Recently, I have had a friend with a new Galaxy S7 that has been infected by some sort of persistent exploit/hack. Seemingly randomly, the device will start typing, launch random applications, and even start the camera up.
My first thought was that it was infected by a piece of malware so I ran a variety of scans that came up with nothing. I figured if I reset his phone and did a full factory reset that it would wipe the phone clear and he would be good to go, but this did not work. A day or so later (he had not downloaded any apps, just kept the stock ones - and no internet browsing through chrome etc..) the phone started launching apps and the camera etc while he was using it...
I figured at this point it must be a persistent piece of software implanted in the actual OS that survive the factory reset that used a reverse tcp attack. This means it would survive a factory reset and then would send a packet to connect to the hackers computer at random times giving the hacker a notification of a new session and full access (probably using metasploit). I used Wireshark (a network packet capturing software) to monitor his phone and packets for any connections the phone tried to make with an external ip address - other than the google services and servers - but nothing registered. Odd. Did a factory reset again and signed in with a brand new Google account.
Fast forward a few days and his phone started doing the same thing again - only this time his data and wifi were completely off. However, it acted as if it was being controlled externally.
The only thing I can think of now is that it is being exploited by a media messages via a text message? There have been reports in the past about Android phones being exploited by specially crafted media messages.
Any thoughts about what this might be/how to get rid of it?