The authors don't know much about cheap smartphones. I examined a cheap Android tablet's ROM dump and it had a backdoor that would allow manufacturer to install any application remotely and an adware that would activate about 2 weeks after turning the tablet on and show ads above browser window (so that the user thinks that it is an ad from a website).
If the user tried to delete adware, the backdoor would reinstall it. The backdoor would not activate if the phone is in China.
I downloaded ROM from the link at the manufacturer's website to make sure it is really built-in into the ROM and the tablet was not infected by virus. Either manufacturer or those who made the ROM pre-installed backdoor to earn money from clicking on the ads.
Also on a Russian forum about smartphones I saw similar reports about other cheap models.
UPD: I googled around and it seems that the backdoor (named Cosiloon) has been found and described by antivirus vendors:
It never ceases to amaze how malicious manufacturers can get, installing so many anti-features, without breaking some law and going to jail.
Imagine if a real-estate agent kept breaking into houses he sold (through extra doors only he has the key to), and when people complained, he'd point to some fine print on page 23 of a contract you didn't even sign - it was just posted on the door, after you bought the house, stating that entering the house constitutes agreement.
There'd be a million laws against it in a heartbeat.
Even companies that used to be considered trusted by most people are doing it --- just look at Windows 10 for example... full of ads and telemetry which are nearly impossible to disable, thanks to that backdoor known as "Windows Update" which can easily revert all your changes (and is itself Hydra-like to disable.)
Until data storage becomes recognized legally as a kind of real property, your outrage won't matter. Most law is concerned only with computers as an extension of simpler technology, and the data as IP. There isn't any concept of people's "lives" being on these devices.
IANAL, but I've always wondered if one good way to approach this is as a "micro-theft" of user resources. Specifically, network bandwidth, battery capacity, and screen size.
An additional theft, which is your attention, can also be priced according to "the market", and indeed, if an ad obscures another sites ad then there is, in fact, another (large) set of people the manufacturer is stealing from. Moreover, that last class of people have some powerful advocates in the way of the networks, to wit, Google. But this theft is less straight-forward, I think.
I would argue that the most important theft, which is your right to be secure in your computer mediated dealings, is hardest to argue. But that's there, too.
It's entirely possible that this theory has already been tested, and lost, in US courts.
Without touching on legality of such things, it's interesting also in that these things probably have have a very clear record dollar amounts involved for such an act in terms of revenue generated, CPMs for ads, etc.
And in my case the backdoor (Cosiloon) wouldn't do anything if the tablet was in China (don't remember how it detected the country, maybe by IP address or language).
It is illegal and does break laws, but the enforcement of laws is very selective, and is usually limited to a single device. So, even if you were to sue the manufacturer, and win the case, the worst that can happen to the manufacturer is a slap on the wrist fine and the device being barred from selling in that country. Which is ridiculous because devices are sold for a few months, the cheaper ones even less, and are quickly replaced by newer models. The fines are offset by the revenue in selling user data and also direct payment for inclusion of third-party apps in the phone's OS image.
I get your point and I agree with you, but to be fair, spotting a physical backdoor would be a little easier than a software one, and I think that’s why there are no laws against it—people have no idea this is happening.
But once those backdoors are found and reported, nothing happens. Unless you're a regular schmuck who 'hacks' by guessing a URL - then you get raided by the FBI and do hard jail time [1].
Famously, Nokia (HMD Global), also had apps that could perform such functions, developed by Evenwell Digitech Inc. I wrote about it here -- https://news.ycombinator.com/item?id=17329825, though it didn't gain much traction for a while.
In the end, Nokia (HMD Global) appologised, and said that the apps were mistakenly included in global phone versions (they're supposed to be China-only), but they are being investigated by the Finnish DPO. -- https://uk.reuters.com/article/uk-finland-telecoms/finland-t...
When people buy a cheap Android phone, I always recommend that you take a look at the xda-developers form [1] to see if there is a custom rom available.
For some cheap phones even without the backdoor the some system components are unstable leading to a subpar experience.
Did anybody have a look at those custom ROMs, with sources from random repositories, modified by anonymous people, build on public build servers, distributed on random file hosting services?
