How to determine if my Android phone has really been infected by spyware? Please help

Background: I run a Telegram channel with thousands of subscribers that posts anti-government political stuff, and I’m based in a country where Telegram is banned by the government.

This morning at 7:49am, when I picked up my Android phone, I got a notification that a Telegram stranger pseudonymed “Edsel Joan” (I never knew this user before) sent me a photo on Telegram ~5 hours ago. What was suspicious is that the photo failed to render and the notification only showed “[Photo]”. (Usually, if the photo renders successfully, a photo preview is displayed, so I found this suspicious.)

When I saw this, I clicked on the notification to open the Telegram chat, but found that the original sender had deleted the chat for both parties sometime after they sent the photo, presumably to destroy evidence. (This is a Telegram feature; therefore, I can’t find the original sender who did this to me.)

I suspected this was some kind of 0-day attack. So I used adb and the Mobile Verification Toolkit to scan my phone. The tool reported that it detected no IOC matches. However, I saw logs of many system files and processes being touched or modified at around 1:58am in the results file timeline.csv, which is about the time I received the strange Telegram message.

Can anyone suggest whether I have indeed been infected by spyware, or is this just paranoia that stemmed from a random spam message? What are my next steps?
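One way to read the timeline.csv burst described in the question, as an added example that is not part of the original posts or of MVT itself: it counts events near a chosen time and compares them with the same clock time on other days, so recurring nightly activity stands apart from entries seen only that night. The column names, the timestamp format and every sample row are assumptions constructed for illustration.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Assumed header names for timeline.csv; adjust them to match your file.
TS_COL, PLUGIN_COL, EVENT_COL = "Device Local Timestamp", "Plugin", "Event"

# Constructed sample rows (not real MVT output).
SAMPLE = '''"Device Local Timestamp","Plugin","Event","Description"
"2023-10-03 01:57:10.000000","Files","modified","constructed: /data/example/cache.db"
"2023-10-04 01:59:02.000000","Files","modified","constructed: /data/example/cache.db"
"2023-10-05 01:58:03.000000","Files","modified","constructed: /data/example/cache.db"
"2023-10-05 01:58:40.000000","Packages","package_install","constructed: com.example.unknown"
"2023-10-05 09:15:00.000000","Files","modified","constructed: /data/example/other"
'''

def load_timeline(handle):
    """Parse timeline rows, skipping rows whose timestamp cannot be parsed."""
    rows = []
    for row in csv.DictReader(handle):
        try:
            ts = datetime.fromisoformat(row[TS_COL].strip())
        except (KeyError, ValueError, AttributeError):
            continue
        rows.append((ts, row.get(PLUGIN_COL) or "", row.get(EVENT_COL) or ""))
    return sorted(rows)

def window_vs_baseline(rows, pivot, minutes=30):
    """Count (plugin, event) pairs near the pivot and at the same clock time on other days."""
    span = timedelta(minutes=minutes)
    in_window, baseline = Counter(), Counter()
    for ts, plugin, event in rows:
        if abs(ts - pivot) <= span:
            in_window[(plugin, event)] += 1
            continue
        # Same clock time on this row's own date (windows crossing midnight are not handled).
        same_clock = pivot.replace(year=ts.year, month=ts.month, day=ts.day)
        if abs(ts - same_clock) <= span:
            baseline[(plugin, event)] += 1
    only_in_window = {k: n for k, n in in_window.items() if k not in baseline}
    return in_window, baseline, only_in_window

def demo():
    rows = load_timeline(io.StringIO(SAMPLE))
    return window_vs_baseline(rows, datetime(2023, 10, 5, 1, 58))

if __name__ == "__main__":
    for name, counts in zip(("window", "baseline", "only in window"), demo()):
        print(name, dict(counts))
```

An entry that shows up only in the window is a lead for closer reading of its description, not a finding on its own.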

It’s impossible to tell… If in doubt I’d factory reset the device, and reflash the device with adb sideload from fastboot.

Just a note: recently there was a vulnerability related to webm images (CVE-2023-4863 and CVE-2023-5217), and if someone were to try to utilize that, they’d probably target old Android devices. I became aware of these recently with the Element update.

Unfortunately, vendors are quite slow to update their OS. So it’s not uncommon that a chain of n-days is all it needs (still difficult, but not for state-level actors).