Help needed for S9 and note 9, unknown source is changing settings in our phones.

[aksamsungusers]

We purchased a S9 and note 9 in October 2018 from at&t. Carrier is also at&t. We had the phones for about a week, noticed the note 9 had new apps that were downloaded from a unknown source. On both phones we were signed out by the unknown source and our passwords were changed. Log in information were changed for all accounts. Personal information as birth dates were changed. It happened with google accounts,email accounts, facebook accounts, wiped the call logs, pictures off of the SD card and Amazon music. Got into the JPro system. Pretty much every account possible. And every device we have.

On the screen you can see the glitches, can see the apps they are in but we can't access the app. Did multiple factory resets. Contacted at&t support, they also couldnt remote access the phones. We contacted google but they offered no help. We contacted Samsung support and were asked to send in both phones. The note 9 google account password was changed and was unable to log back into the phone. The note 9 was replaced and before the box was opened, the new phone was activated and downloaded apps by the unknown source. Before we received the note 9 replacement, four prepaid cell phones had the same malicious issues and were a complete lost. It also happened with a Amazon kindle fire tablet. It had also accessed a Asus diagnostic system at work. New phones, new phone numbers, new accounts and new passwords were made, and currently we are having the same issues in our replacement note 9 and S9. They also got into our server. Our data is being used causing higher cellular bills.

We had no prior issues of any kind before the S9 and note9.

We think it might be third party apps. We did safe mode. And, eventually the problems keep reaccuring with our new phones.

We have no ideas on what else is going on. We spent thousands of dollars to try and fix but nothing seems to work.
Please help. We reside in Alaska and have no walk-in support techs, so our devices have to be shipped out to have diagnostic tests done. We have not come across or talked to anyone with similar issues. Any help is very much appreciated.

Thank you.

 

[B. Diddy]

Welcome to Android Central! Sorry to hear about these problems. Are you still able to log into your own Google accounts? If so, have you turned on 2-step authentication on all of them? Do the same for any other sensitive account you have, if they offer 2-step authentication as long as it's not done via SMS. Hackers and identity thieves have gotten better at bypassing 2-factor authentication by intercepting the 2-factor code that's sent via SMS. It's best to use an app for 2-factor (like Google's Authenticator app), or by receiving an actual phone call telling you the authentication code.

 

[methodman89]

We purchased a S9 and note 9 in October 2018 from at&t. Carrier is also at&t. We had the phones for about a week, noticed the note 9 had new apps that were downloaded from a unknown source. On both phones we were signed out by the unknown source and our passwords were changed. Log in information were changed for all accounts. Personal information as birth dates were changed. It happened with google accounts,email accounts, facebook accounts, wiped the call logs, pictures off of the SD card and Amazon music. Got into the JPro system. Pretty much every account possible. And every device we have.

On the screen you can see the glitches, can see the apps they are in but we can't access the app. Did multiple factory resets. Contacted at&t support, they also couldnt remote access the phones. We contacted google but they offered no help. We contacted Samsung support and were asked to send in both phones. The note 9 google account password was changed and was unable to log back into the phone. The note 9 was replaced and before the box was opened, the new phone was activated and downloaded apps by the unknown source. Before we received the note 9 replacement, four prepaid cell phones had the same malicious issues and were a complete lost. It also happened with a Amazon kindle fire tablet. It had also accessed a Asus diagnostic system at work. New phones, new phone numbers, new accounts and new passwords were made, and currently we are having the same issues in our replacement note 9 and S9. They also got into our server. Our data is being used causing higher cellular bills.

We had no prior issues of any kind before the S9 and note9.

We think it might be third party apps. We did safe mode. And, eventually the problems keep reaccuring with our new phones.

We have no ideas on what else is going on. We spent thousands of dollars to try and fix but nothing seems to work.
Please help. We reside in Alaska and have no walk-in support techs, so our devices have to be shipped out to have diagnostic tests done. We have not come across or talked to anyone with similar issues. Any help is very much appreciated.

Thank you.

If for real, you've been hacked. Assume everything connected is compromised. Turn off all synching. Do as stated above. Phones are shipped off without an SD card. That will make it impossible to load apps. Is the store you bought from a real att store or an authorized dealer? The amount of penetration you describe points to a hands on approach for ease. Good luck. Merry Christmas!

 

[aksamsungusers]

Ok. I used malwarebytes and eset to scan our devices and came upon a whitesystem app

:Android/PUP.HackTool.DeviceAlive.a

We had disabled the app. Unable to uninstall due to the fact it is a system app. It is a spyware app. We are currently trying to retrieve our Samsung accounts as it had already been changed. So far we see no signs of the malware being active. Here is what we found so far about the preinstalled app that caused havoc on our devices.



That is what I have researched:

The Phone has been reported with serious security issues by Kaspersky as it can install unwanted Apps, execute remote commands and transmitt personally identifiable information without user consent or disclosure
You can find several posts about malicious ROM; malicious YouTube App etc. I got at least 3 responses from other people that have exact the same problem as we have
I read that many Scanners will not report System Apps because they think that the manufacturs are not installing malicious things on the phone.

If, at all you have an idea on how to remove this app from the phone, please let me know. I will continue to try and remove this app. I'm afraid it will enable itself and cause the same issues. Merry Christmas to you as well. Thank you for your responses on this problem

 

[B. Diddy]

Is it saying that ATT HVPL contains that Android/PUP.HackTool.DeviceAlive.a malware? Security apps can give false positives sometimes, identifying legitimate preinstalled apps as malware. I did a search for "ATT HVPL" and couldn't find anything, though.

If it truly is malware that was installed to the system root, then you have to reinstall the firmware to get rid of it. Use either Smart Switch (https://www.sammobile.com/forum/threads/29914-SmartSwitch-Install-amp-update-or-replace-firmware) or Odin (https://forums.androidcentral.com/a...w-flash-stock-rom-via-odin-new-interface.html).

Remember, people don't always have to do some kind of sophisticated hack to get into your accounts. If your passwords are easy to guess, are the same or similar across your accounts, and aren't doubly secured by 2 factor authentication, then it may not take much work to log into one of your accounts and start changing things left and right.

 

[Rukbat]

I'd first back up everything - pictures, music, etc. Than I'd go to the local AT&T store and ask where the nearest Device Support Center is. I'd tell them what happened and ask if they could reflash the phones.

Once that's done, I'd get Google Authenticator and use that as my two-step authentication. Then I'd set up all my accounts, using a different, very strong, password for each one. (If you need help remembering passwords use Keepass2Android Password Safe.) Then reinstall everything I'd backed up. (Using the same password everywhere is one cause of what happened to you.)

 

[aksamsungusers]

This is what I found in the note 9. Any idea what it is for?
Thank you. I'm trying to gather as much information before i send the phones off to samsung.

 

[KyleHughes2]

One more thing when you got your new phones can you turn them on if you logged into your old Samsung or Google accounts he immediately had the same access he did last time

 

[mustang7757]

This is what I found in the note 9. Any idea what it is for?
Thank you. I'm trying to gather as much information before i send the phones off to samsung.

View attachment 296018

Just reading your thread , if you go settings >apps >3dots upper right corner tap>select special access > device administrator app tap > you see anything there besides find my phone ? Also in same place special access tap under install unknown apps you see any that's allowed?