This is what I like about LineageOS. I may not have the time or inclination to build it myself, but it's "open enough" to meet my standards, especially compared to the closed ROM supplied by my phone's manufacturer (OnePlus, FWIW).
I'm not implying they are, my question was honest. I once tried to see where the binary ROM actually came from, and met an astonishing lack of information. Granted, it's a model that isn't really supported.
But it felt that the community is far away from having plausible sources and builds.
I can understand that ultimately this begins with kernel sources that are already just a ZIP archive on some website.
Most are, yes, and the community is pretty good at pointing out the ones that aren't.
But the real question is are they any less trustworthy than Google itself and the phone manufacturers? From what I've observed, they are more trustworthy that that crowd.
Note that a custom rom will only get you "don't tell my roommate" levels of safe and secure, not "please don't inform foreign governments" safe. Backdoors can (and probably do) exist in bootloaders, recovery firmware, drivers and so on.
A lot of roms require you to use TWRP as a recovery. So that's where you get your recovery.
Most ROMs are based off of either AOSP or lineage. The list of unofficially supported devices is huge. Since, most devices share the same SOC's they're usually just forked off of each other with gradual tweaks. The Sony open device project is semi supported by sony but doesn't share any code with the stock images.
So, that really just leaves the bootloader. How much attack surface does the boot rom actually provide? I feel like most vendors would probably just assume a backdoored system or boot partition. Your boot rom would have to accommodate for all kinds of potential Android versions. It sounds like a lot of effort for a corner case so not really worth the effort.
Just to clarify, not many ROMs require a specific recovery, they simply expect certain functionality for updates. You can use many other forks of TWRP, which include backwards compatibility, without issue.
RedWolf [0] and OrangeFox [1] are both forked from TWRP and provide more features than upstream. Cyanogen and Lineage recovery are based on AOSP, again, with more features than upstream.
Don't forget all the binary blobs you need to get full functionality, the monstrous size of the codebase (and corresponding attack surface), the baseband processor, etc.
Also, don't get me started on the terrible security hygeine of the actual ROM distribution practices.
Yep. I had a Nomu S10 which got a Triada infected OTA (!) from the manufacturer.
For those unfamiliar with this: Triada, and it's relatives infect zygote, the java bootstrap system on Android. From there on rooting on it's own can't help, because the process binary is changed, so unless you can replace it with an uninfected one, it's gone. If there are ROMs out there without the infection, flashing helps.
It's also kind-of not fair to blame only the brand/manufacturer, they are complicit -- yes -- but no the only party to blame.
I work for a company that, in between other things, develops and sells Android devices (TVs, tablets, phones, watches, etc.)
We buy a design from a Chinese developer, customize it, add apps and other "value-add" bulls*it, and then import the manufactured products and sell them.
The problem is, we recently found malware in the OS images which were provided by the manufacturer/developer, and traces back to Mediatek themselves, but we were not made aware of it. On request, the developer removed the malware and we sent an OTA to all devices of most models that removes the malware.
The point I'm making is that in many cases, the backdoors and spyware aren't even provided by the company that sells the phones, they are usually secretly put in much closer to the actual manufacturer/developer of the device and/or SoC.
>It's also kind-of not fair to blame only the brand/manufacturer, they are complicit -- yes -- but no the only party to blame.
I blame the manufacturer for two reasons. First, because they're the highest level in the chain that's likely to have any knowledge of this stuff.
Second, because they're the one selling it to consumers, and they have a responsibility to their customers to perform due diligence regarding the software they're including with the device.
If batteries start exploding, the device manufacturer can't just throw up their hands and blame their suppliers. The same is true of software. Yes, that probably means accepting huge binary blobs from the ODM or SoC manufacturer puts the company selling it at risk. They can choose to accept that risk, or they can demand better. They have a whole lot more influence on the process than us consumers do.
(There are precious few options for consumers. I'm holding out hope for the Librem 5 and PinePhone here.)
Okay, that is a fair point. In the EU, thankfully, we have laws that protect consumers from such incidents, including malware and faulty software, and the party selling the device is the responsible one, no matter what the EULA/TOS/LOL/etc. say.
