Hidden .facebook_cache folder
Started to notice a hidden .facebook_cache folder containing journal entries. That never happened before! Note, we've never used Facebook... My SO is forced to use WhatsApp for work though.
Anyone who uses the Facebook phone app knows what a toll it can take both on your mobile data and free time to be plugged into the social network through your device. But what happens if you don't even have an account, you can't remove the app, and the social network won't leave you alone? That's a problem facing folks around …
What's the path to this folder, you mean?
It's located in the root of 'Internal Storage', right next to the default location for DCIM (photos / videos). Connecting the phone to a PC via USB shows the folder. It's not visible on the phone otherwise, due to the period at the start of the filename.
The folder along with its files are getting created periodically, possibly around the 3rd week of every month (now)... What's in the files? No idea, they're encoded. What are the filenames? They're mostly obscure but two of them end in 'unknown', and the only other standout one is called 'Journal'...
Anyone else seeing this? .... Any idea what these are? This phone has never had Facebook ever. It's Android v4. Every single slurpable app has been long disabled, except WhatsApp... Which was side-loaded earlier this year...
Sadly, lots of workplaces are too useless to have proper infrastructure and so rely heavily on Gmail / Google-apps and WhatsApp etc. Especially educational institutes. Consider yourself lucky / free to escape this kind of oppression! But make sure you're not friends or have family linked to anyone in this situation sharing your cellphone / email with Suckerberg, or your info is being hoovered up in Shadow Profile data too!
" lots of workplaces are too useless to have proper infrastructure and so rely heavily on Gmail / Google-apps and WhatsApp etc. "
Mine is one of these (except WhatsApp). So what I do is use them -- but only on company computers, and only for company business.
I don't allow any of my personal machines or devices to communicate with company equipment or services.
Luckily, I don't have this issue since we have OUR OWN Android OS which we rebuilt from SCRATCH which redirects all IP requests and file open/save requests to sandboxed files which we can examine at ANY time to see where they are going and what is being saved.
In a CUSTOM version of Android you just redirect ALL file open/write/read/close requests and ALL IPV4/V6 data reads/writes to custom memory locations and REMAP storage requests to custom files which can be moved and/or examined and/or deleted at any time!
Any APPS we install will work as normal and since we even create our own version of JAVA/JS where we can ENSURE everything such as location data, hardware and BIOS access is simply STRIPPED OUT or redirected...It's actually not that hard to do and once your codebase is set you only need to update it whenever a new version of Android comes out.
Yes! A "normal" company would NOT do that but since we ARE NOT a normal company, we have the coders and hardware tech engineers and gurus who can do stuff like that! We STILL use Facebook and many applications BUT it's on OUR TERMS ONLY since WE rewrote the Base Android OS, the phone BIOS and the JAVA JIT engine AND the HTML5 browser engines from SCRATCH !!!
I vaguely remember with Win95 with some form of early malware that would either create a file in the Windows directory.
The way to prevent it was to create a folder with the same filename (complete with .EXE at the end) as the malware. The idea was that you can't overwrite a folder with a file, and so was safe.
Not an Android person, but wonder if you deleted that folder and created a file with the same name it would bugger things up for FB?
"Have Win7/Mint on Desktop. Steps for easy install of sqlite3...?"
Dunno about Win 7, I don't have one of those handy, and even for Mint I'm just guessing, I don't want to turn on my test Mint system just to look that up, but try this on Mint -
apt-get install sqlite3
Or try searching for it in what ever package manager you use on Mint, it'll be there. It might even be installed already, it's a common dependency for Linux packages.
UPDATE:
Thanks for the debugging suggestions guys. It seems I had Sqliteman installed for phonebook backups. However it didn't recognize the files. But File <filename> returned 256 x 256 PNG. Turns out they're thumbnails, like little Google-maps.
CONCLUSION: Looks a lot like 'Location' Tracking-Data.
Location Services are fully off, but of course on Android-4, there's no permissions. So WhatsApp could be logging cellphone towers like Google was caught doing recently.
Interesting stuff, but terrifying too, if it turns out to be true. Will keep an eye in coming months and post again under the same original post title if things go down-the-rabbit-hole much further...
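The check that settled this (a "-journal" name suggesting SQLite, but content that was really a 256 x 256 PNG) comes down to reading magic bytes instead of trusting filenames. The sketch below is an added example, not code from any poster in the thread; the file names and bytes written by `build_sample` are constructed stand-ins for a folder copied off the phone.

```python
import struct
import tempfile
from pathlib import Path

PNG_SIG = b"\x89PNG\r\n\x1a\n"
SQLITE_DB = b"SQLite format 3\x00"
SQLITE_JOURNAL = bytes.fromhex("d9d505f920a163d7")  # rollback-journal magic


def identify(data: bytes) -> str:
    """Classify a file by its leading bytes, ignoring its name."""
    if data.startswith(PNG_SIG):
        # First chunk is IHDR: 4-byte length, b"IHDR", then width and height.
        if len(data) >= 24 and data[12:16] == b"IHDR":
            width, height = struct.unpack(">II", data[16:24])
            return f"PNG image, {width} x {height}"
        return "PNG image, truncated header"
    if data.startswith(SQLITE_DB):
        return "SQLite 3 database"
    if data.startswith(SQLITE_JOURNAL):
        return "SQLite rollback journal"
    return "unknown"


def triage(folder: Path) -> dict:
    """Map each regular file under folder to its detected type."""
    report = {}
    for path in sorted(folder.rglob("*")):
        if path.is_file():
            with path.open("rb") as fh:
                report[path.name] = identify(fh.read(32))
    return report


def build_sample(root: Path) -> Path:
    """Constructed stand-in for the copied folder; names and bytes are made up."""
    cache = root / ".facebook_cache"
    cache.mkdir()
    ihdr = struct.pack(">I4sII", 13, b"IHDR", 256, 256)
    (cache / "journal").write_bytes(PNG_SIG + ihdr)
    (cache / "a1b2-journal").write_bytes(SQLITE_JOURNAL + b"\x00" * 20)
    (cache / "c3d4.unknown").write_bytes(b"\x00\x01\x02\x03")
    return cache


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, kind in triage(build_sample(Path(tmp))).items():
            print(f"{name}: {kind}")
```

Point `triage()` at the real folder copied over USB to get the same report without installing anything.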
Please ping me if you have an update, or want to investigate further. I'm unlikely to notice any replies to this topic in the future (sucky El reg forums - how on Earth do people track replies on here?)
The "-journal" ending implied to me it was sqlite3, but they were images.. Hmm. maps of your location?
I don't have access to an android *phone* so can't check, but I can confirm that at least until android lollipop you could grab the wlan mac, and the host mac on a tablet even without being granted the privileges "needed", so nothing would surprise me ( https://forums.theregister.co.uk/forum/containing/3520637 )
Of course, the host mac is good as a unique id (if the 'official device unique id' is denied)
Also, the wlan mac can be used to track you from their big database of snarfed wlan mac address.
Incidentally, I worked out how to do this after accidentally stumbling on an app that had my precise location in its config/data file - despite me never authorising it, or even having GPS (not really much point on a TV box!)
Even some apps from "reputable" companies do this - it appears that the ad brokers follow no rules when it comes to what they'll try and grab... Don't they know unauthorised access is a crime?
"my precise location in its config/data file"
Any particular format? Presumably something fairly compact (in "number of bytes" terms)?
"The "-journal" ending implied to me it was sqlite3, but they were images.. Hmm. maps of your location?"
If, hypothetically speaking, I wanted an app to unobtrusively track someone's location, periodically saving/uploading a harmless-looking image (*NOT* something that looks like a map) with the location data hidden in the image using steganography or similar, for later analysis, might be an interesting approach.
Are there any samples of this 256x256 PNG file ? Has anyone looked at the actual contents?
I'm getting confused - there seem to be 2 different anons posting here!
The format... It was just grid coordinates in text, not hidden.. It was part of a json or something. I've blocked all these ad slurpers on my router now.. .I'll see if I can find an example....
Interesting idea, though location data can be transferred in 4 bytes.. It would be pretty easy to hide that somewhere, without uploading an image... Uploading an image would set my alarm bells off immediately! Have they got control of my camera?!
Ok, I found this. I wrote a script that deletes all the spying data files, but this is obviously one I missed:
44 -rw-rw---- 1 u0_a194 u0_a194 43043 Aug 27 2016 /data/data/air.SpaceZombies2/shared_prefs/Appodeal.xml
Look for "Appodeal.xml" in the shared_prefs folder of any app (you'll need to be root though)
This is a 43K file, starting off like:
<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
<string name="banner">{"status":"ok","ads":[{"status":"mopub","id":"YktV,,, etc.
decoding it gives a json file, uploading variables such as:
gender:
alcohol:
smoking: (how the f??? does it know that?)
Interestingly, it's also hacked other apps and uploaded their unique ids that were given to me, including: "admob, applovin, chartboost, inmobi, mopub, smaato"
The worst is this URL listed:
"url":"http://soma.smaato.net/oapi/reqAd.jsp?adspace=130015622
\u0026apiver=415
\u0026bundle=air.SpaceZombies2
\u0026device=Dalvik%2F2.1.0+%28Linux%3B+U%3B+Android+5.1.1%3B+R68G+Build%2FLMY48G%29
\u0026devicemodel=rockchip+R68G
\u0026devip=88.109.36.106
\u0026dimension=full_320x480
\u0026dimensionstrict=true
\u0026format=all
\u0026formatstrict=true
\u0026gender=m
\u0026googleadid=6d7d7151-9edf-4085-aa19-67726fd7dd1c
\u0026googlednt=false
\u0026gps=51.65765765765766%2C-4.0371868876609485
\u0026iabcategory=IAB95
\u0026kws=puzzle%2Ctools%2Cadventure
\u0026mraidver=2
\u0026pub=1001000335
\u0026response=html"
All those details were accurate at the time - as I said, I don't even have gps on here, but if you look at the "gps" field, if you threw a hand-grenade at those coordinates, you'd blow up my sofa! (OK, slight exaggeration, but it's the coordinates of the playing field opposite!)
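To audit a shared_prefs file like the one in this post without reading 43K of escaped JSON by eye, the sketch below parses the XML, decodes each embedded JSON string, and lists the identifying query parameters in every ad request URL it finds. It is an added example, not the poster's script; the parameter names come from the URL quoted above, while `SAMPLE_PREFS` and all values in it are constructed.

```python
import json
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

# Parameter names taken from the request URL quoted in the post.
SENSITIVE = {"gps", "googleadid", "devip", "gender", "devicemodel", "device"}

# Constructed sample shaped like shared_prefs/Appodeal.xml; every value is made up.
SAMPLE_PREFS = r"""<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
  <string name="banner">{&quot;status&quot;:&quot;ok&quot;,&quot;ads&quot;:[{&quot;status&quot;:&quot;smaato&quot;,&quot;url&quot;:&quot;http://soma.smaato.net/oapi/reqAd.jsp?adspace=0\u0026devip=192.0.2.10\u0026gender=m\u0026googleadid=00000000-0000-0000-0000-000000000000\u0026gps=0.0%2C0.0\u0026format=all&quot;}]}</string>
  <string name="plain">not json</string>
</map>""".encode("utf-8")


def iter_urls(node):
    """Yield every string stored under a "url" key, at any nesting depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "url" and isinstance(value, str):
                yield value
            else:
                yield from iter_urls(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_urls(item)


def audit_prefs(xml_bytes: bytes) -> dict:
    """Return {host: {param: value}} for sensitive parameters in embedded ad URLs."""
    findings = {}
    for elem in ET.fromstring(xml_bytes).iter("string"):
        try:
            blob = json.loads(elem.text or "")
        except ValueError:
            continue  # ordinary string preference, not an embedded JSON blob
        for url in iter_urls(blob):
            parts = urlsplit(url)
            params = parse_qs(parts.query)  # also decodes %2C and similar escapes
            hits = {k: v[0] for k, v in params.items() if k in SENSITIVE}
            if hits:
                findings.setdefault(parts.hostname, {}).update(hits)
    return findings


if __name__ == "__main__":
    print(json.dumps(audit_prefs(SAMPLE_PREFS), indent=2))
```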
Although you will probably need root to get to it
Which reminds me - I'm going to need to replace my OnePlus 3 soon (it's getting a bit flaky - rebooting at random intervals - both on a stock ROM and on the custom ROM I use) and so I want to replace it. Requirements are:
2 SIM slots (I don't want to have to carry a 2nd phone for work)
Must be rootable (bonus if a custom ROM is available).
Doesn't have to have a headphone jack, would be nice to be at least splashproof and have a good camera.
Any ideas? I thought that the Nokia 8 looked like a vaguely good bet but I don't know how long they support their phones..
"Although you will probably need root to get to it,"
If you don't want to root your android, then Blokada will do the trick nicely. It's available on the F-droid store (banned from Google for obvious reasons).
Incidentally, Facebook aren't the only spyware bunch coming preinstalled/unremovable. Slimy spamhaus Linkedin has their app bundled with Samsung Galaxy 9 phones and it's also non-disablable.
Back when I used to use a smart phone, I seem to recall installing a local VPN app that created rules every time another app wanted to talk to someone. It gave you the option of denying the flow - so if you have s/ware you can't un-install you could always try blocking the data flow.
I'd definitely suggest giving dns66 (https://github.com/julian-klode/dns66) a try - it'll set itself up as a VPN on your phone so all traffic is routed through it, and then just black-hole ad sites. Don't know whether the domains the FB app is talking to are blocked by it, but it's worth a try. If the problem app is installed as a system app then you might have to go into the dns66 "APPS" settings and toggle it to show system apps since dns66 is set up so that traffic from system apps is (by default) not re-routed.
If using dns66 then you can also get it to use a chosen DNS server, e.g. an ad-blocking DNS server.
Any Android device is used only after Facebook has been killed with extreme prejudice.
1. It has an abominable level of access to your phone - more than google's own apps. I have dumped the permissions in human readable format before - have a read: https://forums.theregister.co.uk/forum/containing/3518874
2. It used to go into a tailspin without you having an account and use 100% CPU in some versions. So disabling it was a requirement if you did not have a f***book account.
3. Even if you do not have an account some versions still register as attempting to talk to mothership in an app level firewall in Android. So it is guilty of data collection until proven innocent even if you do not have an account and/or have agreed to Facebook terms. That as we all know is a GDPR no-no. I am eagerly awaiting the end of this month to unblock the "not uninstallable" factory f***book app on my phone for 5 minutes and capture its data profile. If it will be what I would expect it to be the Minuteman will start a final countdown for a 4% Turnover GDPR nuclear strike.
@Voland's right hand; "it is guilty of data collection until proven innocent even if you do not have an account and/or have agreed to Facebook terms. That as we all know is a GDPR no-no"
Indeed. Let's please, *please* hope those pathologically-contemptuous c***s get metaphorically (#) hit by the GDPR in much the same manner as Joe Pesci was at the end of "Casino".
(#) No comment on the suspicion that there are some people out there who *would* be happy to see this happen more literally to Zuckerberg!
rotfl, they're selling YOUR soul, not theirs. And the fact that "the app is installed as a system app, not a normal one" is EXACTLY there so that it stays there and you, an average mug, can't just delete it because you heard something-something-privacy-issue. You know, this free shot you get? If you need to go out to find a dealer, it's a hassle and plenty of reasons to give up before you find one. But if it's there, RIGHT IN YOUR POCKET...
Nope it will be the phone.
I've always bought SIM free and this sort of shit is always pre-installed.
We can only hope the time of reckoning has come and that governments* around the world start fining them in the tens of billions, rather than the millions.
*as recently demonstrated, the UK is not worth the tech giants' time. I'm talking about ones that actually scare the organisations, not ones with as much bite as a dead goldfish.