
Unremovable malware found preinstalled on low-end smartphone sold in the US - fortran77
https://www.zdnet.com/article/unremovable-malware-found-preinstalled-on-low-end-smartphone-sold-in-the-us/
======
TrueDuality
A lot of the comments here are complaining about trash software that exists on
other phones that isn't removable. The difference here is that it isn't just
garbage ware that might have vulnerabilities like the stuff Samsung puts on
its phones, this is actively malicious.

This especially sucks because the people who can't afford a good phone will
pay not only in having a poorer user experience but they'll have their
financial and social media information stolen as soon as it's used on these
devices.

That means the people who can least afford (via both time and money) to deal
with identity theft will be the ones hit the hardest.

~~~
kop316
Heh, it's funny you say that. I just broke my phone and had to go get a new
one. I was holding out for the PinePhone/Librem 5 to be useful enough that I
wouldn't need another Android device.

The cheapest device that I trusted was the Pixel 3a, and that's because I can
cleanly install GrapheneOS and not have google play install. That was $400. It
was very tempting to get a $100 phone, but this was my exact worry.

~~~
dathinab
The problem is that it's increasingly harder to run a non Google certified
Android phone.

For example many German (EU?) banks now have some form of 2FA system for
credit card payments which requires an Android/iPhone app which only runs
on non-rooted certified phones. (Though it should be noted that in Germany
credit card is not the major payment method and many people don't even have
one; instead debit cards with V-Pay, giropay, etc. are dominant.)

As a side note this is also the case for their online banking apps, but you
can just use their website instead.

~~~
silon42
Some web sites even require an Android app to login (key generation).

~~~
silon42
Banks here used to support client digital certificates well, but have switched
to this mess because of poor browser support (removing things like KEYGEN
without viable alternatives).

------
xfitm3
Personally I consider this to be all phones: the baseband firmware is a blob
that does who knows what, and is likely the weakest component of nearly every
phone on the market. Most baseband processors are connected via DMA.

Prior discussion from 2016:
[https://news.ycombinator.com/item?id=10905643](https://news.ycombinator.com/item?id=10905643)

~~~
mirimir
I'm reminded of the 90s joke about Windows PCs being pwned within minutes
after going online. That is, going online directly via dial-up modem, rather
than through a router.

So yeah, the baseband firmware is a huge vulnerability. But if you use a
separate modem/router, and disable the onboard baseband, that's far less of an
issue.

And with the PinePhone, it's easy:
[https://wiki.pine64.org/index.php/PinePhone#Killswitch_confi...](https://wiki.pine64.org/index.php/PinePhone#Killswitch_configuration)

~~~
teruakohatu
It was not a joke. I once saw a new WinXP install get hacked soon after being
plugged into a modem.

The Register reported the average time to infection was 20 minutes.

[https://www.theregister.co.uk/2004/08/19/infected_in20_minut...](https://www.theregister.co.uk/2004/08/19/infected_in20_minutes/)

~~~
userbinator
These days almost everyone is behind a NAT, which effectively defeats all the
scanners trying to exploit Internet-listening services (and XP comes with an
unfortunately large number of them in a default install.)

~~~
mirimir
Except for almost all people using smartphones ;)

~~~
DaiPlusPlus
All modern smartphones came out after XP SP2 so the industry knew the problems
with exposed ports - I don’t believe _any_ shipping smartphone in the US today
comes with any processes with open listening ports by default (even carrier
bundleware) - please correct me if I’m wrong.

That said - because of the sheer number of phones in existence, on IPv4 you’re
guaranteed to be running behind a giant NAT operated by your network carrier -
and on IPv6 the address space is too big to port-scan (at least) but while
it’s no help if attackers know your address - I understand there’s still a mix
of carrier-based and handset-based network lockdown going on.

~~~
mirimir
Sure, industry learned that exposing ports is dangerous. But they apparently
didn't understand the deeper risk of trusting the network.

Cellular baseband is poorly secured, and it's privileged over userland. And
its firmware is a closed-source blob, so it's ~impossible to fully assess the
risks.

And so it's arguable that adversaries can pwn smartphones through baseband.

That's the analogy to Windows XP machines. Windows Firewall was just a
stopgap. What helped most was going from dial-up modems, which are no more
secure than network interfaces, to modem/routers with NAT firewalls.

So smartphones ought to have discrete cellular modem/routers. And that's an
easy option for the PinePhone, given the kill switch.

------
jenkstom
I bought three of these for my 8 year old triplets from twigby.com. I was
really upset with twigby, but I guess they weren't the ones that did it. These
phones would continuously install weird apps no matter what I did. I even had
them locked down with the google family app and they still did their thing. I
upgraded to Moto G7 Plays and they are not only faster, they don't
continuously install malware.

~~~
swiley
I had a similar experience with a TracFone I bought as a cheap balloon
tracker: as soon as I put it on WiFi it pulled down maybe a gigabyte of random
crap (it looked like mostly games but also “facebook” and some other things
like that.) It refused to install termux until it had installed a dozen or so
worthless things.

------
rahuldottech
This is very common for low-end Android phones. I have seen and used many
models from different companies (eg, Micromax, Gionee) (mostly Chinese) that
remotely install apps or inject ads into the OS (notifications, home screen or
lock screen).

They also almost certainly are used to collect personal user data and sell it.

Another bad thing is that these apps often come installed as "system apps", so
you can't uninstall or disable them, or change permissions :(

~~~
pmlnr
I hope people remember when it was possible to buy Kindles with burned-in
ads for cheaper.

~~~
jzwinck
I too hope people remember that, because it was the case one minute ago. You
save $20 or so by having ads on your Kindle when it is sleeping. The ads are
not burned in, they are delivered via WiFi the same as other Kindle content. I
don't see the problem with it.

