Context: The device was compromised by someone with local access via malicous MDM installation. Despite several factory resets, clean OS installation, the compromise persists and extends to new devices at boot.
1. Introduction: This report summarizes the analysis of system logs from a Samsung Android device, potentially a Galaxy S21 Ultra (SM-G996U), showing signs of unauthorized access, specifically a rogue wearable device and remote control activities.
2. Initial Indicators of Rogue Wearable:
2.1 Suspicious Wearable Connection Attempts: Log evidence: ``` 2024-08-28 21:54:46.000 15752 15752 com.sec.android.app.samsungapps V [SAUI] : BaseHandle :: fakeModelFromDeepLink:false|hadGearConnected:false|gearMarketingName:Galaxy Watch4|fakeModelName:SM-G996U_SM-R870|gearOsVersion:| ``` This log indicates an attempt to spoof a Galaxy Watch4 connection, despite no actual wearable being connected.
2.2 Bluetooth Activity: Logs showed multiple Bluetooth advertising and scanning activities, including: ``` 2024-08-28 23:14:28.178 4009 4093 bluetooth I bt_shim_advertiser : packages/modules/Bluetooth/system/main/shim/le_advertising_manager.cc:175 StartAdvertisingSet: create advertising set, client_id:255, reg_id:-372 2024-08-28 23:14:28.180 4009 4259 bluetooth I bluetooth : packages/modules/Bluetooth/system/gd/hci/le_advertising_manager.cc:631 create_extended_advertiser_with_id: AdvertiserId : 0 ``` These activities suggest attempts to establish or detect Bluetooth connections, potentially related to the rogue wearable.
3. Remote Access Indicators:
3.1 Remote Services Initialization: Multiple remote services were initialized, including: ``` 2024-08-28 23:44:22.084 1559 1559 system D SystemServerTiming : StartRemoteProvisioningService 2024-08-28 23:44:22.536 1559 1559 system D SystemServerTiming : StartRemoteAppModeService 2024-08-28 23:44:24.075 1559 1559 system I RemoteDesktopService : RemoteDesktopService started (pid=1559) ``` These services enable various forms of remote access and control.
3.2 Remote Camera Access: ``` 2024-08-28 23:44:23.991 1671 1870 cameraserver I cameraserver : Connecting to new camera provider: legacy/0, isRemote? 1 ``` This log indicates a remote camera connection, raising serious privacy concerns.
3.3 Remote Audio Routing: ``` 2024-08-28 23:44:23.608 1559 2582 system D AS.AudioService : applyAllVolumes: apply index 15, group AUDIO_STREAM_MUSIC and device remote_submix ``` Audio being routed to a remote device, potentially allowing unauthorized audio capture.
3.4 Remote Input and Display Manipulation: ``` 2024-08-28 23:44:22.629 1559 1559 system D RemoteInjection : mCurrentDisplayWidth : 1080, mCurrentDisplayHeight : 2400 2024-08-28 23:44:22.386 1413 1456 system I SurfaceFlinger : id=8 createSurf, flag=84004, RemoteWallpaperAnim:1:1#8 ``` These logs suggest capabilities for remote input injection and display manipulation.
4. System Responses and Security Measures:
4.1 Anti-tracking Measures: ``` 2024-08-28 21:54:56.873 16714 16743 I chromium : [INFO:anti_tracking_preference_watcher.cc(34)] [IAT] Enabled 1 asas = kOpenerInteraction cname = 1 srs = 1 anti-fp screen = 7 anti-fp webaudio = kEnabledAll ``` The system activated anti-tracking measures, possibly in response to detected threats.
4.2 Security Services: ``` 2024-08-28 23:44:22.085 1559 1559 system I SystemServiceManager : Starting com.android.server.security.rkp.RemoteProvisioningService ``` Security-related services were initiated, potentially as a response to detected anomalies.
5. Implications and Risks: - Unauthorized access to camera and microphone - Potential data exfiltration through remote access - Privacy violations through screen mirroring and input injection - Possible manipulation of device settings and security features
6. Conclusion: The analyzed logs provide strong evidence of both a rogue wearable device attempting to connect and comprehensive remote access capabilities being established on the device.
