
Zero-Day Malware Removal from Pixel 3 XL, Galaxy S10 Pro, Pixel 2 XL


Hi everyone,

About 2 months ago an ex-girlfriend's engineer boyfriend hacked the WiFi router administrative password on our home network and loaded what seems to be self-replicating malware/remote access trojans onto connected devices. I assume it is custom zero-day malware using unpublished vulnerabilities, as it was undetected by mobile versions of Bitdefender, Kaspersky, and Malwarebytes and persisted on our non-rooted cell phones, a Pixel 3 XL and Samsung Galaxy S10 Pro running Android 10, despite multiple factory resets. For weeks, they were surveilling/recording us through the mics and cameras, tracking our locations in real time, and stealing our private photos, texts, and passwords. In recent weeks they have been harassing us and attempting blackmail. Recently I reflashed the factory images on the Pixel 3 XL and Galaxy S10 Pro, and this seems to have cleared the malware, which may be confirmed by a reduction in bandwidth usage.

I am using Network Monitor Mini to view open connections on the Galaxy S10. (The Pixel 3 XL seems to prevent access to that data). On the S10, Network Monitor Mini typically shows two active connections to a remote address, currently 2001:1890:1f8:220e::1:2, on unregistered ports 6000 and one in the 33xxxx range. Port 33xxxx seems suspicious though these may be harmless connections to cellular towers (hopefully not spoofed by an IMSI catcher or dirtbox).

Any help in verifying the malware is cleared from these devices would be great.

A Pixel 2 XL running Android 9 remains infected. I keep it quarantined offline and have not reflashed the factory image, as it still contains Google Authenticator codes that I have yet to set up elsewhere. Ideally, the malware can be located and safely removed/quarantined without wiping partitions or reflashing the factory image.

I am worried that our devices may have been used to spread the "worm." We connected to many public WiFi networks before realizing the situation, including several Starbucks, an AT&T store, and a hospital. My ex-girlfriend has all but confirmed this to me. By now her malware may have spread to hundreds of devices or more. For information, the Pixel 2 XL was the first device I confirmed to be infected, when apps not secured with an app locker began opening and closing before our eyes. I also caught an old version of Chrome with a CVE vulnerability downloading in a browser tab I had not opened. Our phones were controlled as though by remote access software like VNC, though again scans with Malwarebytes found nothing.

Any suggestions for identifying the malware on the Pixel 2 XL (while keeping the device quarantined offline) so that it can be added to anti-malware definitions would be fantastic.


Hi @misgnomer,

Well, that is quite a predicament. Since you have a device that could potentially be infected, you can send us an Apps Report from that device. Since you suspect that it may be spreading through WiFi, I would suggest disconnecting any other devices on the network before powering up and sending the Apps Report.

To send an Apps Report with Malwarebytes for Android, use the following instructions.

1. Open the Malwarebytes for Android app.

2. Tap the Menu icon.

3. Tap Your apps.

4. Tap the three lines icon in the upper right corner.

5. Tap Send to support.

Choose an email app to send the Apps Report.

Your email app will open with the Apps Report included.

At this point, it would be very helpful to mention you are submitting via recommendation from the Malwarebytes forum. This allows our support staff to know where to direct it.

By sending the Apps Report, you will create a ticket in our support system.

Private Message (PM) me the email used and/or the ticket number assigned.
