Is service.odtcfactory.sec.com.odtcfactoryservice a valid system app on Android 7.0?


On my Samsung Galaxy S6 phone I see service.odtcfactory.sec.com.odtcfactoryservice in Settings > Apps when I click Show system apps. A while ago I started to suspect that my phone might have been hacked, and when I connected to it I noticed in Phone\Android\data a folder named service.odtcfactory.sec.com.odtcfactoryservice that was created around the time when the intrusion might have taken place (in hindsight).

Inside this folder there is an empty cache folder that has the same Created and Modified datetime as that of the following lines that contain the string 'odtc' in the adb logcat output:

07-15 16:12:44.502 D/MountService( 3663): getExternalStorageMountMode : final mountMode=1, uid : 1000, packageName : service.odtcfactory.sec.com.odtcfactoryservice
07-15 16:12:44.541 I/ActivityManager( 3663): Start proc 5087:service.odtcfactory.sec.com.odtcfactoryservice/1000 for broadcast service.odtcfactory.sec.com.odtcfactoryservice/.odtcfactory.BatteryAlarmReceiver
07-15 16:12:44.561 I/SELinux ( 5087): SELinux: seapp_context_lookup: seinfo=platform, pkgname=service.odtcfactory.sec.com.odtcfactoryservice
07-15 16:12:44.608 I/ActivityManager( 3663): DSS on for service.odtcfactory.sec.com.odtcfactoryservice and scale is 1.0
07-15 16:12:44.644 D/ODTCFactoryService:BatteryAlarmReceiver( 5087): ACTION_POWER_CONNECTED received
07-15 16:12:44.648 W/ContextImpl( 5087): Calling a method in the system process without a qualified user: android.app.ContextImpl.sendBroadcast:906 android.content.ContextWrapper.sendBroadcast:452 android.content.ContextWrapper.sendBroadcast:452 service.odtcfactory.sec.com.odtcfactoryservice.odtcfactory.BatteryAlarmReceiver.onReceive:54 android.app.ActivityThread.handleReceiver:3309
07-15 16:12:45.067 I/ODTCFactoryService:AlarmReceiver( 5087): Alarm received
07-15 16:12:45.071 D/ODTCFactoryService:AlarmReceiver( 5087): Scheduled for alarm after 1800000 (ms) and session time is 180000 (ms)
07-15 16:12:45.071 D/ODTCFactoryService:PowerMonitor( 5087): sessionStartTime 1531696365071
07-15 16:12:45.073 W/ContextImpl( 5087): Calling a method in the system process without a qualified user: android.app.ContextImpl.startService:1403 android.content.ContextWrapper.startService:664 android.content.ContextWrapper.startService:664 service.odtcfactory.sec.com.odtcfactoryservice.odtcfactory.AlarmReceiver.onReceive:105 android.app.ActivityThread.handleReceiver:3309
07-15 16:12:45.078 D/ODTCFactoryService::LockscreenEncoderFactory( 5087): LockscreenEncoderFactory instantiated
07-15 16:12:45.094 D/ODTCFactoryService:ProcessLockManager( 5087): Lock released
07-15 16:12:45.105 I/ActivityManager( 3663): Process service.odtcfactory.sec.com.odtcfactoryservice (pid 5087) has died(54,1194)

I have Force Stopped this app, and it starts again. I have also Factory Reset my phone twice this week, but the app is still there. After the first Factory Reset I installed the most recent system update, so my Android version is 7.0:

Kernel version 3.10.61-13731302 Mon Jun and 4 2018
Build number NRD90M.G920W8VLU6DRF1
Android security patch level June 1 2018

Is this system app legitimate? I couldn't find much information about it in a Google search, which made me even more suspicious. If it is not valid, how do I uninstall it? I tried running the following command but got DELETE_FAILED_INTERNAL_ERROR.
adb shell pm uninstall service.odtcfactory.sec.com.odtcfactoryservice

I also see other seemingly suspicious activity in the log file related to a reSIProcate service. The following line is an example, but there are many similar instances of what looks like my phone sending messages to a server.
07-15 15:51:08.226 I/reSIProcate( 3132): SipResp: 200 tid=68e64ae9ac9d2c9f cseq=29 REGISTER contact=xxxx@[2605:8d80:2:8c1c:d6a:ab6e:8708:44c4]:6100 / 29 from(wire)

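An added example, not part of the original question: a short Python parser that pulls out of logcat lines like the ones quoted above the fields that speak to a package's provenance, namely the UID it runs as, the seinfo label SELinux assigned from its signing certificate, what started the process, and how long it lived. The names `profile`, `ts`, `PKG` and `SAMPLE` are assumptions made for this example; the sample lines are copied from the excerpt in the question.

```python
import re
from datetime import datetime

PKG = "service.odtcfactory.sec.com.odtcfactoryservice"
# Constructed sample: three lines copied from the logcat excerpt in the question.
SAMPLE = """\
07-15 16:12:44.541 I/ActivityManager( 3663): Start proc 5087:service.odtcfactory.sec.com.odtcfactoryservice/1000 for broadcast service.odtcfactory.sec.com.odtcfactoryservice/.odtcfactory.BatteryAlarmReceiver
07-15 16:12:44.561 I/SELinux ( 5087): SELinux: seapp_context_lookup: seinfo=platform, pkgname=service.odtcfactory.sec.com.odtcfactoryservice
07-15 16:12:45.105 I/ActivityManager( 3663): Process service.odtcfactory.sec.com.odtcfactoryservice (pid 5087) has died(54,1194)
"""

LINE = re.compile(r"^(\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}) [VDIWEF]/.+?\(\s*\d+\): (.*)$")
START = re.compile(r"Start proc (\d+):(\S+)/(\S+) for (\S+) (\S+)")
SEINFO = re.compile(r"seinfo=([^,\s]+), pkgname=(\S+)")
DIED = re.compile(r"Process (\S+) \(pid (\d+)\) has died")

def ts(stamp):
    # logcat's default format has no year; 2000 is a placeholder, only differences are used.
    return datetime.strptime("2000-" + stamp, "%Y-%m-%d %H:%M:%S.%f")

def profile(log_text, package):
    """Return the identity facts logcat recorded for one package."""
    out = {"uid": None, "seinfo": None, "trigger": None, "lifetime_ms": None}
    started = {}  # pid -> time ActivityManager started it
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a logcat line in the default "time" layout
        stamp, msg = m.groups()
        if (s := START.search(msg)) and s.group(2) == package:
            out["uid"] = s.group(3)  # "1000" is the Android system UID; ordinary apps show u0aNNN
            out["trigger"] = (s.group(4), s.group(5))  # e.g. ("broadcast", component)
            started[s.group(1)] = ts(stamp)
        elif (s := SEINFO.search(msg)) and s.group(2) == package:
            out["seinfo"] = s.group(1)  # label derived from the package's signing certificate
        elif (s := DIED.search(msg)) and s.group(1) == package and s.group(2) in started:
            delta = ts(stamp) - started[s.group(2)]
            out["lifetime_ms"] = round(delta.total_seconds() * 1000)
    return out

if __name__ == "__main__":
    for key, value in profile(SAMPLE, PKG).items():
        print(f"{key}: {value}")
```

To run it against a full capture, pass the saved `adb logcat` text in place of `SAMPLE`.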