
suspicious activity from "Linux" on an android phone
I need help with fixing certs I believe were changed by an application. I found some files in an application I installed through another without fully looking at the extra packaged material. One seems to be a configuration file for CA certs and the other is a list of SSL certs taken from Mozilla that were included with the intent of editing trusted user certs. I now see the evidence of a Linux device using my Firefox. To me, that is pretty clear evidence that Shell was used for some connection. So, with that, I'm assuming the certs on my device are not correct, and need to be fixed. Please let me know what I can do for this and if there is any other information you can give me on how to find out more about what to do. Unfortunately, there are also files that seem to also change user to a fake user while they gain root as guest. Any additional information including removing and replacing all certs would be very helpful. I'm trying to get to a certain point of restricting access and making a move to alert the correct people in GitHub and a couple of others with/towards some of the files before I do any kind of reset as I am not fully sure how tainted the restore might be.
All Replies (5)
Hi
Not sure I fully follow what you are saying or what the problem is here.
How did you identify the certs in Firefox for Android? What other apps have you recently installed on your Android device?
I'm simply asking for information on getting Mozilla CA certs replaced.
I know they are Mozilla certs because of this screenshot (I won't add the full list for that one). Regardless of what this all may be, I would like to completely renew all certs that Mozilla provides. The other photo shows the end of the first file. I think the last bit switches the cert for whatever reason. I don't really like the idea of a random app running a command to replace a cert. It just seems like odd behavior. Let me know if it is not or if having an openssl config file is normal. I'm not exactly well-versed in this stuff. I was more worried about the other things I found, but I'm dealing with those elsewhere as the only connections with Firefox were the Linux activity showing on my profile and the Mozilla certs.
If you feel like reading through more screenshots, I will send them.
Novain'i Oops I shouldn't have... t@
There is no direct mechanism to replace the certificates in Firefox for Android which I believe are included when the app is compiled or updated.
That is unfortunate. I have found out more, and it turns out they duped a few certs for use with other communication routes. The only connection here was the fact the originals were taken from Mozilla archives. Taking the few certs they duped off was nowhere near fixing the full problem. It turns out using a phone that is just an Android emulator doesn't really give you much to work with when the daemon in charge is triggered by any intent. Thank you for your help.
Thank you for your feedback.