I blame automatic OTA, not the manufacturer. There should be rigorous virus scanning of each OTA before sent to the customer and even then it shouldn't be allowed to be automatically installed.
Google actually serves the OTA for most devices, meaning they can "see" and check for malware. The files are stored on and downloaded from their serves. Given the "rigorous" testing the apply to devices before they get Google Play certification, I assume they could revoke the certification remotely if malware is detected in an OTA, or even reject the OTA binary.
Seriously, Google should act more harshly on those devices, to the point of making them lose their Google Play certification and trigger a SafetyNet non-compliance..
Can I ask how you did this? Did you have to physically remove the ROM from the board and read it with some sort of chip reader? Or is there an interface to read the ROM into a dump without any damage to the board
Honestly, the easiest way is to simply download the ROM or a full non-delta update from manufacturer, unpack it, and start decompiling.
Another option if you are able to unlock the bootloader is, using a custom recovery, to create a tarball of each partition and unpack and start decompiling.
I found suspicious application (with name like ePlayService or eVideoService, don't remember exactly) in app list, then connected using ADB and examined the filesystem, and decompiled suspicious packages. Then I downloaded ROM from manufacturer's site to make sure that the backdoor was there too.
Also I checked signatures on applications to exclude unmodified third party apps like Youtube and check only those with unknown signatures. This is where I found that the manufacturer signed their system applications using publicly available Android test key (which means device is vulnerable because anyone can make an app signed with that test key and gain high privileges on device).
Also, some chipsets (like MediaTek) allow downloading storage contents to PC using proprietary Windows application.
Huh, I'm surprised that manufacturers of cheap android even bother providing downloadable firmware,I might pick up a cheapo android and play around with it.
It is often available for download at the manufacturer's site. In my case, I first connected to the tablet using ADB and examined files in the filesystem, found suspicious packages, decompiled them and later checked ROM dump to verify that the backdoor is pre-installed.
Some chipsets (like MediaTek) support "uploading" data from device storage to PC using a proprietary Windows utility and USB cable.
ADB is a CLI tool made by Google [1]. You download the tool and Windows driver from Google, then you edit USB VID/PID in driver's config so that it matches your device, then you install drivers, conenct device using USB and use adb command line tool.
I'm using a Xiaomi A2 Lite. The cheapest one I think (160€) and so far I am ok with it. To my eyes, this is like the only phone I see it has Android One OEM installed, and nothing on top of it. I am no expert, but this is how I've chose when buying a phone. Should I be concerned? Privacy became important to me (I've quit all social media) and I am setting up every single privacy feature I can. I'm also considering moving to Apple since they offer more layers of privacy than Android One.
Generally speaking, Android One devices cannot ship with malware, even invisible, because Google has to inspect the software. In any case, a manufacturer COULD put malware after Google approves the software, but they would certainly lose Android One license, and possibly the ability to get ANY phone certified as Google Play compatible, EVER. So, they won't do it, no matter the incentives and possible revenue in stealing user data.
I mean, you don't need Google Play in China, given that it's blocked. You DO need China-specific services, that consumers in China will not buy your phone without. i.e. all Tencent things...
This is not practical for many phones and many people (even those who frequent this site) because you need to unlock the bootloader, which may be impossible, and then port LineageOS, which is probably not too hard in the best case, but is not a trivial undertaking.
I tried building LOS from source recently for my OnePlus 7 Pro, which is mainlined into LOS. Installing build prerequisites was easy for me because I use an OS with a package manager and a large catalog of packages. Then, it started downloading the LOS git repos. After a few hours all 58 GB of the free space on my disk was used. I cancelled it and will just stick with the provided LOS builds. Time is worth something too.
All the privacy aware people should actually do is to check the list of officially supported phones on the LineageOS site before buying, then spend 15 minutes to read the installation instruction and follow it.
You can download prebuilt images for supported devices. Installation is not always a smooth ride, but once you spend 30 minutes you generally forget about it.
The post I replied to was talking about installing LOS on cheap phones. But LOS mostly doesn't exist on cheap phones, unless you want to do the work of porting it yourself. My post showed that for many people just building LOS from scratch may be a big challenge - I gave up even though my phone is already ported and has official builds available.