Please anyone with information, help, advice, feel free to comment.
I used a app once that used advertisers ids to collect info about devices and allowed a user to bond to their bluetooth audio peripherals without connecting to it. Conclusion most likely a jealous friend thats nosey but if you wanna chat about it lmk. Also a flipper zero would stomp whatever security measures you think you can come up with. You are helpless. There is more settings that you dont have access to unless you have a rooted phone. Good luck
"I appreciate the information. As I mentioned in the post, this ordeal is the result of a bad actor with physical access to my systems. Unfortunately, the issues I'm experiencing are persistent and complex, suggesting a more targeted and sophisticated attack. I'm taking steps to secure my devices and data, and I'm exploring all options to address this situation. If you have more precise information, please share them on the forum, so others could benefit as well. You mentioned "I used a app once that used advertisers ids to collect info about devices and allowed a user to bond to their bluetooth audio peripherals without connecting to it"
Which app ?
When you said : "You are helpless" did you mean me specifically ?
"There is more settings that you dont have access " - Please elaborate
For over a year, Iāve been dealing with **persistent and suspicious wearable connections** on several of my Samsung devices, including the S21+ 5G, A13, and others. Despite never pairing a wearable or owning a Galaxy Watch, these devices consistently show logs and activities related to **Galaxy Watches, Tizen OS**, and **virtual connections**āeven connecting to apps like **Samsung Wallet, Instagram**, and **Google Messages** without my consent.
### **Summary of Issues:** 1. **FakeModelName Linking Watch and Phone** - Across multiple devices, Iāve discovered a recurring **FakeModelName** that combines the model numbers of my phone (e.g., SM-A136U) with that of a **Galaxy Watch 4** (SM-R870). This seems to indicate a **virtual or rogue pairing** of a wearable. Hereās a key log entry:
This same pairing occurs across different devices, including my Samsung S21+ 5G and A13, making this suspicious.
2. **Google Messages Syncing with Wearable** - Iāve noticed repeated logs of **Google Messages** syncing with an unknown wearable, particularly through **CallInSync** and **Companion Data Transfer** during calls. These logs suggest an **unauthorized transfer of call data** to a rogue wearable.
3. **Samsung Wallet Wearable Connections** - Logs indicate that **Samsung Wallet** is consistently interacting with a wearable, even when no such device has been paired. The **PayPal account** linked to Samsung Wallet seems to be particularly tied to these wearable activities, while other cards are not.
``` 2024-09-20 19:36:29.262 29463 29463 com.samsung.android.spay I SAMSUNGWALLET : [AbsWatchManager] isConnected called ```
4. **Instagram App Reference to Wearable Not Reachable** - Iāve come across multiple instances where **Instagram logs** mention a wearable thatās **ānot reachableā**. While Instagram is not an app I associate with wearable devices, it seems to be interacting with one in my case.
5. **Galaxy Store and Tizen OS** - Iāve also found references to **Tizen** and **Galaxy Store-related wearable connections**, which is strange since Iāve never owned a device running Tizen. Here are the relevant logs:
6. **CallInSync and Companion Data Transfer** - During calls, Iāve detected activities suggesting that **call data is being transferred to a wearable**. These activities occur consistently and raise concerns about the integrity of my communications.
### **Why This Matters:** Despite never pairing a wearable myself, these logs show **persistent unauthorized connections** to various wearables, particularly Galaxy Watches. I have taken the step of downloading the **Samsung Wearable** and **Google Wear OS** apps to trigger logs and investigate further, but the issue seems to have been ongoing long before that.
### **Key Log Entries:** To give more context, here are some additional logs showing suspicious wearable-related activities across different devices: ``` 2024-09-26 06:27:20.656 20903 20903 com.samsung.android.app.watchmanager I IDS_TAG : Getting Shared Preference for com.samsung.android.app.twatchmanager.TWatchManagerApplication@3a792fa uid = 10305 ``` ``` 2024-09-20 19:36:29.262 29463 29463 com.samsung.android.spay I SAMSUNGWALLET : [AbsWatchManager] isConnected called ```
Has anyone else experienced similar issues with **rogue wearable connections** or **virtual wearables** on their Samsung devices?
