>Triada gives them an immutable attribute, which prevents deleting, even by superusers. (Interestingly, the attribute can be deleted using the chattr command.)
If it's contacting the server after infecting, why is it hard to track the owner of the DNS address or the IP owner, since running a server is impossible without leaving a trail to a real-world ID?
It's a terrible design to make a "factory reset" that leaves an entire partition completely intact, and to compound the problem by attempting to paper it over with regressive DRM. The obvious good design is to simply rewrite the entire flash image over USB, but apparently that was just too straightforward for Android.
The especially frustrating thing about bespoke special/hidden state is that it doesn't straight up fail hard enough to get scrapped, but rather causes ongoing pain for the lifetime of the implementation. Every additional bit of unnecessary complexity is another layer of knowledge and "tricks" that someone needs to know to competently maintain a device.
Leaving the partition during a reset is fine if you hash all the contents of the partition and check it matches a known good factory config. If it doesn't, download whatever files are needed to make the hash match.
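The check described in the comment above, as an added example that is not from the thread or from any Android component: a known-good manifest of per-file SHA-256 hashes is built from a factory tree, and a later verification pass reports files that were modified, removed, or planted. The directory layout, file contents and the "Planted.apk" name are constructed for the demo; nothing here downloads replacements, and a hash check only detects a deviation, it does not by itself remove a file that has been made immutable.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large APKs/JARs do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256.

    Symlinks are skipped so a link pointing outside the tree cannot stand in
    for a real file; on a device this manifest would be generated at build time
    and stored where the running system cannot rewrite it.
    """
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def verify_tree(root: Path, manifest: dict) -> dict:
    """Compare the tree on disk with the known-good manifest.

    Returns the three kinds of deviation a reset-time check cares about:
    files whose content changed, files that disappeared, and files that were
    added (a planted APK shows up here even if chattr +i was set on it).
    """
    current = build_manifest(root)
    modified = sorted(f for f in manifest if f in current and current[f] != manifest[f])
    missing = sorted(f for f in manifest if f not in current)
    unexpected = sorted(f for f in current if f not in manifest)
    return {
        "modified": modified,
        "missing": missing,
        "unexpected": unexpected,
        "clean": not (modified or missing or unexpected),
    }


def demo() -> dict:
    """Build a constructed factory tree, snapshot it, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed stand-ins for a system partition; contents are arbitrary bytes.
        factory = {
            "system/build.prop": b"ro.build.version.release=9\n",
            "system/app/Launcher/Launcher.apk": b"PK\x03\x04 constructed launcher payload",
            "system/framework/framework.jar": b"PK\x03\x04 constructed framework payload",
        }
        for rel, data in factory.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)

        manifest = build_manifest(root)
        clean = verify_tree(root, manifest)

        # Simulate an infection: one file trojanised, one removed, one planted.
        (root / "system/framework/framework.jar").write_bytes(b"PK\x03\x04 trojanised framework")
        (root / "system/app/Launcher/Launcher.apk").unlink()
        planted = root / "system/priv-app/Planted/Planted.apk"
        planted.parent.mkdir(parents=True)
        planted.write_bytes(b"PK\x03\x04 constructed planted apk")

        tampered = verify_tree(root, manifest)
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    result = demo()
    print("before tampering:", result["clean"])
    print("after tampering: ", result["tampered"])
```

The manifest only has value if the attacker cannot regenerate it after modifying the tree, which is why real implementations sign it or anchor it in a verified boot chain; that is the step the comment leaves to the OS vendor.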
Android's file signature stuff is so close to achieving this - I think they'll finally implement it within a year or two, and that will finally allow reclaiming space when built-in apps are deleted or upgraded while keeping the ability to factory reset.
You're really just describing a bespoke scheme to create an ad-hoc good image. It's much simpler (and therefore secure) to just do a bit-for-bit full image copy.
Hashes etc are the DRM direction I was talking about. A continuing push to lock phones to some remote root of trust under the guise of security, while making them tougher to actually secure by making them less transparent.
3rd-party recovery images (TWRP, ClockworkMod, ...) offer an option to "format" or "wipe" (mkfs, really) the /data partition. This should be much closer to what you seem to be expecting from a "factory reset".
Well TWRP can only erase. What you want is fastboot/heimdall/etc flash all partitions from a stock image, to restore everything [0] to a known good state.
I know enough to do this, but obviously most people think a "factory reset" is sufficient. That is a problem - defaults matter.
[0] modulo further hidden state that I am not aware of or in touch with. For example my S4-i9500's eMMC firmware, which got corrupted somehow and bricked the device.
Interesting if you've never used chattr I guess