Saturday, January 30, 2016

Google Play Services networking error > Phishing?

Last week my son approached me because his Samsung all of a sudden started to show networking errors for YouTube, the Play Store and the G+ app. Connectivity was fine; we switched from 4G to Wi-Fi and back with no change (he would not have asked me about a pure connectivity issue). The YouTube app itself worked fine and played videos, he just could not log in with his Google account.
So it was no wonder the problem showed up across several Google services/apps but nowhere else.

Opening google.com/youtube.com in the browser also showed no problem, so it was definitely not a networking, DNS, routing... problem.

I did some googling and found (apart from nonsense like "turn on wifi"...) some hints about a broken hosts file. So I adb'd into the device from my computer and pulled the /system/etc/hosts file:
127.0.0.1    localhost
127.127.120.139 android.clients.google.com
With a hint from the ever-helpful Stack Exchange and the fine coincidence that he (or was it me?) had rooted his phone sometime in the past, I was able to shell in, su to root, remount the file system read-write, comment out that last weird line (for android.clients.google.com) and remount the file system read-only. Check the details in this post on Stack Exchange.

And then it worked.
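To make that hosts-file check repeatable, here is an added example that is not from the original post: it parses a pulled hosts file and flags entries like the one above. The address 127.127.120.139 sits inside the 127.0.0.0/8 loopback block, so that line was steering the Google client at something listening on the phone itself. The sample input is the two lines shown above; the set of names that may legitimately map to loopback is my assumption.

```python
import ipaddress

# Constructed sample: the two lines pulled from /system/etc/hosts in the post.
SAMPLE_HOSTS = """\
127.0.0.1    localhost
127.127.120.139 android.clients.google.com
"""

# Names that may legitimately resolve to a loopback address (assumption).
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

def parse_hosts(text: str) -> list:
    """Return (address, hostname) pairs, skipping blank lines and comments."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            pairs.append((fields[0], name.lower()))
    return pairs

def suspicious_entries(text: str) -> list:
    """Flag entries that pin a non-local name to an address: hosts overrides DNS,
    so such a line silently reroutes the service; a loopback target (the post's
    case) sends the client to a listener on the device itself."""
    findings = []
    for addr, name in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((addr, name, "unparseable address"))
            continue
        if name in LOCAL_NAMES:
            continue
        if ip.is_loopback:
            findings.append((addr, name, "non-local name pinned to loopback"))
        elif ip.is_private:
            findings.append((addr, name, "name pinned to private address"))
        else:
            findings.append((addr, name, "name pinned to fixed address (bypasses DNS)"))
    return findings

if __name__ == "__main__":  # e.g. run on the output of: adb pull /system/etc/hosts
    for addr, name, why in suspicious_entries(SAMPLE_HOSTS):
        print(f"{name} -> {addr}: {why}")
```

Any finding for a third-party service name is worth treating as tampering, since a stock hosts file on the device should only carry localhost entries.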

This looks suspiciously like a phishing attempt by some malware that managed to manipulate the hosts file to get the Google password. So the first thing after fixing this: change the password.
Next thing, find that f*ing app that did this.

That's the downside of having rooted your phone. So finding the phone rooted was not such a coincidence after all.