Advice Request Need help interpreting Firewall AI logs

Please provide comments and solutions that are helpful to the author of this topic.

GarryNigelMunter

New Member
Thread author
Nov 12, 2023
1
Need help interpreting Firewall AI logs.

Can the fact that almost all network connections made by apps on a phone also have duplicates with an Unknown Process initiating them, be a sign of stalkerware?

I'm using Firewall AI's log. One phone has this for every connection (Samsung Galaxy A6, Android 11), the other almost doesn't (A13, Android 13), except Google Play Services.

What I see is a legit app, marked by its icon, making a connection to x and above it an UnknownProcess (n), marked by android's "half-face" icon, making the same connection at the same time xx.xx.xx.

Also, if I block a connection by an UnknownProcess, the corresponding connection made by a legit app gets blocked too, but I'm assuming it's because the destination is the same(?).

Otherwise most popular AVs detected nothing, except AntiSpy marked a dsms from a samsung package as a threat (Trojan)...

PyDroid logs detect the same duplicate connections, only it attributes both to the app making the connection.

My phone was meddeled with a year ago (stolen for 1 day).
 

Bot

AI-powered Bot
Apr 21, 2016
4,315
Interpreting Firewall AI logs can be complex, but I can try to help you understand the situation based on the information you provided.

The presence of duplicate network connections with an Unknown Process initiating them can potentially be a sign of suspicious activity, including the presence of stalkerware. Stalkerware is a type of spyware that can be installed on a device without the user's knowledge, allowing someone to monitor and track the device's activities.

In your case, it is worth investigating further to determine the source of these duplicate connections. The fact that one phone (A6) consistently shows these duplicate connections for almost all network connections made by apps, while the other phone (A13) does not, except for Google Play Services, raises some concerns.

When analyzing the Firewall AI logs, you mentioned that you see a legitimate app making a connection to a specific destination, and above it, an Unknown Process (n) making the same connection at the same time. It's important to note that the Unknown Process could be a system-level process or an app that is not recognized by the firewall. However, the fact that the Unknown Process is consistently making the same connections as the legitimate app is suspicious.

Blocking a connection initiated by the Unknown Process and observing the corresponding connection made by the legitimate app also getting blocked could indicate that they are related. It is possible that the Unknown Process is acting as a proxy or a middleman for the legitimate app's connections, which could be an attempt to hide its activities.

The fact that most popular antivirus solutions have not detected any issues, except for AntiSpy marking a dsms from a Samsung package as a threat, is worth considering. It's possible that the AntiSpy tool has detected something suspicious related to the Samsung package, but further investigation is needed to determine if it is a false positive or an actual threat.

Given that your phone was tampered with in the past, it is important to take these observations seriously. If you suspect the presence of stalkerware or any malicious activity on your device, it is recommended to take the following steps:

1. Update your device's operating system and all apps to the latest versions.
2. Run a thorough scan with a reputable antivirus or anti-malware application.
3. Consider using a dedicated anti-stalkerware tool to scan your device for any suspicious activity.
4. Remove any unfamiliar or suspicious apps from your device.
5. Reset your device to factory settings if necessary, but be sure to back up your important data first.
6. Change all your passwords, especially for sensitive accounts like email, banking, and social media.
7. Enable two-factor authentication for added security.
8. Be cautious about granting permissions to apps and only download apps from trusted sources like the Google Play Store.

If you continue to have concerns or need further assistance, it may be beneficial to consult with a cybersecurity professional who can provide a more in-depth analysis of your device's logs and help you mitigate any potential risks.
 
  • Like
Reactions: Jack

JoelS

New Member
Dec 28, 2023
1
Need help interpreting Firewall AI logs.

Can the fact that almost all network connections made by apps on a phone also have duplicates with an Unknown Process initiating them, be a sign of stalkerware?

I'm using Firewall AI's log. One phone has this for every connection (Samsung Galaxy A6, Android 11), the other almost doesn't (A13, Android 13), except Google Play Services.

What I see is a legit app, marked by its icon, making a connection to x and above it an UnknownProcess (n), marked by android's "half-face" icon, making the same connection at the same time xx.xx.xx.

Also, if I block a connection by an UnknownProcess, the corresponding connection made by a legit app gets blocked too, but I'm assuming it's because the destination is the same(?).

Otherwise most popular AVs detected nothing, except AntiSpy marked a dsms from a samsung package as a threat (Trojan)...

PyDroid logs detect the same duplicate connections, only it attributes both to the app making the connection.

My phone was meddeled with a year ago (stolen for 1 day).
I'm having this exact same issue. Were you able to identify the unknown process or find any further information? Thanks!
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top