Difference between revisions of "User:KJ7RRV/QMFbrick"
Latest revision as of 09:02, 11 December 2021
Trojan:Linux/QMFbrick (usually called QMFbrick; sometimes simply called "the PinePhone malware" or "the malware") is a family of malware targeting the PinePhone.
Three variants are known:
- QMFbrick.A: bundled with a Snake game in an Arch package
- QMFbrick.B: bundled with wlsunset in an Arch package
- QMFbrick.C: bundled with wlsunset in a Debian package
The trojans have been spread by anonymous download links in the Pine64, DanctNIX, postmarketOS (offtopic) and Mobian chats.
The A variant was tested by Danct12 and is known to use systemd to set a timer to soft-brick the modem and wipe / (the root filesystem) on the first Wednesday after installation at 20:00 local time.
KJ7RRV is currently working on reverse engineering QMFbrick and attempting to write a removal tool, initially focusing on the B variant.
It seems that running "sudo systemctl disable --now shadlow.timer" before 20:00 on a Wednesday (local time) will stop the A variant from doing any damage. This is not guaranteed, however, and it may or may not work with the B and C variants.
It is not known if the malware has any effects if it is disabled before the activation time. Out of an abundance of caution, a phone that has been infected, even if the malware has been disabled, should not be considered trustworthy.
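As an added example (not part of this wiki page and not KJ7RRV's removal tool), the following POSIX shell script takes the output of `systemctl list-timers --all --no-legend`, looks for the shadlow.timer unit named above, and reports when it next fires, so the owner of a phone can see whether the Wednesday 20:00 deadline is still ahead before running the disable command. The sample listing is constructed; the `shadlow.service` unit it activates is an assumption, and the dates are made up.

```shell
#!/bin/sh
# Added example, not from the wiki page. Checks a systemd timer listing for the
# QMFbrick.A timer unit the page names (shadlow.timer) and prints its next
# scheduled run. qmf_check_live runs the same check on a real system.

# Constructed sample listing in the column order systemctl list-timers prints:
# NEXT LEFT LAST PASSED UNIT ACTIVATES. "shadlow.service" is an assumed name.
SAMPLE_TIMERS='Wed 2021-12-15 20:00:00 CET 3 days left n/a n/a shadlow.timer shadlow.service
Thu 2021-12-16 00:00:00 CET 3 days left Wed 2021-12-15 00:00:00 CET 12h ago logrotate.timer logrotate.service'

# qmf_timer_line LISTING UNIT
# Prints the listing line for UNIT (whole-word, literal match) and returns 0;
# returns 1 and prints nothing when the unit is not in the listing.
qmf_timer_line() {
    printf '%s\n' "$1" | grep -F -w -- "$2"
}

# qmf_next_run LISTING UNIT
# Prints the NEXT field ("Wed 2021-12-15 20:00:00 CET") for UNIT,
# "not scheduled" when the timer is present but inactive (NEXT is n/a),
# or "absent" (with exit status 1) when the unit is not listed at all.
qmf_next_run() {
    line=$(qmf_timer_line "$1" "$2") || { echo absent; return 1; }
    # NEXT is the first four whitespace-separated fields: day, date, time, zone.
    printf '%s\n' "$line" | awk '
        $1 == "n/a" || $1 == "-" { print "not scheduled"; next }
        { print $1, $2, $3, $4 }'
}

# qmf_check_live UNIT
# Same check against the running systemd instance. On a machine without
# systemctl it reports that and returns 2 instead of guessing.
qmf_check_live() {
    if ! command -v systemctl >/dev/null 2>&1; then
        echo "systemctl not found; cannot check"
        return 2
    fi
    listing=$(systemctl list-timers --all --no-legend 2>/dev/null)
    qmf_next_run "$listing" "$1"
}

# Stand-alone run: show the result on the constructed sample, and on the real
# system when QMF_LIVE=1 is set in the environment.
if [ "${QMF_LIVE:-0}" = 1 ]; then
    qmf_check_live shadlow.timer
else
    printf 'sample: shadlow.timer next run: %s\n' "$(qmf_next_run "$SAMPLE_TIMERS" shadlow.timer)"
fi
```

If the timer is listed, `systemctl status shadlow.timer` shows whether it is active and `systemctl cat shadlow.timer` shows the unit definition, which is worth keeping a copy of before running the page's `sudo systemctl disable --now shadlow.timer`; the script only reads the listing and never changes any unit state itself.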