QKSMS compromised?

Hope someone looks into this. I tend to assume most devs releasing FOSS software do so free of malicious intent. I haven’t heard much about any confirmed cases of malicious FOSS apps, but I haven’t found evidence that much of it is even checked. I wouldn’t be surprised if your SIM was cloned in this case as I’ve heard SIM card tech has been compromised for some time now.

Nobody has had access to my physical SIM, and even if someone did, I am not an interesting target, not to mention they’ve only been registering accounts and not actually hacking any of my own.
In terms of looking into the app, if I don’t forget, I’ll post the exact APK that’s on my phone, but I suspect it will match whatever F-Droid serves. But I think going further with the analysis should involve actually decompiling the app, because we can’t make any assumptions where the app’s been compromised (if it has been). Source code might be clean only for some other process in the chain to be compromised in some way. Sadly, I have no experience with that sort of thing.
Since I stripped the app of its permissions and stopped using it, nothing of that sort happened again though.

Well, stock Android shows that only QKSMS had it (and now the stock app instead, of course). I know it may be obscuring parts of the Android OS that also have access, but that means we’re assuming that the OS is compromised.


I don’t think they’d need physical access. Please let me know if it happens again.


For all we know it could be a coincidence, or someone at the phone company selling info to clone others’ service, or many other possibilities, not even mentioning the Android’s configuration and state.

Not against you at all but just because it happened after installing QKSMS doesn’t mean anything as it’s likely the results would be similar with any messaging app.

There are just too many other variants that could be the reason. If your instinct is strongly telling you it’s QKSMS, know that I am not saying it wasn’t/couldn’t have been at any fault.
Just consider all options.

Hope it’s nothing to worry about though, those situations are never fun.



Now the above is weird. I checked and the apparent VT result is throwing a false positive. Just thought of sharing here, and honestly I found it funny for the VT result.

I went through the VT report and I don’t see anything suspicious.
Besides, with VT, if just one non-major vendor flags a file as malicious, one should always double-check if it’s a false positive.
QKSMS can send text messages; only that could potentially lead to the detection by that vendor.
Anyway, I’d assume this is a FP…

I am also using Moto G7 Play with stock