a guest
Feb 15th, 2016
Dear conference attendees,

I am fairly sure that my Android phone got pwned very recently.
I don't have any proof that this happened at LCA, except that
I have two data points from Tuesday and Saturday which lead me to
suspect that something happened in between.

It's a bit surprising, as I run a custom ROM without Google apps,
a firewall, and Xposed/XPrivacy, but I also notably left my phone
behind on two occasions, so the breach could have happened
physically.

Anyway, as I said, I don't have proof, and I certainly don't want to
stir the paranoia, but I guess it's still better to share.

My (previously rooted) phone has been modified in the following ways:

- /bin/su is gone, hence the phone is no longer rooted;
- there are a few temporary files in /system;

I've noticed frequent reboots too. And no, I have not made any
changes myself lately.

Altogether, it looks like a cracking attempt gone wrong.

I have not done any further post-mortem analysis, because my phone
was due for replacement anyway (and is now out of service, yet still
existent), but if you witness similar problems, have a look, and let
me know…

Thanks for your attention,


---

I had an issue with my Nexus 7 tablet running stock Lollipop throwing up adverts over the LCA 2016 website.

A reboot didn't solve the problem and Malwarebytes reported the tablet as clean.

In the end I cleared the Chrome cache and everything returned to normal.

Anyone else had issues?

---

I used a stock Android 6 Nexus 7 quite a bit during the conference and did not notice anything out of the ordinary with the conference website or any other aspect of its operation. The browser in use was Firefox. Another potential point of difference beyond the Android version is that I didn't have the device associated with any accounts (Google or otherwise). I don't know whether there is any reason to believe that this could be significant.

Regards
jonathan

---

I also noticed a spate of frequent reboots on Friday night and then back at home over the weekend. Seems to have settled down now though.

I run a similarly unusual phone build (Replicant) without proprietary wifi drivers, so I only access data over the phone network.

---

Steven> I had an issue with my Nexus 7 Tablet running stock Lollipop
Steven> throwing up adverts over the LCA 2016 website.

I had the same issue on my phone, also running CyanogenMod Lollipop.

Ads were only over the LCA website; other sites seemed OK.

Peter C

---

I'd be interested to understand what the adverts were - there was certainly no advertising loading natively from the LCA site - this sounds more like a browser hijack (as Steven suggested). Knowing what the ads were might give some visibility into the issue, but likely not.

Certainly, we could have been of more assistance had we known about this during the conference, when the conference network was in place and the delegates were still on site - at this stage the conference network is back in Canberra with Evil Steve, and the delegates are spread all over the world. If anyone or anything was injecting ads or spreading malware, it is gone now.

It is of course disappointing that such things have apparently happened, but given everything and everyone is now long gone, there's not really much we could investigate.

Thanks Martin for alerting everyone to your experience - we can only advise anyone who feels their device(s) may have been compromised to take the action(s) appropriate to the operating system(s) and device(s) in question.

---

FWIW, I had no issues with my stock Nexus 5 or my rooted Nexus 9 tablet (both running 6.0.1, mind you, so it could have been an issue with older Android or devices without the latest WebView packages).

Used the conference network and visited the site regularly, and steadfastly avoided any of the other dodgy 'free wifi' APs all around Geelong :P

- Ender

---

Hi Michael

I couldn't be sure if my issue was due to content viewed under Chrome before I arrived @ LCA. The advert pop-ups were largely blocked, but I did get a couple of OZ sports betting sites come up.

Once I'd cleared the Chrome cache the issue didn't recur, otherwise I'd have raised a ticket with the 2016 team.

Steve

---

Hi all

My HTC Eye running stock Android 5.0.1 did do a random reboot at LCA when no apps were in the foreground. I also did have one or two ads pop up in Chrome, but I had the LCA website and a few other tabs open.

My phone was turned off before the flight back to Perth.
Since then everything with my phone is back to normal.

---


LCA has a large number of smart people in a small area; presumably some portion of those people are criminals, so it would not be particularly surprising if an LCA delegate was responsible for hacking devices. Also, with a large number of target devices in one location, someone who was in Geelong but unrelated to the conference could have taken advantage of that opportunity. As an aside, the wifi password was not treated as a great secret and was also not difficult to guess.

However, as there were maybe 800 Android devices being actively used, it also seems almost certain that the usual issues with insecure apps will occur on some devices without being in any way related to the conference or its network.

It is reasonable for someone who had a problem with their device at the conference to consider the possibility of an attack directly related to the conference. It is good to share information on such things to try and discover the cause of the problem. But I think we need to consider how many such issues with Android devices happen in the usual course of operation. If you select a random group of ~500 people who use Android devices intensively for a period of a week, how many would you expect to have undesired behaviour that looks like security issues?