I have a Galaxy Note (N7000) device running stock Android 4.1.2. I was browsing the internal storage and noticed a directory named ".MySecurityData", which contains one single directory "dont_remove", which contains multiple directories whose names consist of hexadecimal characters of length 32 (presumably MD5 hashes). All those 3rd level directories contain three directories - ".image", ".thumb", and ".video". A search through the find command reveals that all the directories are empty, containing no files.
The fact that the parent directory is hidden, the directories have suspicious and obfuscated names, and a web search returns no results for ".MySecurityData" has raised concerns of some malicious activity.
Can anyone identify the application that may have created these directories? I'm a paranoid person and usually shy away from installing apps, and double check the ones that I'm installing.
There is also a SQLite3 file inside "dont_remove" (name is again in hexadecimal characters of length 15). A SQLite3 .dump on this file results in the following:
PRAGMA foreign_keys=OFF;
BEGIN TRANSACTION;
CREATE TABLE android_metadata (locale TEXT);
INSERT INTO "android_metadata" VALUES('en_GB');
CREATE TABLE medias (_id INTEGER PRIMARY KEY,album TEXT, from_path TEXT, dest_path TEXT,thumb_path TEXT,file_name TEXT,file_type TEXT,file_ext TEXT,timestamp LONG,rotation INTEGER DEFAULT 0);
COMMIT
On a grep through the dumpstate logs in /data/log, I noticed that the SQLite3 file was being accessed by com.domobile.applock. I've emailed the developer asking for more information.
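
An added example, not part of the original post: a Python sketch of the same triage run against a copy of "dont_remove" pulled to a workstation. It counts the files under each 32-hex directory and opens any SQLite file read-only to list its tables and row counts. The function names triage and build_sample, and the directory and database names in the sample, are constructed for illustration; only the layout and schema come from the post.

```python
import os, re, sqlite3, tempfile
from pathlib import Path

HEX32 = re.compile(r"[0-9a-fA-F]{32}")
SQLITE_MAGIC = b"SQLite format 3\x00"   # first 16 bytes of every SQLite 3 file

def triage(root):
    """Summarise a pulled copy of dont_remove: files per hashed dir, rows per table."""
    report = {"hashed_dirs": {}, "databases": {}}
    for entry in sorted(os.listdir(root)):
        path = os.path.join(root, entry)
        if os.path.isdir(path) and HEX32.fullmatch(entry):
            # Count regular files anywhere below .image/.thumb/.video
            report["hashed_dirs"][entry] = sum(len(f) for _, _, f in os.walk(path))
        elif os.path.isfile(path):
            with open(path, "rb") as fh:
                if fh.read(16) != SQLITE_MAGIC:
                    continue
            # Read-only URI so the copy under examination is never modified
            con = sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)
            try:
                names = [r[0] for r in con.execute(
                    "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
                report["databases"][entry] = {
                    n: con.execute(f'SELECT COUNT(*) FROM "{n}"').fetchone()[0] for n in names}
            finally:
                con.close()
    return report

def build_sample(root):
    """Constructed sample: the layout and schema from the post, with made-up names."""
    hashed, db = "0123456789abcdef0123456789abcdef", "0123456789abcde"
    for sub in (".image", ".thumb", ".video"):
        os.makedirs(os.path.join(root, hashed, sub))
    con = sqlite3.connect(os.path.join(root, db))
    con.executescript("""
        CREATE TABLE android_metadata (locale TEXT);
        INSERT INTO android_metadata VALUES('en_GB');
        CREATE TABLE medias (_id INTEGER PRIMARY KEY, album TEXT, from_path TEXT,
            dest_path TEXT, thumb_path TEXT, file_name TEXT, file_type TEXT,
            file_ext TEXT, timestamp LONG, rotation INTEGER DEFAULT 0);
    """)
    con.close()
    return hashed, db

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(triage(tmp))
```

A file count of 0 for every hashed directory together with 0 rows in medias means the store currently tracks no media, which matches the empty directories described in the post.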