misgnomer
Members · Posts: 1

Everything posted by misgnomer
  1. Hi everyone,

     About 2 months ago an ex-girlfriend's engineer boyfriend hacked the WiFi router administrative password on our home network and loaded what seems to be self-replicating malware/remote access trojans onto connected devices. I assume it is custom zero-day malware using unpublished vulnerabilities, as it was undetected by mobile versions of Bitdefender, Kaspersky, and Malwarebytes and persisted on our non-rooted cell phones, a Pixel 3 XL and a Samsung Galaxy S10 Pro running Android 10, despite multiple factory resets. For weeks, they were surveilling/recording us through the mics and cameras, tracking our locations in real time, and stealing our private photos, texts, and passwords. In recent weeks they have been harassing us and attempting blackmail.

     Recently I reflashed the factory images on the Pixel 3 XL and Galaxy S10 Pro and this seems to have cleared the malware, which may be confirmed by a reduction in bandwidth usage. I am using Network Monitor Mini to view open connections on the Galaxy S10. (The Pixel 3 XL seems to prevent access to that data.) On the S10, Network Monitor Mini typically shows two active connections to a remote address, currently 2001:1890:1f8:220e::1:2, on unregistered ports: 6000 and one in the 33xxxx range. Port 33xxxx seems suspicious, though these may be harmless connections to cellular towers (hopefully not spoofed by an IMSI catcher or dirtbox). Any help in verifying the malware is cleared from these devices would be great.

     A Pixel 2 XL running Android 9 remains infected. I keep it quarantined offline and have not reflashed the factory image as it still contains Google Authenticator codes that I have yet to set up elsewhere. Ideally, the malware can be located and safely removed/quarantined without wiping partitions or reflashing the factory image. I am worried that our devices may have been used to spread the "worm."

     We connected to many public WiFi networks before realizing the situation, including several Starbucks, an AT&T store, and a hospital. My ex-girlfriend has all but confirmed this to me. By now her malware may have spread to hundreds of devices or more.

     For information, the Pixel 2 XL was the first device I confirmed to be infected, when apps not secured with an app locker began opening and closing before our eyes. I also caught an old version of Chrome with a CVE vulnerability downloading in a browser tab I had not opened. Our phones were controlled as though by remote access software like VNC, though again scans with Malwarebytes found nothing. Any suggestions for identifying the malware on the Pixel 2 XL (while keeping the device quarantined offline) so that it can be added to anti-malware definitions would be fantastic.
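The post relies on a third-party app to show open connections, which tells you the remote endpoint but not which process on the phone owns the socket, and TCP ports are 16-bit, so a six-digit "port" is a display quirk of the tool rather than a real port. Reading the kernel's own socket table avoids both problems. Below is an added example, not code from the post or from this forum, that parses `/proc/net/tcp6` as Android (a Linux kernel) exposes it, decodes the kernel's hex address format, filters established connections to a given remote address (IPv6 or IPv4-mapped), and maps each socket's inode to a PID by scanning `/proc/<pid>/fd`. The sample table, the local address `2001:db8::a1`, the uids, inodes and the remote port 33333 are constructed; the remote address is the one named in the post. It assumes a little-endian device (true of Android phones) and that the table is read over `adb shell`, since Android 10 denies ordinary apps access to `/proc/net`.

```python
"""Added example: list established TCP connections on an Android/Linux device by
reading /proc/net/tcp6 directly, decode the kernel's hex address format and map
each socket inode back to the owning process.  Not code from the post or the
forum; the sample /proc/net/tcp6 text below is constructed for illustration."""
import ipaddress
import os
import pathlib
from dataclasses import dataclass
from typing import List, Optional

# TCP state codes as printed by the Linux kernel in /proc/net/tcp{,6}.
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING", "0C": "NEW_SYN_RECV",
}

# Constructed sample of `adb shell cat /proc/net/tcp6` output: one listening
# socket, two established connections from a hypothetical local address
# 2001:db8::a1 to the remote address named in the post (ports 6000 and 33333,
# the latter standing in for the "33xxxx" the post mentions), and one
# IPv4-mapped connection to 8.8.8.8:443.  uids and inodes are made up.
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000000000000:1F40 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000 10042        0 12001 1 0000000000000000 100 0 0 10 0
   1: B80D01200000000000000000A1000000:A126 901801200E22F8010000000002000100:1770 01 00000000:00000000 00:00000000 00000000 10123        0 98765 1 0000000000000000 20 4 30 10 -1
   2: B80D01200000000000000000A1000000:A127 901801200E22F8010000000002000100:8235 01 00000000:00000000 00:00000000 00000000 10123        0 98766 1 0000000000000000 20 4 30 10 -1
   3: B80D01200000000000000000A1000000:A128 0000000000000000FFFF000008080808:01BB 01 00000000:00000000 00:00000000 00000000 10076        0 98800 1 0000000000000000 20 4 30 10 -1
"""


@dataclass
class Socket:
    local_addr: ipaddress.IPv6Address
    local_port: int
    remote_addr: ipaddress.IPv6Address
    remote_port: int
    state: str
    uid: int      # Android app uid; map to a package with `pm list packages -U`
    inode: int    # socket inode, the key for finding the owning process


def decode_addr(field: str) -> "tuple[ipaddress.IPv6Address, int]":
    """Decode 'HEX32:PORT'.  The kernel prints the address as four 32-bit words
    in host byte order; on little-endian hosts (assumed here, as on Android
    phones) each 8-hex-digit word must be byte-reversed to get network order."""
    hexaddr, hexport = field.split(":")
    raw = b"".join(bytes.fromhex(hexaddr[i:i + 8])[::-1] for i in range(0, 32, 8))
    return ipaddress.IPv6Address(raw), int(hexport, 16)


def parse_tcp6(text: str) -> List[Socket]:
    """Parse the text of /proc/net/tcp6 into Socket records (header skipped)."""
    socks = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] == "sl":
            continue
        laddr, lport = decode_addr(f[1])
        raddr, rport = decode_addr(f[2])
        socks.append(Socket(laddr, lport, raddr, rport,
                            TCP_STATES.get(f[3], f[3]), int(f[7]), int(f[9])))
    return socks


def connections_to(socks: List[Socket], remote: str) -> List[Socket]:
    """Established sockets whose peer is `remote`, given as an IPv6 address or
    a plain IPv4 address (matched against the ::ffff: mapped form)."""
    target = ipaddress.ip_address(remote)
    if target.version == 4:
        return [s for s in socks if s.state == "ESTABLISHED" and s.remote_addr.ipv4_mapped == target]
    return [s for s in socks if s.state == "ESTABLISHED" and s.remote_addr == target]


def owner_of_inode(inode: int, proc_root: str = "/proc") -> Optional[int]:
    """PID whose fd table holds 'socket:[inode]', or None if not found or not
    permitted.  Only meaningful when run on the device itself (e.g. via adb)."""
    target = f"socket:[{inode}]"
    root = pathlib.Path(proc_root)
    if not root.is_dir():
        return None
    for pid_dir in root.iterdir():
        if not pid_dir.name.isdigit():
            continue
        try:
            for fd in (pid_dir / "fd").iterdir():
                if os.readlink(fd) == target:
                    return int(pid_dir.name)
        except OSError:      # process exited, or fd table not readable
            continue
    return None


if __name__ == "__main__":
    for s in connections_to(parse_tcp6(SAMPLE_TCP6), "2001:1890:1f8:220e::1:2"):
        pid = owner_of_inode(s.inode)   # None unless run on the device itself
        print(f"uid={s.uid} pid={pid} {s.local_addr}:{s.local_port} -> "
              f"{s.remote_addr}:{s.remote_port} {s.state}")
```

On a real device, capture the table with `adb shell cat /proc/net/tcp6` (and `/proc/net/tcp` for plain IPv4, which uses the same layout with 8-hex-digit addresses) and feed the text to `parse_tcp6`; the `uid` column identifies the Android app (`adb shell pm list packages -U` prints each package's uid), which is the first thing to check for an unexpected connection. Whether the remote address belongs to a carrier or to something else is a separate question answered by a `whois` lookup on the prefix, not by the port number alone.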