Malware infection or not on phone

Raven

New Around Here
Hello

My Samsung A52-5G wanted to contact "customer.thewayofmoney.us" but the AiProtection of my router (RT-AX86U, Merlin firmware 3004_388.9_2) prevented that (hurray).
Now I read that this is a C&C server and is blacklisted because this server spreads malware (malware aliases: FakeUpdate, GhoLoader, SocGholish) and the confidence level is high (100%).

My question is whether my phone is infected with malware or the router (AiProtection) prevented this?
Sophos Intercept X reports that there is no malware on the phone: threats and PUAs 0, low-reputation apps 0.

Greetings Raven
 
I’d be thinking you’re ok. :)
 
If you didn't type in the mentioned domain yourself, something else must have wanted to contact it.

Doesn't that then mean that your phone is already infected?

(But just couldn't get (new?) instructions from the C&C server because your router blocked that request)
 
Yes, it's the phone that's infected and AiProtection has successfully prevented the malware from "phoning home".
Just need to establish which app is doing this. Since this has only come up now, it has to be an app that's been installed recently, or it's been installed by one of those many popular free game apps.
Look at your apps listed by install date. It still may not even show there, as it could be disguised as a game addon/upgrade/expansion.
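One way to do the "apps by install date" check the post above suggests without trusting the phone's own UI is to pull a package dump over adb and rank it by first-install time. The script below is an added example, not something from this thread or from Samsung/Sophos; it assumes the `Package [name]`, `firstInstallTime=` and `installerPackageName=` line layout of `dumpsys package` shown in the comments, and the dump it ships with (package names, timestamps, hashes) is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): list the newest third-party installs on an
# Android phone from a `dumpsys package` dump captured over adb, so the recently
# installed apps the post above says to check surface first.
# Capture on a real device (USB debugging on):  adb shell dumpsys package > pkgdump.txt
# Assumed dump layout, constructed below for the example (real dumps carry many more
# fields, but these three lines are the ones the parser relies on):
#   Package [com.example.app] (1a2b3c):
#     firstInstallTime=2024-03-09 21:14:05
#     installerPackageName=com.android.vending

# recent_installs DUMPFILE [N]
# Prints "<firstInstallTime> <package> <installer>" for the N newest packages
# (default 5), newest first. A sideloaded app shows installerPackageName=null,
# which is itself worth a second look.
recent_installs() {
    dump="$1"
    n="${2:-5}"
    awk '
        /^  Package \[/ {
            if (pkg != "") print ts, pkg, inst      # flush the previous package
            pkg = $2; gsub(/\[|\]/, "", pkg)        # strip the brackets from [name]
            ts = "?"; inst = "?"
        }
        /^    firstInstallTime=/     { sub(/^ *firstInstallTime=/, "");     ts = $0 }
        /^    installerPackageName=/ { sub(/^ *installerPackageName=/, ""); inst = $0 }
        END { if (pkg != "") print ts, pkg, inst }
    ' "$dump" | sort -r | head -n "$n"
}

# Constructed sample dump for a stand-alone run: three packages, out of date order,
# one of them sideloaded (installer null) the day before the blocked C2 lookup.
make_sample_dump() {
    cat > "$1" <<'EOF'
Packages:
  Package [com.android.chrome] (3f1a2b):
    userId=10120
    firstInstallTime=2023-11-02 08:10:44
    lastUpdateTime=2024-03-01 12:00:00
    installerPackageName=com.android.vending
  Package [com.example.freegame] (9c8d7e):
    userId=10177
    firstInstallTime=2024-03-09 21:14:05
    lastUpdateTime=2024-03-09 21:14:05
    installerPackageName=null
  Package [com.sophos.smsec] (55aa66):
    userId=10150
    firstInstallTime=2024-01-15 17:45:12
    lastUpdateTime=2024-02-20 09:30:00
    installerPackageName=com.android.vending
EOF
}

# Usage: sh recent_installs.sh pkgdump.txt [N]; with no arguments it runs on the sample.
if [ "$#" -ge 1 ]; then
    recent_installs "$1" "${2:-5}"
else
    sample=$(mktemp)
    make_sample_dump "$sample"
    recent_installs "$sample" 3
    rm -f "$sample"
fi
```

On a real dump, compare the newest entries against the date the router first logged the block; an install a day or two earlier, especially one with `installerPackageName=null` (sideloaded rather than from the Play Store), is the first candidate to uninstall or inspect.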
 
What does your Samsung's own security app have to say about this?

*edit* revisiting this as this site is classified by Trend as Dangerous (phishing)

Various scans with Samsung security and third-party scans like Sophos Intercept X and Malwarebytes indicate that all apps are safe. There are no new notifications, but I have blacklisted the URL on the Pihole and see no attempts to contact the URL there either.
 

Can you do a hard reboot of Samsung?
 
It may mean that your phone did not have a good cell connection and when the app phoned home over Wi-Fi, your local gear caught it. I would wipe the phone back to factory and start over. Your cell provider may be able to help. Do not allow apps/data to be restored automatically. Bring back only the basics: contacts, photos, etc. If you are doing any banking from the phone, those login credentials may already be compromised since you don't know for sure when the malware became active. Most of these are credential-stealing malware. I would change any passwords, etc. on those accounts if you use the phone that way.
 
Yes, I did that, and then?
You could also either monitor Pi-hole for further activity, or (my personal preference) remove the block in Pi-hole and see if AiProtection blocks it again.
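For the "monitor Pi-hole" option in the reply above, grepping the query log for the domain is the quickest way to see which device asked for it and how often, which is also how you tell a one-off drive-by beacon from a periodic check-in. The script below is an added example, not code from the thread or from the Pi-hole project; it assumes the dnsmasq-style `query[TYPE] name from client` lines Pi-hole writes to its query log (`/var/log/pihole/pihole.log` on recent installs), and the log lines, client address 192.168.1.50 and timestamps it contains are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): scan a dnsmasq-style Pi-hole query log
# for lookups of a suspect domain and report which LAN client made them and when.
# Assumed line format (the dnsmasq "log-queries" format Pi-hole uses):
#   Mar 10 14:22:01 dnsmasq[1234]: query[A] customer.thewayofmoney.us from 192.168.1.50
# Fields by position: $1-$3 timestamp, $5 "query[TYPE]", $6 name, $8 client.

# find_beacons LOGFILE DOMAIN
# Prints one line per client: "<client> <count> <first timestamp> <last timestamp>".
# Matches the domain itself and its subdomains only, so "thewayofmoney.us.example.net"
# style lookalikes and substring hits are not counted.
find_beacons() {
    logfile="$1"
    domain="$2"
    awk -v dom="$domain" '
        $5 ~ /^query\[/ {
            name = $6
            hit = (name == dom)
            if (!hit && length(name) > length(dom))
                hit = (substr(name, length(name) - length(dom)) == "." dom)
            if (!hit) next
            client = $8
            ts = $1 " " $2 " " $3
            if (!(client in count)) first[client] = ts
            count[client]++
            last[client] = ts
        }
        END { for (c in count) print c, count[c], first[c], last[c] }
    ' "$logfile" | sort
}

# Constructed sample log for a stand-alone run: one phone (192.168.1.50) looks the
# C2 name up three times, roughly every 30 minutes, which is a check-in pattern;
# the other client only resolves an unrelated name that merely contains the string.
make_sample_log() {
    cat > "$1" <<'EOF'
Mar 10 14:22:01 dnsmasq[1234]: query[A] www.snbforums.com from 192.168.1.20
Mar 10 14:22:01 dnsmasq[1234]: forwarded www.snbforums.com to 1.1.1.1
Mar 10 14:22:09 dnsmasq[1234]: query[A] customer.thewayofmoney.us from 192.168.1.50
Mar 10 14:22:09 dnsmasq[1234]: gravity blocked customer.thewayofmoney.us is 0.0.0.0
Mar 10 14:52:10 dnsmasq[1234]: query[AAAA] customer.thewayofmoney.us from 192.168.1.50
Mar 10 15:01:33 dnsmasq[1234]: query[A] cdn.thewayofmoney.us.example.net from 192.168.1.20
Mar 10 15:22:11 dnsmasq[1234]: query[A] customer.thewayofmoney.us from 192.168.1.50
EOF
}

# Usage: sh find_beacons.sh /var/log/pihole/pihole.log customer.thewayofmoney.us
# With no arguments it runs against the constructed sample log.
if [ "$#" -eq 2 ]; then
    find_beacons "$1" "$2"
else
    sample=$(mktemp)
    make_sample_log "$sample"
    find_beacons "$sample" customer.thewayofmoney.us
    rm -f "$sample"
fi
```

The count and the spacing between the first and last timestamps are the useful part: a single lookup right after a page load fits the drive-by explanation given later in the thread, while repeated lookups at a steady interval from one client, with the phone idle, point at an installed app beaconing. Run it against the log both before and after the factory reset to see whether the pattern survives.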
 
You don't necessarily have malware on your phone. This could have happened during a normal browsing session. A page you visited could have been injected with hidden JavaScript that automatically beaconed out in the background. You never had to click anything. Or possibly a seemingly normal ad slot on the site loaded third-party code that executed a silent redirect or script include.
The source site can appear clean if you revisit later; payload windows are often brief to evade detection. The trigger may have been an embedded resource (image, script, iframe) pulled into the page from a hostile domain without your knowledge. So I wouldn't worry too much about it unless you keep seeing it happening. At that point I would do a wipe on the phone.
 
I've factory reset my phone and manually installed the non-system apps.
I've disabled the "customer.thewayofmoney.us" block on the Pi-hole.
I'm waiting to see if AiProtection on the router activates prevention and blocking again.
Thanks everyone for your help with the problem.

Kind regards,
Raven.
 