Concerned about security on T2e Android 11 with no more security updates

Hey all, and more specifically, Teracube engineering:

Let me pick your brains on this. Recently, I got my T2e replaced with what was supposed to be a brand new replacement. In the past, I would always have done a wipe and firmware change out of an abundance of caution on any new device. However, I was busy and the phone seemed new/sealed and booted-up and went through fresh OOBE and showed no prior uptime. So I popped my sim card in and started using it.

Two days ago, I get a couple of SMS verification codes from Google Voice’s official SMS shortcode, which I ignored, aside from a quick visit to Google to make sure my account was secure and no logins had occurred from unknown devices. All looked good with no unauthorized activity, so I went about my business. A few hours later, I got an email from Google Voice that my cellular # had been removed from Google Voice as a forwarding number and attached to someone else’s GV account, meaning they were able to read my text messages. I re-added the number as a forward to my GV account, and verified using the SMS codes sent to me. I also sent an alert to GV support, but sending anything serious to Google expecting action is like sending a letter to the White House and expecting someone to actually do anything with it. At least in my experience haha!!

Fast forward a few days, I woke up this morning and a well-known social media app that I use had been hijacked. This app was NOT on the T2e, however this app uses a phone number (and SMS verification, with email as optional backup). Someone would have gone through SMS verification in order to gain access on another device. The email was changed by them but the phone number left alone. Meaning, they were able to sign into the service and get an SMS verification code, then change my email on the service to something else.

Given the fact that this seems to be an SMS intercept, it seems that one of the following is true:

A) on-network SMS intercept on T-Mobile’s system

B) the new T2e came with some malware installed

C) the new T2e became the victim of an attack, likely due to out-of-date security fixes exposing some vulnerability.

As a precaution, I wiped and re-flashed firmware on both the T2e and my other device (I don’t suspect the latter because it has no SMS capability), and re-built everything from scratch, passwords, yadda yadda yadda.

Pertinent facts:
1- I use a separate device with the bulk of my apps (wifi only, no cellular) for daily use

2- the new T2e was mostly factory-vanilla with only minor customization done to it (icons, look, etc) and had a lock code active

3- very few apps were installed on the new T2e phone and it was only being used for calls and SMS for the most part. No websites had been pulled up on it yet, and although email was set up, the app has always been configured to not load anything outside of plaintext content from any messages.

4- No other device besides the new T2e had access to send/receive SMS on that cellular service

5- Wifi calling has always been turned on, and that carries SMS also, I believe.

6- The new T2e was updated with all available security updates/patches, however, being on Android 11.x, those updates stopped a very long time ago.

Any ideas guys? Something I could be missing here? I’m doubtful that it was a hack on T-Mobile’s network. Before I wiped and re-flashed the T2e, I did look at all the running processes and didn’t see anything out of the ordinary. Like I said, it had very little of anything installed on it yet, as I had just started using it.

1 Like

As Forbes noted 2.5 years ago, SMS verification is going to fail a quarter of the time, and it’s well known that the networks are often hijacked with MitM attacks which can stay dormant for extended periods of time.
If you’ve used SPflash with the known-good firmware from here, have only installed ‘safe’ apps, and are still getting compromised, it’s likely the infrastructure at fault rather than your phone.

1 Like

Hi @sgray500 - sorry to hear about this situation. The issue is most likely caused by something outside the phone (carrier level maybe) as getting something on the phone would be a very, very highly sophisticated attack and would have been public by now.

Regarding the malware part, all our units should have the bootloader locked. You can verify this by running this app.

1 Like

Thanks guys, for the input on this. Yeah, all reasonable precautions have been taken to keep the device clean, and yes I used the firmware from here and did the wipe/flash/wipe.

It just amazes me how widespread these attacks are getting now. I have a port-lock on my number with the carrier, so I’ll cross my fingers and keep playin the drums!! :stuck_out_tongue_closed_eyes:

1 Like