04 July 2019

190704 - WhatsApp installs new rootkit, yet undetected by all major security software

You thought WhatsApp had solved its "exploits" used by the state intelligence communities of the USA, Great Britain, Australia, Canada, New Zealand and Israel?
Nope.

You can also wonder whether it was an exploit or an "actively tolerated" backdoor ordered by the NSA and GCHQ, and "developed" with the support of Israeli programmers.

In any case, between 27 June 2019 and 1 July 2019, I managed to neutralize and identify a new type of Android rootkit, which was completely undetected by Symantec, Kaspersky, Avast/AVG and ESET.

The rootkit was detected by an indirect method, which I will describe here, and eliminated as well.

However, THANK YOU, USA, UK, Canada, Australia, New Zealand and especially Israel for the honour accorded to my person and to my Swedish phone number: +46 720 329614.

I will describe technically how I detected and eliminated the rootkit, so that your programmers can "correct" the mistakes made and improve your rootkit for better undetected use.

The same rootkit is also spread packaged with various popular software, made available via a piracy site "curiously tolerated by US authorities", "forum.mobilism.org".

Devices used:
Motorola G6 Plus rooted with the latest Magisk and Xposed;
Windows desktop PC

Windows Software:
Symantec Endpoint Protection

Android Software:
Kaspersky Mobile Antivirus AppLock & Web Security
Avast Antivirus Mobile Security & Virus Cleaner
ESET Mobile Security & Antivirus
Marcel Bokhorst NetGuard Pro
3C Battery Monitor Widget Pro
GSam Labs GSam Battery Monitor Pro

Install all the software listed above.
Configure NetGuard Pro to block everything on Mobile Data and WiFi.
Install or reinstall WhatsApp, or some of the software "released" on "forum.mobilism.org" between 27 June 2019 and 30 June 2019.
Assume your person is an "interesting profile" for the Five Eyes community (US+UK+CA+AU+NZ) or Israel.
It is enough that your number is called or that you make just one call.
Turn WiFi on. Keep it on for a few minutes. Then turn WiFi off.
Wait at least 12 hours; do not use the phone or the WiFi on it.
The rootkit will trigger itself, trying to send the logged data from your device.
There is a "bug" in the rootkit which does the following: if it cannot send the logged data for at least 12 hours because it is blocked by the firewall, the rootkit will infect the process "com.motorola.modemservice", in practice "hammering" the phone modem, to be able to force-send the logged data via mobile data. (I used the latest NetGuard version current for the period named; it is possible for the author to be "bought" by the affected 5 Eyes + Israel, so I am not sure whether future versions will still successfully block the rootkit.)
Not being able to send, this "hammering" results indirectly in higher power consumption, detected by both 3C Battery Monitor Widget Pro and GSam Labs GSam Battery Monitor Pro.
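The indirect check described in the steps above can be made reproducible by comparing each package's battery draw before and during the firewall-blocked idle window. The script below is an added example, not code from the original post: the log format and values are constructed (not a real GSam or 3C export), and the 3x ratio and 1 mAh floor are assumed thresholds.

```python
"""Flag packages whose battery draw jumps during a network-blocked idle window."""
from collections import defaultdict
from statistics import mean

# Constructed sample (hypothetical, simplified): hours since start, package, mAh drawn
# in that interval. Hours 0-6 are normal use; from hour 12 the phone is idle and blocked.
SAMPLE_LOG = """\
0,com.android.systemui,3.5
0,com.motorola.modemservice,1.25
0,com.whatsapp,0.25
6,com.android.systemui,4.5
6,com.motorola.modemservice,1.75
6,com.whatsapp,0.75
15,com.android.systemui,1.0
15,com.motorola.modemservice,8.5
15,com.whatsapp,0.25
21,com.android.systemui,1.5
21,com.motorola.modemservice,9.5
21,com.whatsapp,0.25
"""

def parse_samples(log):
    """Parse 'hours,package,mAh' lines; blank lines and '#' comments are skipped."""
    rows = []
    for line in log.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hours, package, mah = line.split(",")
        rows.append((float(hours), package, float(mah)))
    return rows

def flag_idle_drain(rows, idle_start, ratio=3.0, min_mah=1.0):
    """Return {package: increase factor} for packages whose mean draw while idle is at
    least `ratio` times their active baseline and at least `min_mah` per interval.
    A package with no baseline is compared against a 0.1 mAh floor (assumed value)."""
    before, after = defaultdict(list), defaultdict(list)
    for hours, package, mah in rows:
        (after if hours >= idle_start else before)[package].append(mah)
    flagged = {}
    for package, idle_vals in after.items():
        baseline = max(mean(before[package]), 0.1) if before.get(package) else 0.1
        idle_mean = mean(idle_vals)
        if idle_mean >= min_mah and idle_mean >= ratio * baseline:
            flagged[package] = round(idle_mean / baseline, 1)
    return flagged

if __name__ == "__main__":
    print(flag_idle_drain(parse_samples(SAMPLE_LOG), idle_start=12))
```

With the constructed data only the modem service is flagged, with its idle draw six times its active baseline; a real export will need its columns mapped onto the same three fields first.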

Connect the phone to the PC and do a complete device scan via adb with Symantec Endpoint Protection.
As you guessed, Symantec being a US-registered company, it will detect nothing.

Now do the same full device scan (apps, APKs, files, processes, memory) with ESET.
ESET is native to Slovakia but operates in the USA, hence do not expect it to detect anything; confirmed.
Do not expect them to make public the evidence registered from my phone.

Now do the same full device scan with Avast/AVG.
Native to Czechia, operating in the USA: same result as ESET, nothing detected.
Do not expect them to make public the evidence registered from my phone.

Now the interesting part: use the latest Kaspersky Mobile Antivirus AppLock & Web Security.
Unfortunately, Kaspersky is not able to detect the rootkit either.
I do hope that Kaspersky will inspect their logs and identify my Motorola G6 Plus scanned by them, to create an identifying signature for the rootkit.
All the evidence exists, registered at Kaspersky.

So, no current security software for Windows or Android was able to detect the rootkit.
A clear sign that it is a newly developed cyberweapon by the USA, UK, CA, AU, NZ and Israel.

Eliminating the rootkit.
As no software was able to detect it, the only solution was a factory reset of the phone.
I disabled automatic update/install from Google Play to avoid automatically reinstalling previously installed software, including WhatsApp.
Be very cautious when installing pirated software from "forum.mobilism.org"; the fact that it is "tolerated" by the US authorities says a lot.

Thinking of "Piracy", "Double Standards", "Money Laundering" and "Criminal activities on the internet", think of two things:
Who are the main "remaining tax havens"? Mostly USA and UK colonies (according to United Nations and Interpol statistics).
Which countries receive "fugitive tax-payers and money launderers" with open arms as "strategic investors"? The UK and Israel (according to United Nations and Interpol statistics).
This is a double standard.