~~~
wmeredith
You can also go into the settings, pay the extra $20, and turn them off.

------
droithomme
Is this too much different than the unremovable malware found preinstalled in
_high-end_ smartphones sold in the US? Even big brands like Samsung are
riddled with insidious malware these days, all of which you consent to when
clicking through the registration screens.

We need regulation banning all this. Will never happen since malware benefits
those who crave endemic surveillance.

~~~
ggggtez
That's not "malware". Adware maybe, but malware does assume something more ...
malicious. Asking for consent is annoying, but we are talking about stuff that
_doesn't_ ask for your consent.

------
hpoe
People keep focusing on how these Chinese phones have malware and are being
used in the West but I tend to believe that is more of a nice side effect; the
real purpose is for China to keep a tight leash on those inside its borders.
I mean if we think about it they have to monitor, surveil and keep in check
more people than the entire US and EU combined.

------
apta
Yep, people keep buying Chinese phones without thinking. How does the
government allow them to be imported?

------
cs702
...and on high-end smartphones too, arguably. Consider how difficult it would
be to remove from any smartphone any piece of software that you as a consumer
don't want (e.g., baseband firmware, call-home components, data-collection
services, etc.).

------
butz
Is it really unremovable? What about flashing custom AOSP build?

~~~
droithomme
Sure, why don't you buy these, figure out how to do it, then publish
easy-to-understand instructions for the average purchaser to follow. Thanks!

~~~
kick
"Requires domain knowledge" is not the same as "unremovable," so it's a valid
question.

~~~
rimunroe
That’s a needless distinction for the vast majority of users. I imagine
anything is removable with enough domain knowledge and the right equipment.

~~~
alasdair_
Once one person knows how to do it, they can document and even automate the
process, then other people don’t need to have any domain knowledge.

~~~
okcando
This may be the dream but is not and has not been the reality of rooting
phones and flashing them with custom software.

It's ugly, it's error-prone, and the software that attempts to simplify it
doesn't and is of unknown trustworthiness. A very unhappy path.

Absolutely not a reasonable option for the typical user, and an even less
reasonable expectation that they should do it or should have known to.

------
jimmaswell
There's no malware here that I can see, simply an auto-update mechanism that
could theoretically be abused, like every auto-update mechanism (Chrome,
Windows 10..)

~~~
JohnFen
I pretty much consider all auto-update (and telemetry, for that matter)
mechanisms that I can't disable to be malware.

~~~
awinter-py
The Department of the Interior made disabling all phone-home (including auto
updates) a condition of their DJI drone buy

and cautioned that the level of testing they need to do for future updates is
a large expense of the project.

------
userbinator
Actually unremovable, i.e. unrootable and with a locked bootloader? That's
pretty bad. On the other hand, when I looked into the Android community a few
years ago, it was almost "common knowledge" that a lot of the cheap and
unbranded ones come with preinstalled crap, but they're unlocked by default
and easily rootable so you can remove it, and there's various guides on how to
do that and make a custom ROM.

------
JohnFen
In my opinion, the prevalence of software that I consider to be malware has
become so extreme that I don't consider any smartphone to be safe enough to
use anymore.

Although I'm marginally OK with my current one (an antique that I have a
google-free ROM and a lot of security installed on), it will probably die
within the next couple of years. At or (hopefully) before that time, I'll have
completed my move out of smartphones entirely.

~~~
makerofspoons
The PinePhone will be launching soon, and you could install any flavor of
mobile Linux you want if you are still interested in owning a smart phone:
[https://www.pine64.org/pinephone/](https://www.pine64.org/pinephone/)

~~~
JohnFen
Yes, I've already investigated the PinePhone. I have nothing against it --
there are a great many things about it that are wonderful -- but I don't find
it particularly appealing on the whole.

My escape plan is to use the dumbest feature phone I can find and also carry a
pocket computer (running standard Linux) that lacks cell capability.

~~~
spurgu
Why not combine those two into a Cosmo Communicator or its predecessor Gemini
PDA?

I'd love to get a Cosmo but I'd hate to carry it around _everywhere_ due to
its bulkiness. I guess that might be your concern as well.

~~~
JohnFen
Yes, it's much too bulky. I've also become very fond of the idea of keeping my
compute and my cell physically separate. That's not really necessary from a
security perspective as long as I can install my own copy of Linux on it, but
the idea gives me warm fuzzies.

------
ggggtez
I thought malware was the business model of low-end smart phones. Random game
company pays them to install their game on x000 devices. It's really a
question of when, not if, those companies would ship malware. You can't
imagine they are actually vetting any of that stuff they install.

~~~
w3bshark
I know one of the companies who ships the software embedded with privileges
which then installs the garbageware apps (designated by the carrier). The
garbageware apps are definitely not vetted to my knowledge.

