There Is A Spy On The Mobile Device

Hello Cyberman!

This article will be about mobile spyware and how.
With the spread of smartphones, spyware begin to proliferate.  And she recently reported that he had a health problem.

We’ll call it “G” for now. She wrote to me and asked me to help.

She reported that he had downloaded ESET, Avast, Kaspersky Antivirus and detected a virus.
Her main actions were as follows:
– Restore the phone to factory settings.
– Reset device
She conveyed that she did such operations, but did not go.

I got the device. And I started testing with a laptop with a Windows operating system.
Used programs:
– WireShark (for laptop)
– KingRoot (for Phone)
– Termux (for phone)

First of all, I turned on my computer’s mobile hotspot feature.

 As seen above. Then I right-clicked with the mouse and clicked “Go to Settings” for Mobile Hotspot.

  Then I changed the password and connected the mobile device. I opened the software called Wireshark (If you don’t know Wireshark please read this article) and in the “Local Network Adapter” option, I selected the field with the ip address 192.168.137..

Then, in WireShark, it started to be seen where the device was sending packets to.

I noticed that among the listed requests, it is constantly trying to perform req and res operations from an abnormal port.

When I examined the IP address, I found out that it is not a server and connects to a computer with dynamic dns.

And I realized that the software works with a fixed software that is connected to the system.
(Because if it was a normal malicious apk, it would be gone when it was reset.)

Then I opened developer options to root the device. And I rooted it with the software named Kingroot.

I downloaded the software called Termux to the phone. And I gave permissions. For reading and deleting files. (Please click. How to for termux give it to permission )

Thanks to the fixed software named “Weather”, I learned that the system was logged in every way. And I deleted the installation and other files of the software named “Weather” from Termux.

And when the software named “Weather” is removed from the device
– Avast
– Kaspersky
When I scanned the device for this, it was seen that it was clean.
After scanning with Wireshark, it was seen that it did not send a request to the IP address. I did give her it mobile device. And she is now happy.

Seems clean so far…
I hope it stays like that.. 

Note: Unreal photos are used for this article. Because it happened in November.

Have a nice day with lots of informatics. 🙂


Leave a Reply

Your email address will not be published. Required fields are marked *