hacking attempt

Added by John Smith over 8 years ago

I am a bit of a noob so if this is in the wrong place or other issue please move or let me know.

I installed Replicant about 6 weeks ago. I left it on charge and when I came back I noticed an unusual icon in the top notify area. It turned out to be the terminal emulator app. It had in it:

bin/sh/as_vcard

I don't know how this could be finger trouble on my part. It seems someone was trying to access my contacts. Unfortunately I did not get a screen capture, nor did I do other checks. It seems the file as_vcard was not where they were looking. I later checked as su and could not find an as_vcard utility on the phone. It seems like an amateur attempt to me. What do people think the person making the attempt was trying to do? Did they know what they were doing? Replicant on my phone is out of the box. I disabled the Browser app and added an app from F-Droid: Notepad (bander.notepad version 1.06)

I am not saying that this was the problem. There were a number of places where the chain of trust could have been broken. For example: I had the Browser app enabled for the first few days until I woke up to the fact that it had not been secured (indeed not possible) in Replicant and then disabled it.

I have no secrets to protect so not crucial.

Thanks for any info.


Replies (2)

RE: hacking attempt - Added by My Self over 8 years ago

Just to be sure:
  • you "left it on charge" over a USB cable on your PC (?),
  • sent your device to sleep before leaving (or not?),
  • using a screen lock (PIN / password / pattern, which nobody else should know?),
  • ADB (Android Debugging) was enabled (?),
  • you're sure that the Terminal Emulator app wasn't opened before (?),

and after you came back (minutes, hours, ...?), the Terminal Emulator app was started and had executed (or just written down?) the command "bin/sh/as_vcard"?

> I don't know how this could be finger trouble on my part.

I've researched a bit and found out that in this case 'as' stands for:
  • sometimes "auto-sync" but in this special case
  • "ACTION_SEND"

I've also realized that it's possible to 'share' things (like contacts) via the Terminal Emulator app. Theoretically it looks pretty legit that you have (accidentally) tried to share a vcard to the Terminal Emulator, which could lead to such a picture. In my test, if I share a person (inside the 'People' app) via the Terminal Emulator, this (Terminal Emulator) app opens, brings up the icon you described in the notification area and wants to execute "/contacts/as_vcard" (with the error: 'No such file or directory').
(By the way, you can't capture a screen because of: http://redmine.replicant.us/issues/705)

I have to doubt that somebody would remotely first open a visible Terminal Emulator app to do something.
But this could be the case if somebody had physical access to your unsecured (screenlocked) device and didn't have enough time to close the app (or just didn't know how to do it [settings -> close window, otherwise the app stays open and shown in the notification area]).

Hope this helps a bit.

RE: hacking attempt - Added by John Smith over 8 years ago

OK great! I think I know what must have happened. I was alone in the building. I assumed that the cord was plugged into the a/c power supply but it may have been plugged into a nearby Windows PC. Don't recall following the rat's nest. I may have inadvertently had it on in my pocket prior to this and hit the power button... No ADB though. Can't reconstruct exact circumstances but I don't think it was a hacking attempt. What a piece of detective work. Thanks.
