mvt-indicators

port 9999 android

Open renozion opened this issue 11 months ago • 0 comments

I've detected some strange activity on my phone lately and have been trying to figure it out for a long time. I just think that maybe by posting here you guys could help me out. My phone is receiving a tp-link-smarthome request and sending it to port 9999. It keeps on changing the source port, but the destination remains the same, just like a backdoor.

```
Frame 5992: 189 bytes on wire (1512 bits), 189 bytes captured (1512 bits) on interface wlan0, id 0
    Section number: 1
    Interface id: 0 (wlan0)
        Interface name: wlan0
    Encapsulation type: Ethernet (1)
    Arrival Time: Mar 8, 2024 22:39:14.482624444 -03
    UTC Arrival Time: Mar 9, 2024 01:39:14.482624444 UTC
    Epoch Arrival Time: 1709948354.482624444
    [Time shift for this packet: 0.000000000 seconds]
    [Time delta from previous captured frame: 0.002034568 seconds]
    [Time delta from previous displayed frame: 120.006425176 seconds]
    [Time since reference or first frame: 723.581862141 seconds]
    Frame Number: 5992
    Frame Length: 189 bytes (1512 bits)
    Capture Length: 189 bytes (1512 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:udp:tplink-smarthome:json]
    [Coloring Rule Name: UDP]
    [Coloring Rule String: udp]
Ethernet II, Src: MYPHONEMAC Dst: Broadcast (ff:ff:ff:ff:ff:ff)
    Destination: Broadcast (ff:ff:ff:ff:ff:ff)
        Address: Broadcast (ff:ff:ff:ff:ff:ff)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        .... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
    Source: MYPHONEMAC
        Address: MYPHONEMAC
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: MYPHONEIP Dst: 255.255.255.255
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 175
    Identification: 0xb391 (45969)
    010. .... = Flags: 0x2, Don't fragment
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    ...0 0000 0000 0000 = Fragment Offset: 0
    Time to Live: 64
    Protocol: UDP (17)
    Header Checksum: 0xc5d3 [validation disabled]
    [Header checksum status: Unverified]
    Source Address: MYPHONEIP
    Destination Address: 255.255.255.255
User Datagram Protocol, Src Port: 38624, Dst Port: 9999
    Source Port: 38624
    Destination Port: 9999
    Length: 155
    Checksum: 0x244e [unverified]
    [Checksum Status: Unverified]
    [Stream index: 249]
    [Timestamps]
        [Time since first frame: 120.006425176 seconds]
        [Time since previous frame: 120.006425176 seconds]
    UDP payload (147 bytes)
TP-Link Smart Home Protocol
    Cmd: {"system":{"get_sysinfo":{}},"cnCloud":{"get_info":{}},"smartlife.iot.common.cloud":{"get_info":{}},"smartlife.cam.ipcamera.cloud":{"get_info":{}}}
JavaScript Object Notation
    Object
        Member: system
            Object
                Member: get_sysinfo
                    Object
                    Key: get_sysinfo
                    [Path: /system/get_sysinfo]
            Key: system
            [Path: /system]
        Member: cnCloud
            Object
                Member: get_info
                    Object
                    Key: get_info
                    [Path: /cnCloud/get_info]
            Key: cnCloud
            [Path: /cnCloud]
        Member: smartlife.iot.common.cloud
            Object
                Member: get_info
                    Object
                    Key: get_info
                    [Path: /smartlife.iot.common.cloud/get_info]
            Key: smartlife.iot.common.cloud
            [Path: /smartlife.iot.common.cloud]
        Member: smartlife.cam.ipcamera.cloud
            Object
                Member: get_info
                    Object
                    Key: get_info
                    [Path: /smartlife.cam.ipcamera.cloud/get_info]
            Key: smartlife.cam.ipcamera.cloud
            [Path: /smartlife.cam.ipcamera.cloud]
```

After this I went on a quest to figure out the destination port and found a "nobody" service listed as port 9999. No matter what I do, trying to block UDP traffic, trying to block this service, no matter what, it keeps coming back with a different source port.

Any hints on this?

(attached screenshot: Screenshot_20240308_221318_NetGuard)

renozion, Mar 09 '24 01:03
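The capture above is a UDP datagram from the phone to the broadcast address 255.255.255.255 on port 9999 that Wireshark dissects as TP-Link Smart Home Protocol carrying only read-only queries (`get_sysinfo`, `get_info`). The following triage helper is an added example, not code from the issue or from the mvt-indicators project: it decodes such a datagram and says whether it looks like a broadcast discovery probe or a targeted command. It assumes the publicly documented obfuscation of this protocol, an XOR autokey stream with initial key 171 and no length prefix on UDP (neither is stated in the post); the sample payload is constructed here by encoding the exact Cmd JSON from the capture.

```python
import json
from typing import Any, Dict

# Assumption (not in the post): TP-Link Smart Home payloads are obfuscated with an
# XOR autokey stream starting at key 171; UDP datagrams carry no length header.
INITIAL_KEY = 171

def tplink_encrypt(plaintext: bytes) -> bytes:
    key, out = INITIAL_KEY, bytearray()
    for b in plaintext:
        key = b ^ key          # each ciphertext byte becomes the next key
        out.append(key)
    return bytes(out)

def tplink_decrypt(ciphertext: bytes) -> bytes:
    key, out = INITIAL_KEY, bytearray()
    for b in ciphertext:
        out.append(b ^ key)
        key = b                # previous ciphertext byte is the next key
    return bytes(out)

# Methods that only read device state; these are the ones seen in the capture.
READ_ONLY_METHODS = {"get_sysinfo", "get_info"}

def classify_udp_9999(dst_ip: str, dst_port: int, payload: bytes) -> Dict[str, Any]:
    """Triage one UDP datagram: discovery broadcast, unicast query, command, or noise."""
    if dst_port != 9999:
        return {"verdict": "not-tplink-port"}
    try:
        cmd = json.loads(tplink_decrypt(payload))
    except (UnicodeDecodeError, json.JSONDecodeError):
        return {"verdict": "undecodable"}
    if not isinstance(cmd, dict):
        return {"verdict": "undecodable"}
    methods = {m for mod in cmd.values() if isinstance(mod, dict) for m in mod}
    read_only = methods <= READ_ONLY_METHODS
    broadcast = dst_ip == "255.255.255.255" or dst_ip.endswith(".255")
    if not read_only:
        verdict = "command"            # writes device state; worth a closer look
    elif broadcast:
        verdict = "discovery-broadcast"  # app asking the LAN "who is out there?"
    else:
        verdict = "unicast-query"
    return {"verdict": verdict, "modules": sorted(cmd), "methods": sorted(methods)}

# Constructed sample: the Cmd JSON shown in the capture, encoded as it travels on the wire.
SAMPLE_CMD = ('{"system":{"get_sysinfo":{}},"cnCloud":{"get_info":{}},'
              '"smartlife.iot.common.cloud":{"get_info":{}},'
              '"smartlife.cam.ipcamera.cloud":{"get_info":{}}}')
SAMPLE_PAYLOAD = tplink_encrypt(SAMPLE_CMD.encode())

if __name__ == "__main__":
    print(classify_udp_9999("255.255.255.255", 9999, SAMPLE_PAYLOAD))
```

The encoded sample is 147 bytes, matching the "UDP payload (147 bytes)" in the capture, which is consistent with there being no length prefix on UDP.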