Difference between revisions of "User:KJ7RRV/QMFbrick"

From PINE64
Latest revision as of 09:02, 11 December 2021

Trojan:Linux/QMFbrick (usually called QMFbrick; sometimes simply called "the PinePhone malware" or "the malware") is a family of malware targeting the PinePhone.

Three variants are known:

  • QMFbrick.A: bundled with a Snake game in an Arch package
  • QMFbrick.B: bundled with wlsunset in an Arch package
  • QMFbrick.C: bundled with wlsunset in a Debian package

The trojans have been spread by anonymous download links in the Pine64, DanctNIX, postmarketOS (offtopic) and Mobian chats.

The A variant was tested by Danct12 and is known to use systemd to set a timer to soft-brick the modem and wipe / on the first Wednesday after installation at 20:00 local time.

KJ7RRV is currently working on reverse engineering QMFbrick and attempting to write a removal tool, initially focusing on the B variant.

It seems that running "sudo systemctl disable --now shadlow.timer" before 20:00 on a Wednesday (local time) will stop the A variant from doing any damage. This is not guaranteed, however, and it is not known whether it has any effect on the B and C variants.
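As an added triage helper (not code from this page or from the PINE64 project), the script below checks whether the timer named above is present and enabled, either on the live system or on a mounted image copied from a phone, and wraps the disable command. The name shadlow.timer comes from the page; the paired name shadlow.service is an assumption based on systemd's default timer-to-service pairing.

```shell
#!/bin/sh
# Added example, not from the wiki page. Looks for the systemd units the
# A variant is reported to install. "shadlow.timer" is from the page;
# "shadlow.service" is assumed (a timer activates the same-named service
# unless it says otherwise). ROOT is a path prefix: "" for the live
# system, or the mount point of an image taken from an infected phone.

scan_shadlow_units() {
    root="${1:-}"
    found=0
    for dir in "$root/etc/systemd/system" \
               "$root/usr/lib/systemd/system" \
               "$root/lib/systemd/system" \
               "$root/run/systemd/system"; do
        for unit in shadlow.timer shadlow.service; do
            if [ -f "$dir/$unit" ]; then
                echo "FOUND unit file: $dir/$unit"
                found=1
            fi
        done
    done
    # "systemctl enable" records a timer as a symlink in this .wants
    # directory, so a link here means the timer re-arms at next boot.
    link="$root/etc/systemd/system/timers.target.wants/shadlow.timer"
    if [ -L "$link" ]; then
        echo "ENABLED: $link -> $(readlink "$link")"
        found=1
    fi
    # Exit status follows grep: 0 = indicators found, 1 = none found.
    [ "$found" -eq 1 ]
}

# Live system only: the command the page suggests. It stops the timer
# and removes the enablement link but leaves the unit files in place,
# so a second scan still reports them and they remain available for analysis.
disable_shadlow_timer() {
    command -v systemctl >/dev/null || { echo "systemctl not found"; return 2; }
    systemctl disable --now shadlow.timer
}

# Usage (as root on a phone):  . ./shadlow-check.sh && scan_shadlow_units ""
# Usage (on a mounted image):  scan_shadlow_units /mnt/pinephone-root
```

A hit only shows that this particular persistence mechanism is present; a clean result does not clear the phone, for the reasons given in the next paragraph.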

It is not known if the malware has any effects if it is disabled before the activation time. Out of an abundance of caution, a phone that has been infected, even if the malware has been disabled, should not be considered trustworthy.