Since the change - from Cyanogenmod to LineageOS - the amount of supported devices shrinked and nowadays I can't even find old LineageOS builds any more for devices they used to support, but not any more. I've lost faith in LineageOS.
There are also MicroG builds, they just add MicroG and the F-Droid Privileged Extension, which allows F-Droid to install and update apps without the need of user interaction or the unsafe "Unknown sources" option.
due to problems with bootloader unlocking most devs prefer pixel or oneplus or poco phones. you can lose faith in lineageos - but it is not a company - just group of devs - trying to help each other in their time.
Well, space is not infinity and you need to remember that this is mostly voluntary work. If they're a company I would understand your claims, however they're not and there is no need for then to keep builds for your ancient device.
Also these builds will be based on old Android versions that are full of known security holes by this point. It would be irresponsible of them to knowingly distribute insecure software.
As far as companies go... Will Microsoft sell you a copy of one of their old unsupported OSs? Of course not.
This is likely because LineageOS has adopted a Charter, which includes fairly rigorous Device Support Requirements [0] before a device can get Official status. Maintainers and device maintenance have more stringent requirements also.
I think this is a step in the right direction.
As for old builds being removed, this is completely asinine. and their rationale really doesn't hold any water. You can likely find an archived version for your device, or continue building from source, 14.1 still gets Android Security Bulletin patches, for the time being.
I think they meant "commodity" in the general sense of "something you have to pay for" or "something subject to market pricing" as opposed to something always assumed.
Surely personal data is the commodity turned to commercial advantage? Personal privacy, or lack of is the symptom or consequence. Privacy is a luxury for those able to opt out, usually via wealth.
I think the main issue here is that resellers may modify perfectly fine phones to include adware. This was pretty common with eBay resellers of xiaomi phones a while back untill xiaomi stepped in and added some method to verify device integrity.
I assume same thing could happen on iOS if one could find a way to make the adware to survive system updates.
Exactly this - I bought a Xiaomi Mi Note Pro and found is was packed with malware - I went to the Xiaomi site and got the right ROM and all was good - it was obviously the reseller who stuck it on. The issue was the malware was pretty ropey looking, it was easy to spot - if they had been cleverer I wouldn't have guessed or updated the phone...
I think clean slate here means "factory image" - resellers if you buy on gearbest or other Chinese sites often will preload with malware and adware before giving you the device.
The Xiaomis are kind of interesting in that if you buy a legitimate one direct from the official store it's likely to be in Chinese but also somewhat-clean (for a questionable definition of clean - expect bullshit battery saver / storage cleaner apps that to me would border on malware).
If you have the misfortune to buy through a reseller (gearbest, dx, unofficial stores, amazon, etc) out of several phones I've purchased from resellers, they have all come with malware on them.
This may partially be why Xiaomi is enforcing up to 180 day minimums before they allow a bootloader unlock (to prevent flashing/sideloading system malware apps) by shitty resellers for $ before they ship. It does piss me off once I get the device that I have to go sign up on their forum and beg for a "possible approval" for a bootloader unlock.
I have a Ulefone from China, with an American operating system. It was locked with Factory Reset Protection when I got it so I used Albanian hacking software to circumvent that, as it was easier than shipping it back.
I do not trust this phone a single bit, luckily I only use it as an emergency phone for outdoors using a separate Google account and a separate SIM-card.
[original]
Root it. Unless it's something like Triada[^1], in which case, it's f'd.
Around ~2001, everyone at high school knew how to reinstall windows and find cracks for games. Maybe it's time to be at least that "tech savvy" again with smartphones.
Unfortunately, a majority of new Unisoc (Spreadtrum) chips have bootloaders that cannot be unlocked without a key, which is not provided by the SOC manufacturer, and is beyond the control of the ODM. Many low-end Android smartphones are powered by such chips, and the end result is that root is impossible on those devices, i.e. ZTE Blade A5 2019, Doogee N10, etc. (Unisoc SC9863A)
edit: I have obtained the source code of the U-boot bootloader used on those devices, however, the algorithm for the key verification is stored on the Trusted Execution Environment, which means it cannot be extracted (the TEE is a SecureEnclave-like device, with no possible direct access to it's memory or storage, besides de-capping it and reading the bits with an electron microscope) -- more info here: https://source.android.com/security/trusty
Oh, Mediatek is so-"friendly" to unlocking, with no verified boot and the ability to flash it with the infamous SP Flash Tool.
