Phone is sending packets to Facebook without the app installed

I just recently got an LG G5 and while I was logged into the web interface on my pfSense box I noticed the firewall was blocking outbound packets from the IP address I assigned to my LG. I was curious about it, so I looked closer.

The first dropped connection I noticed was to 54.85.237.103, which dnsstuff.com detected as an AWS instance by Facebook:

Amazon Technologies Inc. AMAZON-2011L (NET-54-72-0-0-1) 54.72.0.0 - 54.95.255.255
Facebook AWS-FACEBOOK2 (NET-54-85-224-0-1) 54.85.224.0 - 54.85.239.255

So I checked my phone for anything to do with Facebook, maybe LG had the app installed by default but I couldn't find anything.

It was then that I noticed another curious connection was blocked by the firewall. This time the connection was to [2a03:2880:1010:6f02:face:b00c:0:8e]:443. Notice the face:b00c in the IPv6 address.

DNS Lookup also lists the domain as going to edge-mqtt6-shv-06-atn1.facebook.com:

Does anyone have any idea why my phone is periodically sending packets to Facebook when the app isn't installed on my device?

Have Instagram or WhatsApp installed?

Could be the phone's inbuilt social features.


I don't have Instagram or WhatsApp installed and as far as I can tell it doesn't have any built-in social features either.

Periscope?

I'm clueless.

Periscope is installed but I thought they were acquired by Twitter and not Facebook.

Oh yeah, I'm being an idiot... Wrong wiki page.

Have you ever used Facebook on that device? How about shopping? I wonder if this would pop up from the API stuff that FB pretty much has on everything lol

Only thing left would be cookies (flash cookies or regular ones).
Clear cookies, see if it still happens. If it does, try a factory reset. If that solves it, check again after browsing some sites.
If it continues to contact Facebook immediately after the factory reset, I'd suggest rooting the phone and flashing a more privacy-oriented ROM. CyanogenMod for instance, with the OpenGapps "Pico" package if you really need the Play Store.

This could be traffic from anything that touches Facebook in any way, which is a lot of stuff.


I don't use Facebook at all and I've just got the device and haven't done any shopping either.

I haven't used Chrome since I got the device, so it is unlikely to be cookies, and since it is a new phone a factory reset likely wouldn't do much.

The packets have pretty much stopped completely at this point so this is likely the cause. I just found it strange because I wasn't using the device when I noticed the packets so thought the phone may have some tracking for Facebook.

Maybe LG has put into the phone some sort of integration with Facebook for some kind of service they can provide. Everything stopped on its own?

The phone has no integration with any service out of the box and it only had one third-party app installed (aside from Google apps), which was Evernote, and I disabled that straight away. Other than that the packets completely stopped and I haven't noticed anything strange in the firewall logs since then.

I did notice some more IPv6 connections in the firewall logs to 2a03:2880:fffe:c:face:b00c:0 addresses, but after looking closer they likely didn't come from my phone, as the source address changes frequently and it doesn't correspond to the IPv6 address on my phone, so I'd say they are from other devices on the network since I'm the only one here that doesn't use Facebook.

The most likely scenario is browsing the web. Many websites use scripts to send or draw data from other services, like websites that allow you to log in with your Facebook account.

The second scenario is the OS on your phone. If it's stock then you are a slave to the carrier's intentions. Install a 3rd party ROM.

I don't think it's due to web browsing as I wasn't using the web browser when it happened and hardly used it at all up until that point.

I had thought that it may be the carrier as they installed a shit ton of apps when I first put the SIM card into the phone. I might have a closer look at the apps they installed and see if any of them have Facebook integration.

Okay, first off, it doesn't matter if you're using a web browser or not. Stuff runs in the background on Android regardless of you having a task killer or not (5.0+).

Lots of traffic touches Facebook's CDN. The internet is a huge place, and even the little Facebook icon with "like this on Facebook", which is on the majority of pages now, sends traffic to Facebook. See, that edge-xxxx#-xxx-##-xxx#.facebook.com is a CDN address. There is nothing to honestly worry about. If you're so concerned with Facebook's CDNs, grab a list and put them in your hosts file. This will considerably slow down Facebook but alleviate your worries. If you're concerned about privacy, consider this hosts file provider. Keep in mind this only works on rooted Android devices, so you can modify the Linux subsystem.

https://github.com/StevenBlack/hosts

So it is likely coming from an app installed by my carrier. I opened one of them and all these connections to Facebook were blocked:

Sep 26 20:24:11	WIFI	192.168.2.8:49974	54.85.227.147:8253	TCP:FA
Sep 26 20:24:10	WIFI	192.168.2.8:47834	54.85.227.147:8253	TCP:FA
Sep 26 20:24:09	WIFI	192.168.2.8:32953	54.85.230.146:8253	TCP:FA
Sep 26 20:24:09	WIFI	192.168.2.8:51322	54.85.238.45:8253	TCP:FA
Sep 26 20:24:06	WIFI	192.168.2.8:49977	54.85.236.251:8253	TCP:FA
Sep 26 20:23:46	WIFI	192.168.2.8:49974	54.85.227.147:8253	TCP:FA
Sep 26 20:23:46	WIFI	192.168.2.8:47834	54.85.227.147:8253	TCP:FA
Sep 26 20:23:45	WIFI	192.168.2.8:32953	54.85.230.146:8253	TCP:FA
Sep 26 20:23:45	WIFI	192.168.2.8:51322	54.85.238.45:8253	TCP:FA
Sep 26 20:23:44	WIFI	192.168.2.8:55751	54.85.224.234:8253	TCP:FA
Sep 26 20:23:44	WIFI	192.168.2.8:59692	54.85.227.100:8253	TCP:FA
Sep 26 20:23:44	WIFI	192.168.2.8:49977	54.85.236.251:8253	TCP:FA
Sep 26 20:23:34	WIFI	192.168.2.8:49974	54.85.227.147:8253	TCP:FA
Sep 26 20:23:33	WIFI	192.168.2.8:47834	54.85.227.147:8253	TCP:FA
Sep 26 20:23:33	WIFI	192.168.2.8:32953	54.85.230.146:8253	TCP:FA
Sep 26 20:23:33	WIFI	192.168.2.8:51322	54.85.238.45:8253	TCP:FA
Sep 26 20:23:33	WIFI	192.168.2.8:55751	54.85.224.234:8253	TCP:FA
Sep 26 20:23:33	WIFI	192.168.2.8:59692	54.85.227.100:8253	TCP:FA
Sep 26 20:23:32	WIFI	192.168.2.8:49977	54.85.236.251:8253	TCP:FA
Sep 26 20:23:27	WIFI	192.168.2.8:49974	54.85.227.147:8253	TCP:FA
Sep 26 20:23:27	WIFI	192.168.2.8:47834	54.85.227.147:8253	TCP:FA
Sep 26 20:23:27	WIFI	192.168.2.8:32953	54.85.230.146:8253	TCP:FA
Sep 26 20:23:27	WIFI	192.168.2.8:51322	54.85.238.45:8253	TCP:FA
Sep 26 20:23:27	WIFI	192.168.2.8:55751	54.85.224.234:8253	TCP:FA
Sep 26 20:23:27	WIFI	192.168.2.8:59692	54.85.227.100:8253	TCP:FA
Sep 26 20:23:27	WIFI	192.168.2.8:49977	54.85.236.251:8253	TCP:FA
Sep 26 20:23:24	WIFI	192.168.2.8:49974	54.85.227.147:8253	TCP:FA
Sep 26 20:23:24	WIFI	192.168.2.8:47834	54.85.227.147:8253	TCP:FA
Sep 26 20:23:24	WIFI	192.168.2.8:32953	54.85.230.146:8253	TCP:FA
Sep 26 20:23:24	WIFI	192.168.2.8:51322	54.85.238.45:8253	TCP:FA
Sep 26 20:23:24	WIFI	192.168.2.8:55751	54.85.224.234:8253	TCP:FA
Sep 26 20:23:24	WIFI	192.168.2.8:59692	54.85.227.100:8253	TCP:FA
Sep 26 20:23:24	WIFI	192.168.2.8:49977	54.85.236.251:8253	TCP:FA
Sep 26 20:23:23	WIFI	192.168.2.8:49974	54.85.227.147:8253	TCP:FA
Sep 26 20:23:23	WIFI	192.168.2.8:47834	54.85.227.147:8253	TCP:FA
Sep 26 20:23:23	WIFI	192.168.2.8:32953	54.85.230.146:8253	TCP:FA
Sep 26 20:23:23	WIFI	192.168.2.8:51322	54.85.238.45:8253	TCP:FA
Sep 26 20:23:23	WIFI	192.168.2.8:55751	54.85.224.234:8253	TCP:FA
Sep 26 20:23:23	WIFI	192.168.2.8:59692	54.85.227.100:8253	TCP:FA
Sep 26 20:23:23	WIFI	192.168.2.8:49977	54.85.236.251:8253	TCP:FA
Sep 26 20:23:22	WIFI	192.168.2.8:49974	54.85.227.147:8253	TCP:FA
Sep 26 20:23:22	WIFI	192.168.2.8:47834	54.85.227.147:8253	TCP:FA
Sep 26 20:23:22	WIFI	192.168.2.8:32953	54.85.230.146:8253	TCP:FA
Sep 26 20:23:22	WIFI	192.168.2.8:51322	54.85.238.45:8253	TCP:FA
Sep 26 20:23:22	WIFI	192.168.2.8:55751	54.85.224.234:8253	TCP:FA
Sep 26 20:23:22	WIFI	192.168.2.8:59692	54.85.227.100:8253	TCP:FA
Sep 26 20:23:22	WIFI	192.168.2.8:49977	54.85.236.251:8253	TCP:FA
Sep 26 20:23:22	WIFI	192.168.2.8:49974	54.85.227.147:8253	TCP:FA
Sep 26 20:23:22	WIFI	192.168.2.8:47834	54.85.227.147:8253	TCP:FA
Sep 26 20:23:22	WIFI	192.168.2.8:32953	54.85.230.146:8253	TCP:FA
Sep 26 20:23:22	WIFI	192.168.2.8:51322	54.85.238.45:8253	TCP:FA
Sep 26 20:23:22	WIFI	192.168.2.8:55751	54.85.224.234:8253	TCP:FA
Sep 26 20:23:22	WIFI	192.168.2.8:59692	54.85.227.100:8253	TCP:FA
Sep 26 20:23:22	WIFI	192.168.2.8:49977	54.85.236.251:8253	TCP:FA
Sep 26 20:23:21	WIFI	192.168.2.8:47834	54.85.227.147:8253	TCP:FA
Sep 26 20:23:21	WIFI	192.168.2.8:49974	54.85.227.147:8253	TCP:FA
Sep 26 20:23:21	WIFI	192.168.2.8:32953	54.85.230.146:8253	TCP:FA
Sep 26 20:23:21	WIFI	192.168.2.8:49977	54.85.236.251:8253	TCP:FA
Sep 26 20:23:21	WIFI	192.168.2.8:55751	54.85.224.234:8253	TCP:FA
Sep 26 20:23:21	WIFI	192.168.2.8:51322	54.85.238.45:8253	TCP:FA
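
An added example, not part of the original thread: one way to triage a blocked-traffic log like the one pasted above, collapsing the repeated lines into flows and checking each destination against the whois range quoted earlier in the thread. It assumes the tab-separated field layout as pasted; the first five sample lines are copied from the log, the last two are constructed.

```python
import ipaddress

# IPv4 range quoted from the whois output in the thread (AWS-FACEBOOK2).
WHOIS_NETS = list(ipaddress.summarize_address_range(
    ipaddress.ip_address("54.85.224.0"), ipaddress.ip_address("54.85.239.255")))

# First five lines are copied from the log in the thread; the last two are
# constructed (documentation addresses, made-up ports and flags).
SAMPLE = "\n".join([
    "Sep 26 20:24:11\tWIFI\t192.168.2.8:49974\t54.85.227.147:8253\tTCP:FA",
    "Sep 26 20:24:10\tWIFI\t192.168.2.8:47834\t54.85.227.147:8253\tTCP:FA",
    "Sep 26 20:24:09\tWIFI\t192.168.2.8:32953\t54.85.230.146:8253\tTCP:FA",
    "Sep 26 20:23:46\tWIFI\t192.168.2.8:49974\t54.85.227.147:8253\tTCP:FA",
    "Sep 26 20:23:34\tWIFI\t192.168.2.8:49974\t54.85.227.147:8253\tTCP:FA",
    "Sep 26 20:20:00\tWIFI\t[2001:db8::8]:40000\t[2001:db8:ffff::1]:443\tTCP:S",
    "Sep 26 20:19:00\tWIFI\t192.168.2.8:50000\t192.0.2.10:443\tTCP:S",
])

def split_endpoint(ep):
    """'1.2.3.4:80' or '[2001:db8::1]:80' -> (ip_address, port)."""
    host, port = ep.rsplit(":", 1)
    return ipaddress.ip_address(host.strip("[]")), int(port)

def parse_line(line):
    """Fields as pasted in the thread: time, interface, src, dst, proto:flags."""
    when, iface, src, dst, proto = line.split("\t")
    flags = proto.partition(":")[2]
    return when, iface, split_endpoint(src), split_endpoint(dst), flags

def summarize(text):
    """Collapse repeated log lines into flows keyed by (src, sport, dst, dport)."""
    flows = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        _, _, (src, sport), (dst, dport), flags = parse_line(line)
        flow = flows.setdefault((str(src), sport, str(dst), dport), {
            "hits": 0, "flags": set(),
            # A v6 address tested against a v4 network is simply False.
            "in_whois_range": any(dst in net for net in WHOIS_NETS)})
        flow["hits"] += 1
        flow["flags"].add(flags)
    return flows

if __name__ == "__main__":
    ranked = sorted(summarize(SAMPLE).items(), key=lambda kv: -kv[1]["hits"])
    for key, flow in ranked:
        print(key, flow)
```

In pf's notation the flags `FA` are FIN+ACK and `S` is SYN, so the `flags` set shows whether a blocked flow was a new connection attempt or the tail of an existing one.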
Sep 26 20:23:21	WIFI	192.168.2.8:59692	54.85.227.100:8253	TCP:FA

I may do this soon. My old phone was rooted with a custom ROM but I'm too lazy atm to root this one, until then I'm going to see if I can uninstall or disable some of the apps installed by my carrier.

Or alternatively, use my modified list that allows a few non-intrusive things through and doesn't eliminate convenience.

http://paste.ubuntu.com/23235071/

Let me know what carrier you have if you decide to add those to this file. I could put them in there and into my personal GitHub.

Was going to add that to my DNSBL list but for some strange reason I am required to login with Ubuntu SSO to get a plain text version (why is this a thing). I may just add the list to my GitLab server and direct DNSBL to that instead.

Also, my carrier is Vodafone UK.