Traffic Type TOR showed up after I plugged my phone in to my PC?

On January 3rd I received my new phone in the mail. My old phone, a Galaxy S3 that had previously been bootloader unlocked, rooted, custom recovery installed and custom rom OctOS installed, was giving me weird issues and I swear it was taking pictures of me and turning the microphone on at random times (not related to google now or talk back settings).

Anyway, so I plug in my S3 to my PC to back up pics n whatnot and right after I do so I see traffic type Torpark Onion routing @ 3.4KB in GlassWire's Usage view. Well, I got freaked out because I don’t use TOR and AFAIK the custom ROM I was using doesn’t have any TOR incorporated into it - and even if it did, WTH is it doing making connections to the TOR network without my consent/knowledge and why did it do so after being plugged to my PC (sadly USB debugging was enabled, and root password was never changed). So I flashed the locked bootloader KK NDE odin TAR package to my phone, essentially reverting everything to stock, and after that I didn’t get any other TOR data usage in GlassWire.

So I’m not sure what the point of this post is, other than to get feedback - has anyone else experienced TOR traffic type showing up after plugging in a rooted, ROM’d Android phone? Is there a government-sponsored TOR backdoor that is infecting custom ROM’d & rooted phones? Or could it have been the sneaky Russians?

I haven’t seen anyone report anything like this before. I guess it’s possible GlassWire could be detecting an incorrect traffic type. Perhaps if you look carefully at the host the TOR traffic was going to you can figure out if it’s truly TOR traffic or not.
I haven’t seen anyone report any false TOR traffic types either.

Thanks for the reply, I couldn’t find anything either, but I didn’t check out any forums on the dark web - probably the only place something like this would be properly discussed. I went to look for the traffic log files, but I couldn’t find any, and there is no App associated with the Traffic Type in GlassWire, and I’ve essentially restored the phone to factory (md5 and everything!) so I can’t even try to replicate it.

The only thing I can say that may add to what I’ve already posted is that under the custom ROM’s update check feature, I was never able to receive an update because my “ROM build could not be detected” which is odd because that info is stored in a simple system.db (sql) file. I honestly think it was a virus, but I’ve reached out to the devs of the ROM (just in case) to find out if their ROM’s kernel came prebaked with TOR support. I’ll update this post if/when they respond.

GlassWire has the ability to show the host IP the TOR traffic was communicating with. Maybe if you research this host you can figure out if the detection was legit.
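One way to do the host check suggested above, as an added example that is not part of any post in this thread: compare the remote IP and port shown by the monitor against a saved copy of the public Tor relay list. It assumes the list is an Onionoo "details" JSON document saved locally; the relay entries, addresses and function names below are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample shaped like an Onionoo "details" document
# (documentation-range addresses, made-up nicknames); not real relays.
SAMPLE_DETAILS = json.loads("""
{"relays": [
  {"nickname": "ExampleGuard", "flags": ["Fast", "Guard", "Running"],
   "or_addresses": ["192.0.2.10:9001", "[2001:db8::10]:9001"]},
  {"nickname": "ExampleMiddle", "flags": ["Fast", "Running"],
   "or_addresses": ["198.51.100.7:443"]}
]}
""")


def split_or_address(value):
    """Split 'ip:port' or '[ipv6]:port' into (ip_address, port)."""
    host, _, port = value.rpartition(":")
    return ipaddress.ip_address(host.strip("[]")), int(port)


def build_relay_index(details):
    """Map each relay IP to the (port, nickname, flags) entries listed for it."""
    index = {}
    for relay in details.get("relays", []):
        for value in relay.get("or_addresses", []):
            ip, port = split_or_address(value)
            index.setdefault(ip, []).append(
                (port, relay.get("nickname", "?"), relay.get("flags", [])))
    return index


def classify(index, host, port):
    """Return (verdict, nickname) for a remote host/port seen by the monitor."""
    entries = index.get(ipaddress.ip_address(host), [])
    for listed_port, nickname, _flags in entries:
        if listed_port == port:
            return ("listed-relay-or-port", nickname)
    if entries:
        # Same IP as a relay but a different service port: weaker evidence.
        return ("relay-ip-other-port", entries[0][1])
    return ("not-listed", None)


if __name__ == "__main__":
    idx = build_relay_index(SAMPLE_DETAILS)
    for host, port in [("192.0.2.10", 9001), ("198.51.100.7", 80),
                       ("2001:db8::10", 9001), ("203.0.113.5", 443)]:
        print(host, port, classify(idx, host, port))
```

Use a relay list from the date the connection was seen, since relays come and go. Bridge relays are not in the public list, so a `not-listed` result does not rule out Tor.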

You said that your phone is rooted, takes pictures of you and enables the microphone… So either you got hacked or you installed a security suite with these features. Why not communicate this secret information via Tor (at least if you got hacked)?

It’s possible that it uses the USB network connection through your host when plugged in.