SC9863A and many other SOCs are flashable with Spreadtrum's ResearchDownload Tool. However, Spreadtrum actually does verify the whole boot process, meaning that booting a modified binary is impossible. If you change the boot partition, it will infinitely reboot with a black screen and vibration. If you leave the boot as-is, but change system, it will get to the splash screen and then reboot. etc.
It genuinely does cryptographicaly verify the signature and hash of every partition. Which is great for security, in theory, unless the OS has preloaded spyware, but the secureboot process prevents you from removing it.
re-edit: Doogee N10 costs 85$. I don't think you can go much lower-end, without basically giving the manufacturer a huge profit margin (i.e. a phone that costs $60, but has 512 MB RAM, has a bigger profit margin than a phone that costs 85$ but has 3 GB RAM.)
> SC9863A and many other SOCs are flashable with Spreadtrum's ResearchDownload Tool. However, Spreadtrum actually does verify the whole boot process, meaning that booting a modified binary is impossible. If you change the boot partition, it will infinitely reboot with a black screen and vibration. If you leave the boot as-is, but change system, it will get to the splash screen and then reboot. etc.
Been there, and I didn't even realised the cause. I'm sorry if my previous comment seemed light hearted, I didn't want it to be so.
I understand fully. I just want to shine light on the problems of consumers loosing control of their devices that they own and paid for. I would understand that a work-provided device has such protections, and spyware, because it's provided for a single purpose, usually under contract.
A device that you buy with your own money cannot "hand-wave" the contract (TOS, EULA, Policies, etc), and say it's OK that you don't own your device or your data.
I chose MTK because of it being open-by-default and all the leaked datasheets/programming guides/source code available. You can really run whatever you want on those devices, with enough effort.
It's somewhat surprising that the other low-end SoCs are locked by default... I wonder if the key is the same for all of them, and just hasn't been leaked yet.
MTK is quite good, but it's becoming worse in the perf/$ ratio, i.e. the SC9863A is a octa core A55 chip at 1.5GHz, while similar MTK devices are dual core A7 at 1.2 GHz. The architecture improvements alone are excellent, not mentioning the extra cores and higher clock speed.
The key is most certainly not the same, because I doubt they would go through the trouble of doing actual secure boot verification, and storing the data in the TEE, and just have the same key. Additionally, the U-boot code I obtained lies to the user about commands not being found, if the command doesn't contain a valid unlock key.
But if you were handed either a Samsung note or a Windows laptop that belonged to someone else. Where you wanted to quickly sign into your bank account.
What would you feel more comfortable to use?
Arguments of user freedom also includes malware freedom. And for the average user who just wants to consume, that's a decent tradeoff.
That's why there's tamper-evidence - my phone displays a message stating it's rooted on boot.
Getting the best of both security and user-freedom has already been done, but manufacturers prefer to lie that the choice is exclusive - that we can have security or freedom, but not both. And as the article clearly shows, they delivered neither.
I think we can't assume that these people have access to a computer, which is necessary to be able to root it. In the article the author refers to "smartphone only users" who can barely afford a 17$ smartphone. Even if there was a service available in their region which offers rooting Android devices, a lot of people might not afford to do so.
We return to the same adage(s):
-there is no such thing as a free lunch
-if it is free then you are the product.
As always I suggest NoRoot Firewall for everything-Android. But yes it's called a trade-off, like accepting a "free" security software from your ISP which technically invalidates all your encryption efforts.
Too true. I'm in the market for a new phone and came across dontkillmyapp.com [1]. I find this ranking lines up pretty well with high privacy risk + low cost given the hardware.
For those unaware, a new thing phones do is quietly kill apps in order to extend battery, and the extent to which this is done can vary by device and/or software.
It's a quite dirty way to save battery. It may say something about the tendency of certain manufacturers to cut corners instead of walking the right path.
