Hi everyone,
I think my Android phone has been compromised by a rogue app or a banking trojan, and I need help identifying the source (through logs?).
The Incident:
I opened a multi-purpose app (TataNeu), and the following happened automatically:
The camera torch flashed briefly.
The app navigated itself to a sensitive bank-related page (View Card Details).
A bank OTP arrived via SMS immediately after.
This was not a mistouch; the navigation steps required to reach that page are complex.
I immediately exited the app, disabled all Accessibility Services, and revoked System Access for all installed apps.
Suspected Culprits:
MacroDroid: I enabled Accessibility settings for it today. I also installed its connectivity add-on (official site) for Bluetooth automation.
Activity Launcher: Installed 2 days ago.
Llama Automate + Legacy Add-on: Uninstalled yesterday, but I’m worried about persistent background processes.
Warp Share: This was sideloaded from the internet and uninstalled yesterday.
My Questions:
Is there a specific way to check Android Logs or a Bug Report to see which package triggered the flashlight and the UI interaction at that specific timestamp?
Can a sideloaded app leave a "stub" or payload behind even after being uninstalled?
Are there specific "Device Admin" or "Hidden Services" I should look for that standard App Managers might miss?
What is the best way to clean and safeguard the device?
The phone is a brand-new OnePlus device. Formatting is an option, but data backup may be an issue.