Original topic:

Rogue Wearable Device and Remote Access Concerns

(Topic created: 08-30-2024 09:54 AM)
408 Views
HisRoyalHighness
Constellation
Galaxy S21

Context: The device was compromised by someone with local access via a malicious MDM installation. Despite several factory resets and a clean OS installation, the compromise persists and extends to new devices at boot.

 

1. Introduction:
This report summarizes the analysis of system logs from a Samsung Android device, potentially a Galaxy S21 Ultra (SM-G996U), showing signs of unauthorized access, specifically a rogue wearable device and remote control activities.

2. Initial Indicators of Rogue Wearable:

2.1 Suspicious Wearable Connection Attempts:
Log evidence:
```
2024-08-28 21:54:46.000 15752 15752 com.sec.android.app.samsungapps V [SAUI] : BaseHandle :: fakeModelFromDeepLink:false|hadGearConnected:false|gearMarketingName:Galaxy Watch4|fakeModelName:SM-G996U_SM-R870|gearOsVersion:|
```
This log indicates an attempt to spoof a Galaxy Watch4 connection, despite no actual wearable being connected.

2.2 Bluetooth Activity:
Logs showed multiple Bluetooth advertising and scanning activities, including:
```
2024-08-28 23:14:28.178 4009 4093 bluetooth I bt_shim_advertiser : packages/modules/Bluetooth/system/main/shim/le_advertising_manager.cc:175 StartAdvertisingSet: create advertising set, client_id:255, reg_id:-372
2024-08-28 23:14:28.180 4009 4259 bluetooth I bluetooth : packages/modules/Bluetooth/system/gd/hci/le_advertising_manager.cc:631 create_extended_advertiser_with_id: AdvertiserId : 0
```
These activities suggest attempts to establish or detect Bluetooth connections, potentially related to the rogue wearable.

3. Remote Access Indicators:

3.1 Remote Services Initialization:
Multiple remote services were initialized, including:
```
2024-08-28 23:44:22.084 1559 1559 system D SystemServerTiming : StartRemoteProvisioningService
2024-08-28 23:44:22.536 1559 1559 system D SystemServerTiming : StartRemoteAppModeService
2024-08-28 23:44:24.075 1559 1559 system I RemoteDesktopService : RemoteDesktopService started (pid=1559)
```
These services enable various forms of remote access and control.

3.2 Remote Camera Access:
```
2024-08-28 23:44:23.991 1671 1870 cameraserver I cameraserver : Connecting to new camera provider: legacy/0, isRemote? 1
```
This log indicates a remote camera connection, raising serious privacy concerns.

3.3 Remote Audio Routing:
```
2024-08-28 23:44:23.608 1559 2582 system D AS.AudioService : applyAllVolumes: apply index 15, group AUDIO_STREAM_MUSIC and device remote_submix
```
Audio being routed to a remote device, potentially allowing unauthorized audio capture.

3.4 Remote Input and Display Manipulation:
```
2024-08-28 23:44:22.629 1559 1559 system D RemoteInjection : mCurrentDisplayWidth : 1080, mCurrentDisplayHeight : 2400
2024-08-28 23:44:22.386 1413 1456 system I SurfaceFlinger : id=8 createSurf, flag=84004, RemoteWallpaperAnim:1:1#8
```
These logs suggest capabilities for remote input injection and display manipulation.

4. System Responses and Security Measures:

4.1 Anti-tracking Measures:
```
2024-08-28 21:54:56.873 16714 16743 I chromium : [INFO:anti_tracking_preference_watcher.cc(34)] [IAT] Enabled 1 asas = kOpenerInteraction cname = 1 srs = 1 anti-fp screen = 7 anti-fp webaudio = kEnabledAll
```
The system activated anti-tracking measures, possibly in response to detected threats.

4.2 Security Services:
```
2024-08-28 23:44:22.085 1559 1559 system I SystemServiceManager : Starting com.android.server.security.rkp.RemoteProvisioningService
```
Security-related services were initiated, potentially as a response to detected anomalies.

5. Implications and Risks:
- Unauthorized access to camera and microphone
- Potential data exfiltration through remote access
- Privacy violations through screen mirroring and input injection
- Possible manipulation of device settings and security features

6. Conclusion:
The analyzed logs provide strong evidence of both a rogue wearable device attempting to connect and comprehensive remote access capabilities being established on the device.

Anyone with information, help or advice, please feel free to comment.

Thanks in advance. 
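A small triage script, added here as an example and not part of the original post, that parses the logcat layout quoted above (date, time, pid, tid, an optional process-name column, level, tag, message) and flags the tags and strings the post singles out. The indicator names, the `Entry` structure and the two control lines at the end of the sample are my own constructions; the other sample lines are the ones quoted in the post. A hit marks a line for review, nothing more.

```python
"""Triage helper for the logcat excerpts quoted in the post (added example).

Layout handled: "YYYY-MM-DD HH:MM:SS.mmm PID TID [process] LEVEL TAG : MSG".
The process column is optional: the chromium line in the post has none.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<pid>\d+)\s+(?P<tid>\d+)\s+"
    r"(?:(?P<proc>\S+)\s+)?"          # optional process name
    r"(?P<level>[VDIWEF])\s+"         # level must be followed by whitespace
    r"(?P<tag>[^:]+?)\s*:\s*(?P<msg>.*)$"
)

# Indicator name -> (tag substring, message substring); None means "any".
# The names are assumed here; the patterns mirror what the post points at.
INDICATORS = {
    "wearable_deeplink_model": ("[SAUI]", "fakeModelName"),
    "ble_advertising_set":     (None, "StartAdvertisingSet"),
    "ble_extended_advertiser": (None, "create_extended_advertiser"),
    "remote_provisioning":     (None, "RemoteProvisioningService"),
    "remote_app_mode":         (None, "RemoteAppModeService"),
    "remote_desktop":          ("RemoteDesktopService", None),
    "camera_provider_remote":  ("cameraserver", "isRemote? 1"),
    "audio_remote_submix":     ("AS.AudioService", "remote_submix"),
    "remote_injection":        ("RemoteInjection", None),
    "remote_wallpaper_anim":   ("SurfaceFlinger", "RemoteWallpaperAnim"),
    "chromium_anti_tracking":  ("chromium", "[IAT]"),
}

@dataclass
class Entry:
    ts: str; pid: int; tid: int; proc: Optional[str]; level: str; tag: str; msg: str

def parse_line(line):
    """Return an Entry for a well-formed line, None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Entry(m["ts"], int(m["pid"]), int(m["tid"]), m["proc"],
                 m["level"], m["tag"].strip(), m["msg"])

def parse_kv_fields(msg):
    """Split the '|'-separated key:value pairs after '::' in the [SAUI] message."""
    body = msg.split("::", 1)[1] if "::" in msg else msg
    pairs = (f.strip().split(":", 1) for f in body.split("|") if ":" in f)
    return {k.strip(): v.strip() for k, v in pairs}

def match_indicators(entry):
    """Names of every indicator whose tag/message constraints the entry meets."""
    return [name for name, (tag_sub, msg_sub) in INDICATORS.items()
            if (tag_sub is None or tag_sub in entry.tag)
            and (msg_sub is None or msg_sub in entry.msg)]

def triage(lines):
    """Return ([(indicator, Entry), ...], count of lines that did not parse)."""
    findings, unparsed = [], 0
    for line in filter(str.strip, lines):
        entry = parse_line(line)
        if entry is None:
            unparsed += 1
            continue
        findings.extend((name, entry) for name in match_indicators(entry))
    return findings, unparsed

def summarize(findings):
    """Counts per indicator and per pid, to see which processes cluster."""
    return (dict(Counter(n for n, _ in findings)),
            dict(Counter(e.pid for _, e in findings)))

# First twelve lines: quoted from the post. Last two: constructed controls
# that must parse but match no indicator.
SAMPLE_LOG = """\
2024-08-28 21:54:46.000 15752 15752 com.sec.android.app.samsungapps V [SAUI] : BaseHandle :: fakeModelFromDeepLink:false|hadGearConnected:false|gearMarketingName:Galaxy Watch4|fakeModelName:SM-G996U_SM-R870|gearOsVersion:|
2024-08-28 23:14:28.178 4009 4093 bluetooth I bt_shim_advertiser : packages/modules/Bluetooth/system/main/shim/le_advertising_manager.cc:175 StartAdvertisingSet: create advertising set, client_id:255, reg_id:-372
2024-08-28 23:14:28.180 4009 4259 bluetooth I bluetooth : packages/modules/Bluetooth/system/gd/hci/le_advertising_manager.cc:631 create_extended_advertiser_with_id: AdvertiserId : 0
2024-08-28 23:44:22.084 1559 1559 system D SystemServerTiming : StartRemoteProvisioningService
2024-08-28 23:44:22.536 1559 1559 system D SystemServerTiming : StartRemoteAppModeService
2024-08-28 23:44:24.075 1559 1559 system I RemoteDesktopService : RemoteDesktopService started (pid=1559)
2024-08-28 23:44:23.991 1671 1870 cameraserver I cameraserver : Connecting to new camera provider: legacy/0, isRemote? 1
2024-08-28 23:44:23.608 1559 2582 system D AS.AudioService : applyAllVolumes: apply index 15, group AUDIO_STREAM_MUSIC and device remote_submix
2024-08-28 23:44:22.629 1559 1559 system D RemoteInjection : mCurrentDisplayWidth : 1080, mCurrentDisplayHeight : 2400
2024-08-28 23:44:22.386 1413 1456 system I SurfaceFlinger : id=8 createSurf, flag=84004, RemoteWallpaperAnim:1:1#8
2024-08-28 21:54:56.873 16714 16743 I chromium : [INFO:anti_tracking_preference_watcher.cc(34)] [IAT] Enabled 1 asas = kOpenerInteraction cname = 1 srs = 1 anti-fp screen = 7 anti-fp webaudio = kEnabledAll
2024-08-28 23:44:22.085 1559 1559 system I SystemServiceManager : Starting com.android.server.security.rkp.RemoteProvisioningService
2024-08-28 23:44:22.100 1559 1559 system D SystemServerTiming : StartPackageManagerService
2024-08-28 23:44:23.700 1671 1870 cameraserver I cameraserver : Connecting to new camera provider: legacy/0, isRemote? 0
"""

if __name__ == "__main__":
    found, bad = triage(SAMPLE_LOG.splitlines())
    for name, e in found:
        print(f"{name:24} pid={e.pid:<6} {e.tag}: {e.msg[:60]}")
    print(summarize(found), "unparsed:", bad)
```

Point `triage()` at a full export in the same layout; lines in other logcat layouts come back in the unparsed count rather than being silently dropped, so a large unparsed count means the format, not the device, needs looking at first. The per-pid summary is the useful part when reviewing a long capture: it shows whether the flagged lines all come from the same few processes.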

2 Replies
Junior541
Constellation
Galaxy S21
I used an app once that used advertiser IDs to collect info about devices and allowed a user to bond to their Bluetooth audio peripherals without connecting to them. Conclusion: most likely a jealous friend that's nosy, but if you wanna chat about it, let me know. Also, a Flipper Zero would stomp whatever security measures you think you can come up with. You are helpless. There are more settings that you don't have access to unless you have a rooted phone. Good luck.
HisRoyalHighness
Constellation
Galaxy S21

I appreciate the information. As I mentioned in the post, this ordeal is the result of a bad actor with physical access to my systems. Unfortunately, the issues I'm experiencing are persistent and complex, suggesting a more targeted and sophisticated attack. I'm taking steps to secure my devices and data, and I'm exploring all options to address this situation. If you have more precise information, please share it on the forum so others could benefit as well. You mentioned: "I used an app once that used advertiser IDs to collect info about devices and allowed a user to bond to their Bluetooth audio peripherals without connecting to them."

Which app?

When you said "You are helpless", did you mean me specifically?

"There are more settings that you don't have access to" - please elaborate.

I look forward to hearing from you!

0 Likes