to most apps. I have also run free scanners of both McAfee and MalwareBytes, but both indicate the operating system is healthy. I have not rooted my phone.

• My first question is: Is it even possible for malware to install a rootkit on an Android device that has not been rooted? I read an article that said there is malware capable of doing so, but I'm not 100% sure I trust the article as legitimate.
• A second question is: If I factory reset the phone, will it even remove a rootkit?
• Third: If factory reset will not accomplish the task, is it possible to root the phone and remove a rootkit manually? I assume I would have to have a copy of a healthy system configuration file from a similar device to even begin something like that.
• Are there any other suggestions for dealing with something like this?
• Finally: Would I be better served, in the words of the late great Easy-E, "to throw it in the gutter and go get anutter"?

Thanks in advance for any help :confused:
 
Welcome to Android Central! From what you describe, I wouldn't immediately jump to the conclusion that the phone is infected. Is the bleeping sound the same as the default notification tone, or is it something you've never heard before? If NFC is on, turn it off and see if it happens again.
 
Thanks for your reply B. Diddy,

The beeping is not the default notification tone, which I have set to a sound I recognize. It may be the system action notification tone that the phone uses when it goes on the charger and so forth, but it usually happens unexpectedly and the phone is typically in my pocket when it does, so I can't say that it is the same sound with any certainty.

The issue does seem to involve NFC as I found a bunch of outgoing data sent by the NFC Beaming Service — a lot of stuff with names of things I don't particularly want shared like Camera Iris Test, Smart Face, Key Chain, Samsung Pay Framework, and lots of other stuff. As far as I know, I never really use NFC and typically keep it turned off, nor do I use Samsung Pay. I don't know if some legitimate application could have activated the Beaming Service in the meantime as I haven't really paid much attention to that setting recently.

It just troubles me that I regularly find the S Finder application open when I know I did not initiate the action and that it does seem to happen around a certain time of the day — 4 p.m. Eastern time if that makes any difference.
 
Where are you seeing those items being sent as outgoing data via NFC Beaming Service? I suspect that those are only system apps that can be associated with NFC, but aren't necessarily beaming any data actively.

The next time this happens, check the NFC toggle to confirm that it's off.
 
It's in my mobile data usage ... under Android system. It has used 50 Mb in the past 30 days. When I check it, it says Beaming Service on the top line. Beneath that are all the items I mentioned previously.

It didn't happen yesterday afternoon. I heard the same sound this morning when I first unlocked my phone today (it is slightly different than the charging sound, but it is a regular sound from the device) but the S Finder was not open.
 
Someone definitely has access to my phone. Today there were several attempts to log in to Facebook in Portuguese and Chinese, as well as visits to weather.com's southeast Asia forecast. The Chinese Facebook page open in my Chrome browser (when I opened my device) had my Yahoo email address in the apparent username line. I disabled my Facebook account about a month ago, shortly after clicking on one of those suspect social engineering links from a friend's Messenger account.
 
At this point, it's probably wise to do a full factory reset, after backing up your crucial data. When the phone resets, set it up as a brand new phone, rather than restoring it from the list of phone backups. Without installing any 3rd party apps, see if those same problems persist.

To be safe, I would also recommend changing your Google password and turning on 2-factor authentication, if you haven't already. Changing all of your sensitive passwords (e.g., to social media accounts and bank accounts) would be a good idea as well.
 
I did all that Sunday. I haven't had any issues yet in the first 48 hours; hopefully nothing further comes of it.

Thanks for your help.
 