A beginner's fear of Android malware

This could be a stupid question and I am most likely overreacting, but as it worries me and people say "there are no stupid questions", here we go.
I am worried about a possible infection concerning an Android device.
I used this Samsung Galaxy A52s, last March I switched to a newer model and it has been idling since that.
I noticed that there was a suspicious file, it also transferred to my new phone when I cloned it after the purchase. But the file was never run on the newer phone - simply deleted.
It aroused my suspicion because: A local bank has this phone number, let's pretend it is +3584011112222. Every time I pay a bill, they send me a confirmation message there. Unfortunately some scammers also spoof the number and send malicious messages there, then they all show on the same message chain and one has to be very careful which is which.
OK, the aforementioned file looked like a voice message, and it had the bank's number on the file name as well.
It was something like: message_3584011112222., the file extension started with an A. Can't remember if it was AMR or something else.
So, I simply deleted it from my new phone, but then I did something stupid. I opened that old Galaxy A52s that has not been used since March and it hasn't got any security etc. updates in a year or so. I ran the file and it was "empty". Just some sound of someone moving furniture or something, that lasted like 10 seconds.
Then I became paranoid. Why the heck did I do that? Why did I run the suspicious file on my old phone.
I ran a factory reset on the old phone. I also factory reset my 4G modem, I can't remember if it was connected to that phone at the time or not.
My 4G modem is Huawei 535 with the latest 2.1.0.1 or something firmware. (no new one has been released in a couple of years but according to F-Secure router checker it should be ok).
Now I just can't get it off my mind.
- The file name, it had that phone number in it. And my bank never sends voice messages.
- I suppose it was a malicious file, and can my old phone still be infected by it.
- If it was indeed malicious, can it also infect the 4G modem/router. (what are the odds).
- How likely it is that it ran some rootkit that survives factory reset.
- Or the same with the router, that it survives resetting that.
- I also cloned my new phone to my old after the factory reset using Samsung Smart Switch, I was going to use it as a spare phone. What are the odds that something transferred back from that to the new phone. Even after resetting the old.
I can't see anything visible wrong in the modem/router settings, I put all the settings as they should be after the reset.
What is your expert opinion, should I be worried that it was some extremely sophisticated trojan/rootkit and it may still cause issues, like jump from one device to another over the wifi, or should I just forget the whole thing and trust that it is gone after resetting the phone and the modem/router.
I have always been so careful with everything, I can't understand what was I thinking when I ran the damn file on that older phone, but I'm sure I will never repeat that with any device.
I have F-Secure installed on my new phone, it has not reported anything, but I don't know if it can find sophisticated rootkits etc.
I know this may sound ridiculous and overreacting, but hey… I'm not an expert and it worries me.
Should I just forget about it?
Accepted Answers
-
"AI aided or assisted" means that a comment I made was AI-assisted and organised, but it has to be approved by community moderators in order to get it published (community rule?). The English forum's moderators and admins have been very inactive lately.
Sorry about that, but the conclusion was that you should not worry about your security.
-
"I completely understand why this has been bothering you – it’s natural to feel that way if you think you might have allowed something suspicious onto your device. Let’s go through it step by step:
1. The file (AMR or another audio file)
- If it really was just an audio file (as you said, it only played some furniture-moving sounds), then its potential for harm is extremely limited. Audio files by themselves cannot install programs – they can only be opened by a media player to play the sound.
- In theory, media players can contain vulnerabilities, but exploiting them requires very specific, targeted, and technically advanced attacks. The chances of such an attack being aimed at you are essentially zero.
2. The old phone
- You did a factory reset → that wipes all user-installed apps, data, and settings.
- Normal Android devices don’t keep malware “through a reset” unless the phone was rooted and infected with a very deep, kernel-level implant. In an everyday situation, that’s highly unlikely.
3. The router (Huawei B535)
- Hacking a home 4G router through a random suspicious file is practically impossible. For that to happen, malware would have to first compromise your phone and then exploit special vulnerabilities in the router.
- You also reset the router, which clears any possible malicious changes to settings.
- That means your router is clean.
4. Cloning the new and old phones
- When you used Smart Switch after the factory reset, you did not transfer the suspicious file back – it was already deleted. So nothing bad was copied to your new phone.
- If there really had been something malicious, F-Secure most likely would have flagged it.
5. Fear of a rootkit
- A rootkit that survives a factory reset on Android is extremely rare and usually something only nation-state actors deploy. They are not spread through random SMS spam or audio files.
Conclusion:
- The chance that you got infected from this file → essentially zero.
- The factory resets on both your phone and router eliminated any risk.
- Your new phone with F-Secure installed is safe.
- This is more about peace of mind than a real technical threat – there is no reason to think a hidden rootkit could jump between devices."
Android Security Check-List
1. Updates & Security
- Always keep your phone’s system and apps updated (security patches fix known exploits).
- If a device no longer receives updates, use it only as a secondary/spare device.
2. Apps & Files
- Only install apps from Google Play Store (or Samsung Galaxy Store). Avoid APKs from unknown websites.
- Don’t open unknown attachments or links in SMS, email, or messaging apps.
- Audio, video, or PDF files can look harmless — if they come from suspicious sources, just delete them.
3. Banking & Sensitive Tasks
- Always check that banking apps come from the official developer in Play Store.
- Be cautious with SMS messages claiming to be from banks, especially if they contain links. (Real banks rarely send links.)
4. Backups & Resetting
- Keep important data backed up (Google Drive, Samsung Cloud, or another secure service).
- If you ever suspect infection:
- Backup your personal files (photos, contacts).
- Perform a factory reset.
- Restore only from official sources (Google/Samsung cloud), not from suspicious files.
5. Router / Home Network
- Keep router firmware updated (check once in a while).
- Change the default admin password if you haven’t already.
- A simple reset usually clears any misconfiguration.
6. Security Software
- Keep F-Secure (or another trusted security app) active.
- Don’t install multiple antivirus apps at the same time (they can conflict).
7. Mindset
- Remember: most malware spreads through human mistakes (installing fake apps, clicking links), not through random media files.
- If you’re careful, your risk is extremely low.
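The "was it really just an audio file" question from point 1 can be checked without playing the file. The following is an added example, not part of the original thread: it verifies the AMR narrowband magic header, walks the 20 ms frames of the RFC 4867 storage format, and reports the play time plus any bytes that are not valid audio frames. The three sample inputs are constructed for illustration.

```python
"""Triage a file that claims to be an .amr voice clip (added example)."""

AMR_NB_MAGIC = b"#!AMR\n"  # AMR-WB uses b"#!AMR-WB\n" and is not handled here

# Payload bytes that follow the 1-byte frame header, keyed by frame type (FT),
# per the AMR-NB storage format in RFC 4867 (FT 8 = comfort noise, 15 = no data).
FRAME_PAYLOAD = {0: 12, 1: 13, 2: 15, 3: 17, 4: 19, 5: 20, 6: 26, 7: 31,
                 8: 5, 15: 0}
FRAME_MS = 20  # every AMR frame carries 20 ms of audio


def triage_amr(data: bytes) -> dict:
    """Describe what the bytes really contain, ignoring the file name."""
    if not data.startswith(AMR_NB_MAGIC):
        return {"is_amr_nb": False, "frames": 0, "seconds": 0.0,
                "unparsed_bytes": len(data)}
    pos, frames = len(AMR_NB_MAGIC), 0
    while pos < len(data):
        frame_type = (data[pos] >> 3) & 0x0F  # header byte: P FT(4 bits) Q P P
        payload = FRAME_PAYLOAD.get(frame_type)
        # Stop at a reserved frame type or a frame that runs past end of file.
        if payload is None or pos + 1 + payload > len(data):
            break
        pos += 1 + payload
        frames += 1
    return {"is_amr_nb": True, "frames": frames,
            "seconds": frames * FRAME_MS / 1000,
            "unparsed_bytes": len(data) - pos}


# Constructed samples (not taken from any real file):
CLEAN = AMR_NB_MAGIC + (b"\x3c" + bytes(31)) * 500   # 500 frames = 10 s of audio
PADDED = CLEAN + b"PK\x03\x04" + bytes(20)           # audio with 24 extra bytes appended
MISNAMED = b"\x7fELF" + bytes(60)                    # not audio, only named like it

if __name__ == "__main__":
    for name, blob in [("clean", CLEAN), ("padded", PADDED), ("misnamed", MISNAMED)]:
        print(name, triage_amr(blob))
```

A result with `is_amr_nb` false or a non-zero `unparsed_bytes` only says the file is not plain narrowband AMR audio; it does not by itself say the file is malicious.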
Answers
-
-
Thank you for your reply. I think I can sleep a bit better now, and not be so worried about this any more.
Learned my lesson, leave files like these alone in the future, delete them immediately.
One thing still bothers me a bit. I read incoming SMS-messages etc. carefully, I don't understand how a file like that could have come through as an attachment, without me noticing it then, so how did it come to my phone and why did it have that phone number as a file name.
It is too bad that original message chain was deleted long ago, so I can't look at it.
I understand that it may have been an attempt to get my attention and make me go to some web site and install something bad. But I never got any links etc. So, why would anybody actually send me a file like that, for what purpose.
I guess I'll never know.
-
Hello,
Based on your story: there is not much evidence that anything has caused serious harm to your devices, nor that you have been heavily targeted by attackers. As well as the actions you have taken to correct the situation, they look reasonable and without any particular flaws. Such as.. quite sufficient or even excessive.
But I will say right away that I have quite a bit of experience with mobile devices (Android in particular). In the context that I almost never use them as it is supposed (probably) to be done today. So, I use mainly cell phones for calls and SMS. And Android-based or Windows Phone devices are more like computers and mostly offline (and often without being tied to cellular networks). Therefore, many things are unknown to me or I simply don’t know how it could be there.
"One thing still bothers me a bit. I read incoming SMS-messages etc. carefully, I don't understand how a file like that could have come through as an attachment, without me noticing it then, so how did it come to my phone and why did it have that phone number as a file name."
Since you mentioned that the scammers tried to spoof a valid phone number, and the "owner" of this number does not leave voice messages, it is possible that what was "left" by the scammers, either intentionally or accidentally, ended up in spam or quarantine automatically.
Also, some default settings/choices may replace 'original' SMS/MMS design to, so called, RCS. Which I suppose will work like a built-in 'messenger'-type; where RCS chats would have voice messages as an attachment, for example (?!).
For instance, even on my rather old device, I manually turned off the RCS option in the Google Messages app (I mean the option is even there). And if I look in spam and blocked, there are dozens of voice messages left from all sorts of 'callers' whose calls I don’t even remember. I don't know how they are stored. If they are stored at all for export or something like back-up or transfer.
"So, why would anybody actually send me a file like that, for what purpose."
It is quite possible (given the discussions above in other comments) that this was an auto-call from a "scammer" or even a bank for advertising or promotion, the phone was not picked up and the call was forwarded to voicemail, where some "household" noise was recorded. Which can be explained by anything (I mean the nature of 'sound').
Since you suspected it to be ".amr" voicemail and after opening/launching it - you heard the content - so - it was likely such innocent 'stuff'. Another possibility is that this file is a "random" audio recording / audio note that you accidentally created during some "communication" with your local bank or in some connection. Since it is not entirely clear where exactly you found this suspicious file.
If scammers tried to make something (which would not describe the whole scheme or explain anything, though), maybe their idea would be to provoke sending some important information to your voicemail phone number. For example, if they had the ability to "check" your voice messages by spoofing your phone number and there if lacking of protection over it with your carrier. Then it would be beneficial for them if the "important" call from the bank would be missed (which in itself would be a form of login confirmation type of verification or something; which is not, basically, expected to be answered). But since I have not encountered such forms of verification, and also since it is so easy to invent any fantasy from any set-up, it is better not to think about this topic too much. Nevertheless, it is worth remembering and taking into account - that if all this looked suspicious, then there were reasons for that and it is better now to draw the right conclusions for future actions.
"I think I can sleep a bit better now, and not be so worried about this any more."
Without disturbing your peace (because be calm), but simply to be even more attentive in the future..
.. what worries me (as the owner of a number of very old devices) is that it seems to me that devices like Android are sometimes subject to completely lethal consequences even without the user's knowledge or when doing the simplest things.
And I'm not talking about the well-known "commercial" spyware stuff, which can generally be reworked or reconfigured by any attacker (simply using ready-made techniques). But about all sorts of such unpleasant vulnerabilities and vectors as the old stories with just receiving MMS (Stagefright (bug)). Which could very well be trying to be "automatically" exploited by scammers by randomly sending it to people in the hope that they are using old devices and, let's say, trying to process it using vulnerable components.
There were also some relatively recent problems with ALAC format for most devices, but I don't remember it being widely covered. And your devices were most likely updated later than that (I mean, patched). So returning to the original summary - the actions taken to eliminate the consequences were good and there is a fairly close to zero presence of problems.
Thanks and sorry for the discussion.
-
Thank you for your reply.
Although I'm not as worried about this as I was before, it still bothers me that:
-
-
" auto-call from a "scammer" or even a bank for advertising or promotion"
My bank never does that. They have a strict policy. They only send confirmations when I pay a bill etc., nothing else.
Also, it can't have had anything to do with my voice mail service or someone leaving a voice message when I'm not available, because I have never used such services. Not once, ever. I have no answering service, voice mail, anything.
-
-
"Another possibility is that this file is a "random" audio recording / audio note that you accidentally created during some "communication" with your local bank or in some connection. Since it is not entirely clear where exactly you found this suspicious file."
I haven't been in contact with them like that, ever. I only communicate with them through my banking app. Send them messages and they reply to my inbox, never voice messages, only text.
Also I never have used / installed that Google messaging service.
-
-
So it is still a mystery how did that file end up there, but as you said, Android may store them some way that isn't so obvious to the user.
Also it still bothers me that the file was also on my new phone, most likely transferred there when I initially started using it and took everything from the other one with Smart Switch, (later I did it vice versa as I mentioned).
But, as I never ran that on my new phone, it was just sitting there until I deleted it, I suppose it is OK.
It also sometimes bothers me whether Android is safe enough for banking etc. But hundreds of millions of people use it for that. What I did some time ago was that I purchased a new Android tablet, and I do my banking with that. I installed the official bank application, I never do anything else with that tablet. I don't go to web sites (except for two - where I handle my health etc. issues), I don't download anything to it. And I have F-Secure installed.
So I guess it is safe to use it that way, unless my router gets compromised, and like mentioned above, it isn't very likely.
I suppose I just have to stop thinking about it too much and leave it as a mystery, guess I'll never know what that was, where it came from and what was the purpose of it. But it doesn't seem like it did any harm and those two devices are reset.
-
Forgot to mention, what worried me also was this when I read from somewhere:
- You have a codec installed to decode videos or audio. One of the things the codec is used for is thumbnail images your system makes for the files. If a malicious video or audio file exists that exploits that codec, then merely having the file may result in the exploit.
But I suppose that is just… reaching. And it was enough that I simply deleted it from my new phone. Also that phone runs F-Secure. I would hate to have to wipe that new phone clean as well, and put everything back. I hope it was enough that I never ran it and just deleted it from the folder.