Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 4 replies
  • Answers 1 answer
  • Subscribers 8 subscribers
  • Views 1841 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos Mobile Security: Unknown code rendered Sophos Mobile Security helpless, downloads unknown file repetitively, and has made my Samsung Note 4 useless.

Christian LG

Sorry for the long story.  "tl:dr" version is at the end;  these details are in case anyone can use them to figure out what happened and how to fix it. 


4 days ago I got a pop-up saying "Unfortunately, Sophos Mobile Security has stopped." It had happened a couple of times the previous fortnight, randomly, and I had just pressed "OK" and it (apparently) restarted without a problem. This time was different. The pop-up returned, and then again and again, on about a 2-second interval and gradually speeding up. I tried to use the "Report" option but the pop-up interrupted everything I did until I was typing only a few letters at a time. I'm not even sure if the report was received or by whom.



That's when I noticed download activity I had not requested. The download was called "Testiculate.mp3 Something Rhymes with Purple" and said it was 30 MB. There were 3 of them when I looked in my file manager.

I turned off the phone, pulled the battery, SIM and storage card, waited, reinserted them, and rebooted. The DLs had stopped and I deleted them successfully (I thought). The phone worked fine until yesterday.



The same thing began again.  I cannot recall anything I was doing in particular, when the same sequence of events started but this time it was downloading 2 at a time.



This time I immediately turned the phone to Flight Mode to stop the multiple DLs. That seemed to stop both the downloads and the pop-up boxes from Sophos Mobile Security. I went into the file manager again and deleted the multiple copies of the file. I also looked through my other listed downloads. I could account for most of them but deleted some whose names seemed odd. (I may regret that when the phone is working again.)



I also saw, but didn't yet delete, a file I cannot explain at all. I took a screen shot of its listing in the file manager. It's called "dmc.txt". It says it's only "50 B".  The download date and time indicate it was DLed 1 minute before the "Testiculate" files began DLing. I didn't delete it in case it's useful to someone to examine it.


tl:dr version



Current state of affairs: my phone is effectively bricked, since I can't take it out of Flight Mode.  To the best of my ability to summarize things, my phone seems to have been infected somehow by some kind of code capable of stopping Sophos Mobile Security dead in its tracks.   I still don’t know what it is, or where or how it got on my phone.  Whatever that code is, it was capable of bypassing Sophos without being detected, and now it crashes Sophos Mobile Security every time it tries to restart and stop the code.  Then I get another string of weird downloads and it’s as if the code uses Sophos Mobile Security to keep me from using the phone at all.   It’s still on my phone and I still don’t know how to get rid of it.  



This thread was automatically locked due to age.
Parents Reply
  • 0 in reply to Christian LG

    Hi  

    Unfortunately, the Samsung Note 4 does not have the latest Android security patches installed as it cannot run the latest version of Android. This means that it leaves the door open for a lot of security vulnerabilities which can be exploited. Even though every possible security feature is turned on in the Sophos Mobile Security app, it can only do so much when the device itself is not patched and is exposed to vulnerabilities. 

    However, if you still have the file which you suspect that infected your device, then I would suggest that you submit a sample to Sophos Labs so that they can release detection signatures for that file if it is found malicious.

    Thanks,
    Yashraj Singha
    Manager | Global Community Support
    Are you a Sophos Partner? | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
Children
  • 0 in reply to Yashraj S

    Thank you Yashraj.  

    Thanks for confirming the situation related to the age of my phone.  I figured as much, but I'm not sure what to do about it.  Until this episode Sophos Mobile Security successfully had been keeping me safe, but as you say, it can only do so much with the unpatched OS.  

    As for the file I suspect, I can't really justify my suspicion.  It's not even correlation, just coincidence.  And since it's only 50 bytes, I can't help wondering if there's some other file I don't know about that's the real culprit.  

    The bigger problem is that I've kept the phone in Flight Mode since the incident because whenever it was connected the download kept triggering, and when it does the phone doesn't let me do much of anything else.  But in Flight Mode there's no real way to get that file or anything else off the phone.  

    If I can think of a way to do something that file I will get it to Sophos.  

    Thanks.  

    CS

Unfiltered HTML