Norton Halt exploit > hidden device administrator > phone info app

I have an Android 4.3, Samsung Galaxy S3 SPH-L710. I was sitting at my desk having a cup of coffee and happened to glance over at my phone, which I had not touched since waking up, and watched the camera flash activate / turn on by itself. I picked up the phone and the flash light quickly turned off. I checked Settings > my device > Accessibility > Flash notification and this is already set to off.

 

I ran Norton Halt and it detected a hidden device administrator called "Phone Info" - ("halt" grab attached).

 

Operations it can perform according to Halt are attached in "halt2".

 

Clicking on Deactivate doesn't appear to do anything; returns me to the initial detection screen ("halt.pdf"). It also doesn't appear as an option to disable under settings > security > device administrators.

 

Going into settings > application manager > running, I saw 2 instances of this app running. I was able to stop them. Going into application manager > all, I clicked to clear the cache and data stored but am not able to remove the app. ("phone info.pdf")

 

The app has permissions to do just about everything it could want (see grabs "perms1-5"). I know I didn't actively install this.

 

I installed and ran several security apps: lookout, norton mobile, avast, hidden device admin detector, trend micro mobile, SeCore. None of them are detecting an issue and none of them can remove it.

 

My questions are 1. This appears to be malware, as Halt is suggesting, correct? 2. If so, how do I get it off my phone manually, asap?

 

Thanks for your help.

 

 

 

 

 

 

Thanks Andmike for your response. Some answers:

 

Yes, I've had Norton Halt on the device for a while, I'd say a year or longer. I've run it a handful of times, it's always come up clean and protected. And I haven't seen any warnings pop up. I proactively ran it yesterday when I noticed some weird behavior on the device.

 

I took a look at the Phone Info apps on Google play - there are three by that name - and I am absolutely positive I have never installed any of those, I have no need for them.  But I cannot access the "phone info" app to launch and compare to the screenshots.

 

* it doesn't appear under the Downloaded tab. 2 instances of it originally appeared under "Running" (until I stopped it) and the "All" tab.

* It also doesn't appear under Device Administrators.

* I have installed and run Norton Mobile Security and it came up clean

* I have not rooted the phone

* there is no option to uninstall it anywhere.

 

 

 

 

Hi thingy543.

 

Puzzling.... [IF ANY OTHER READERS HAVE ANY IDEAS PLEASE FEEL FREE TO JOIN IN!]

 

If it does not show as having been downloaded I wonder if it might be part of the standard software that comes with the S3.  Have you had any upgrades to the device recently?  Can you contact Samsung or whoever admits to owning the basic phone set up and see if they know what the app is?

 

Does your setup allow the installation of apps not downloaded from Google Play?  (As you probably know you can check in Settings; Security; Unknown sources).

 

What browser do you use on the device?  Is it the default Android browser, Chrome or something else?

 

As you can probably tell I am casting around a bit as this seems odd.  Unless it is part of the factory load of software that has been updated, or someone else has had your phone recently and been loading software...

 

You say that you did not find it in Apps under Downloaded.  Did you find it under "All" and can you uninstall it from there?

 

If you can be certain that it is not part of the factory loaded software then one option would be a factory reset.  But that may be a pain and unless you can be sure that will get rid of it, I would be wary of suggesting it.

 

I look forward to your reply.

Thx Mike

 

Ah, so there was a prompted upgrade to the Android OS that came across not too long ago and I ran. Embarrassingly, I didn't pay a whole lot of attention to it, but I think it was this - http://www.androidauthority.com/galaxy-s3-android-4-3-update-hold-samsung-318014/

 

From that article, it looks like there were problems...I guess I can reach out to Samsung and see what they know about this app. However, since Norton Halt is detecting this as potential malware - and this is a Norton board- perhaps any Norton folks out there can look into the issue as well?

 

To your other questions -

 

* No, unknown sources is not checked (allowed) under security settings

* I used the default android browser (haven't installed any others)

* Yes, it only appears under all and there is no option to uninstall. Here is what I see:

 

http://community.norton.com/norton/attachments/norton/Other_Mobile/577/4/phoneinfo.pdf

 

Thanks for the quick response thingy543.

 

Well it looks to me like the Samsung upgrade.

 

I have already drawn this to the attention of the Halt team but as far as I can see Halt has done its job and told you that there is a hidden device administrator, so I'm not sure what else you expect them to do.  Norton apps are not going to stop a manufacturer's upgrade once you have chosen to install it....  Neither can they remove manufacturer supplied apps on a non rooted device.

 

I hope you have some luck with Samsung, we would be fascinated to hear anything you can get from them as it will help us and the team respond better in future.

 

Good luck and I look forward to hearing back from you.

 

In the interim - Happy New Year....

Thanks very much Mike. I have submitted an inquiry to Samsung. I will let you know what I hear back.

 

I do get your point about Halt's capabilities. I guess I am very keen to find out if this is a false positive - any feedback from the Halt team would be fantastic.

 

Happy new year to you as well!


thying543 wrote:

.......................

I do get your point about Halt's capabilities. I guess I am very keen to find out if this is a false positive - any feedback from the Halt team would be fantastic.

 

........


I think the point is that Halt has identified what it perceives as its capabilities - what it does with those is another matter.

 

Good luck.

Here's the response from Samsung. Completely resetting the phone and starting over is going to be a nightmare for me. But I will do it, if I have to. 

 

Of interest to Norton Halt is that Samsung says they have nothing to do with Phone Info.

 

========

 

Thank you for contacting Samsung Telecommunications America. 

 

After reading your e-mail, we understand that Norton Halt installed on your Samsung Galaxy S3 detects the application Phone info as a Hidden Device Administrator and you would like to remove it.

 

We understand how important it is to get it fixed. 

 

We would like to inform you that Phone info and Norton Halt for Android are third party applications and we do not have information regarding these applications available in Play store as they are not tested by Samsung. As you are unable to remove the application on the device, we recommend you to perform a factory data reset to fix the issue. 

 

Most of the issues can be resolved by performing hard reset (Factory Reset). Your phone settings will be changed to default factory settings once you perform Hard reset. Hard reset erases all downloaded applications and personal files, including music, pictures, videos, and documents, that did not come pre-installed on the device. Paid applications can be re-downloaded free of charge if the same Google account is used after the reset.

 

Please back up the data using Samsung Kies application which can be downloaded from the web link below. 

 

Link : http://www.samsung.com/kies

 

Please restart the PC to save the changes. Please back up the data on the device by following the pictorial representation given in the web link below. 

 

Link:http://www.samsung.com/us/support/SupportOwnersFAQPopup.do?faq_id=FAQ00029017&fm_seq=29185 

 

Perform a factory data reset on the device by following the steps given in the web link below once you have backed up all the data. 

 

Link : http://www.samsung.com/us/support/faq/FAQ00047427/51470/SPH-L710RWBSPR 

 

We are positive that you can fix the issue by performing factory data reset on the device. 

 

Feel free to contact us if you have any questions regarding your Samsung Mobile Phone, you can also reach out to our chat support team by accessing the following link. Live Chat is available 24 hours a day and 7 days a week. 

 

Link: http://www.samsung.com/us/support/contact 

 

Thank you for your continued interest in Samsung products. 

 

Sincerely, 

 

Valarie 

Technical Support 

Thanks for that update thying543.

 

Well if it did not come from Samsung then I am most puzzled where it came from, however I agree with their advice that a factory reset seems the next thing to do.  Sorry.....   :smileysad:

 

If you do a factory reset may I suggest that the first thing you do on getting the device up and running again and before you reconnect to the internet is to look at All apps and see if "Phone Info" is there or not.  If it is then you probably need to contact Samsung again with the relevant screenshot.  If not, load Halt and keep an eye out for it reappearing later.

 

As before we remain interested in whatever you decide to do.  Sorry I cannot offer you an easier solution.

 

You can rest assured that the Halt team have been informed but there appears to be no new advice.

 

Whatever you decide may I take this opportunity to wish you all the best for 2014.  :smileywink:

 

Good luck

Hi, thying543,

 

I've done a little digging on this myself. Are you by any chance a Sprint customer?

 

I'm finding multiple indications that this software, a.k.a., com.sec.sprextension.phoneinfo is part of Sprint's bloatware that they add to the baseline Android OS before releasing it to their customers. See, for example:

 

https://community.sprint.com/baw/thread/116701

 

Haven't found any suggestions of what it does, but it almost certainly arrived with your Android update (these are actually pushed by our telecom providers after they've "customized" them in whatever ways they see fit to allow the OS on their network--which is why you'll hear that an Android update has been released...but still have to wait months before you actually see it on your phone).

 

Two takeaways: one, it isn't likely to be anything you have to worry about--coming as it does from your carrier--and two, there isn't anything you can do about it if you did worry--any more than those annoying games we never play and apps we never open that they inflict on us too--other than switch carriers...and take the new guys' bloatware instead....

 

Not exactly the ideal news (i.e., here's how you get rid of this...)--but at least it's not malware.

 

V/R,

--DistEd2
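
A way to check the point made in the post above, that the package arrived with the carrier firmware rather than as a later install, is to look at where its APK lives and whether it is registered as a device administrator. The script below is an added example, not part of the original thread or of any Norton or Sprint tool; the sample `adb` output, the APK file name and the receiver class name are constructed, and the layout of the `dumpsys device_policy` output is an assumption.

```shell
#!/bin/sh
# Added example. The two SAMPLE_* values are constructed, not captured from the
# phone in this thread; the APK file name and receiver class are hypothetical.
PKG="com.sec.sprextension.phoneinfo"   # package name quoted in the post above

SAMPLE_PATH='package:/system/app/PhoneInfo_SAMPLE.apk'
SAMPLE_POLICY='Current Device Policy Manager state:
  Enabled Device Admins (User 0):
    com.sec.sprextension.phoneinfo/.SampleAdminReceiver:'

# Classify an APK location from `adb shell pm path <pkg>` output.
#   /system, /vendor : part of the firmware image; a factory reset leaves it in
#                      place and it cannot be uninstalled without root.
#   /data/app        : installed after first boot (store or sideload). An updated
#                      system app also reports /data/app, so cross-check with
#                      `adb shell pm list packages -s`.
classify_origin() {
    path=$(printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^package://p' | head -n 1)
    case "$path" in
        /system/*|/vendor/*) echo "firmware" ;;
        /data/app/*)         echo "user-installed" ;;
        "")                  echo "not-found" ;;
        *)                   echo "unknown" ;;
    esac
}

# True if <pkg> owns a component listed in `adb shell dumpsys device_policy`
# output ($2). Older adb builds emit CRLF, hence the tr.
is_active_admin() {
    printf '%s\n' "$2" | tr -d '\r' | grep -qF " $1/"
}

# Combine both checks into one line: "<origin> admin=<yes|no>".
assess() {
    if is_active_admin "$1" "$3"; then admin=yes; else admin=no; fi
    echo "$(classify_origin "$2") admin=$admin"
}

# Offline run on the constructed sample. On a real device, replace the samples:
#   assess "$PKG" "$(adb shell pm path "$PKG")" "$(adb shell dumpsys device_policy)"
assess "$PKG" "$SAMPLE_PATH" "$SAMPLE_POLICY"
```

A result of `firmware admin=yes` matches the situation described in this thread: a preinstalled package holding device-administrator rights that no settings screen offers to uninstall.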

Thanks for that DistEd2.

 

If you are a Sprint customer thying543 then there seems little point in doing a factory reset as it would just give it back to you.  As you appear to have contacted Samsung direct then they could be correct in saying that they knew nothing about it, the provider having added it to the package after it left Samsung.  What you could try doing is contacting your provider and see if they admit to knowing about "Phone Info".

 

Thanks so much DistEd2 for finding that. I am indeed a Sprint customer and those threads you found are very similar to what I am seeing on my device. It is disturbing that they are placing this undocumented software on customer devices, but it is a big relief to know that I am not alone and/or infected with malware.

 

Happy new year!

Thanks for assistance on this, Andmike. I am not optimistic that I will get anything more from Sprint than others on that board did, but I will post any developments here. Happy new year!

[Admin Edit: Post moved to threads of its own: Norton Halt: Hidden device administrators found - Phone Info ]