I don't mind this if they let me decide which apps to kill and let me override any app from being killed.
Unless it has changed recently on iOS you are very restricted what you can run in the background. I want the freedom to run anything and I have that on Android.
If you click into the manufacturer you can read details about how they came up with the rankings. For example,
> UPDATE: On some phones with EMUI 9+ (Android P+) Huawei introduced a new task killer app called PowerGenie which kills everything not whitelisted by Huawei and does not give users any configuration options. See below how to uninstall it.
I find it ironic (for lack of a better word) that Android is based on Linux, yet it's the single largest spyware vector in the world. There's maybe a story to be told here about how an altruistic motive or dont-care liberalism or whatever contributes to its own demise and the enslavement of large parts of the populace behind addictive spam devices and into cloud dystopies, tragedy of the commons and all. But at least a discussion about Linux licensing wrt proprietary drivers and boot loaders, as well as mandatory apps seems about time.
It brings to mind paradox of tolerance, how knowledge includes the ability to abuse it and the morality of hammers and knives - it is fundamentally up to the user if they want to build a house, prepare a meal, remove a tumor, or murder and any attempt to limit it only sabotages the purpose.
Blame would be misplaced -
even the most zealous licensing wouldn't have made a bit of difference in the end. Linux itself was a free rederived fork of Unix. If Google had to rederive their own fork of Linux they could have easily done so with only a little more early expense and reputation damage. At the cost of another proprietary fork gaining influence and control over free software or even open source.
Using an old unpatched version of Android might also suggest the hardware could be older and easier to support by other systems. Did anyone attempt at flashing a free OS + free drivers on one of those cheap phones, that is, removing entirely the factory software/firmware?
If doable that would turn them into interesting devices.
>In the United States, these users are mainly made up of economically disadvantaged individuals, who are disproportionately black and Hispanic.
I mean you could say the same thing about everything. This affects poor people, and those are "disproportionately black and Hispanic". It's like the writer is trying to trigger someone.
Race, gender and age enjoy stronger legal and social position as protected classes than economic standing, political orientation, or education does.
As a result one way to fight for justice for the economically disadvantaged is to make use of the racial correlation.
The fact that an issue disproportional impacts the poor and as a result disproportionally impacts people of particular races can also contribute to race-specific second order effects. For example, evidence strongly suggests that some race are treated particularly harshly by the judicial system in the US, leading to increased rates of convictions and harsher sentences-- so having backdoored phones is quite possibly a double whammy, causing additional harm that another population with the same devices wouldn't experience.
Ideally we'd also protect the economically disadvantaged from things like this without needing to reference a particular subset of victims, but when someone advocates for the welfare of others they do it in the world we actually live in, not the world that we would ideally have.
If you look at the data its about race, income educational attainment and age. But race and income are two of the examples with the obvious disparities. Them's the facts.
It's more like the writer was saying "nobody cares about poor people, but hey, if we say the victims are blacks and latinos... that's going to get some support from someone". Which is rather sad since being poor is bad for everybody, no matter whether you're black white or green.
All android smartphones data are exploited by Google through google services, by manufacturers through uninstallable bloatwares and by app providers through apps. If a user disables a permission, the app refuses to work.
The cheap smartphones are sold mostly in the Asian and African markets where the mass can afford that, and data privacy means nothing to those users.
So, Your data, my data, all are up there somewhere, no matter how cheap or expensive devices we use. Why do we still live in the illusion of data privacy? Is there any?
If the user tried to delete adware, the backdoor would reinstall it. The backdoor would not activate if the phone is in China.
I downloaded ROM from the link at the manufacturer's website to make sure it is really built-in into the ROM and the tablet was not infected by virus. Either manufacturer or those who made the ROM pre-installed backdoor to earn money from clicking on the ads.
Also on a Russian forum about smartphones I saw similar reports about other cheap models.
UPD: I googled around and it seems that the backdoor (named Cosiloon) has been found and described by antivirus vendors:
- https://news.drweb.com/show/?i=10345&lng=en
- https://www.androidauthority.com/cosiloon-malware-android-de...
- https://blog.avast.com/android-devices-ship-with-pre-install...
When I found it, there was no information about it anywhere.