
The privacy trade-offs of cheap Android smartphones - imartin2k
https://www.fastcompany.com/90408472/cheap-smartphones-have-a-disturbing-secret
======
codedokode
The authors don't know much about cheap smartphones. I examined a cheap
Android tablet's ROM dump and it had a backdoor that would allow manufacturer
to install any application remotely and an adware that would activate about 2
weeks after turning the tablet on and show ads above browser window (so that
the user thinks that it is an ad from a website).

If the user tried to delete adware, the backdoor would reinstall it. The
backdoor would not activate if the phone is in China.

I downloaded ROM from the link at the manufacturer's website to make sure it
is really built-in into the ROM and the tablet was not infected by virus.
Either manufacturer or those who made the ROM pre-installed backdoor to earn
money from clicking on the ads.

Also on a Russian forum about smartphones I saw similar reports about other
cheap models.

UPD: I googled around and it seems that the backdoor (named Cosiloon) has been
found and described by antivirus vendors:

\-
[https://news.drweb.com/show/?i=10345&lng=en](https://news.drweb.com/show/?i=10345&lng=en)

\- [https://www.androidauthority.com/cosiloon-malware-android-
de...](https://www.androidauthority.com/cosiloon-malware-android-
devices-869407/)

\- [https://blog.avast.com/android-devices-ship-with-pre-
install...](https://blog.avast.com/android-devices-ship-with-pre-installed-
malware)

When I found it, there was no information about it anywhere.

~~~
deogeo
It never ceases to amaze how malicious manufacturers can get, installing so
many anti-features, without breaking _some_ law and going to jail.

Imagine if a real-estate agent kept breaking into houses he sold (through
extra doors only he has the key to), and when people complained, he'd point to
some fine print on page 23 of a contract you didn't even sign - it was just
posted on the door, after you bought the house, stating that entering the
house constitutes agreement.

There'd be a million laws against it in a heartbeat.

~~~
lr4444lr
Until data storage becomes recognized legally as a kind of real property, your
outrage won't matter. Most law is concerned only with computers as an
extension of simpler technology, and the data as IP. There isn't any concept
of people's "lives" being on these devices.

~~~
javajosh
IANAL, but I've always wondered if one good way to approach this is as a
"micro-theft" of user resources. Specifically, network bandwidth, battery
capacity, and screen size.

An additional theft, which is your attention, can also be priced according to
"the market", and indeed, if an ad obscures another sites ad then there is, in
fact, another (large) set of people the manufacturer is stealing from.
Moreover, that last class of people have some powerful advocates in the way of
the networks, to wit, Google. But this theft is less straight-forward, I
think.

I would argue that the most important theft, which is your right to be secure
in your computer mediated dealings, is hardest to argue. But that's there,
too.

It's entirely possible that this theory has already been tested, and lost, in
US courts.

~~~
shostack
Without touching on legality of such things, it's interesting also in that
these things probably have have a very clear record dollar amounts involved
for such an act in terms of revenue generated, CPMs for ads, etc.

This scene from Office Space comes to mind.[1]

[1][https://www.youtube.com/watch?v=yZjCQ3T5yXo](https://www.youtube.com/watch?v=yZjCQ3T5yXo)

------
meerita
I'm using a Xiaomi A2 Lite. The cheapest one I think (160€) and so far I am ok
with it. To my eyes, this is like the only phone I see it has Android One OEM
installed, and nothing on top of it. I am no expert, but this is how I've
chose when buying a phone. Should I be concerned? Privacy became important to
me (I've quit all social media) and I am setting up every single privacy
feature I can. I'm also considering moving to Apple since they offer more
layers of privacy than Android One.

~~~
mariushn
+1 for Xiaomi A2 as well. I would never buy a non-Android One device again,
after seeing the experience on this one.

My only complaints is lack of NFC on this device, and that A3 is worse
performance/weight wise.

~~~
Tepix
The A3 has a lower screen resolution (which should improve performance) but
better blacks/colors because it's an OLED screen.

The CPU of the A3 should be roughly equivalent to the A2 CPU. The camera is
probably a lot better.

The lack of NFC is unfortunate.

------
ghgr
Wouldn't a solution be to install Lineage OS [1] or similar custom ROM and
have the advantages of a cheap phone and the privacy of a high-end one?

[1] [https://wiki.lineageos.org/devices/](https://wiki.lineageos.org/devices/)

~~~
pmlnr
Since the change - from Cyanogenmod to LineageOS - the amount of supported
devices shrinked and nowadays I can't even find old LineageOS builds any more
for devices they used to support, but not any more. I've lost faith in
LineageOS.

~~~
plett
Take a look at [https://e.foundation/](https://e.foundation/)

It's a LineageOS fork which bundles MicroG and several apps to make a more
usable out-of-the-box OS.

They have also re-added frequent builds for many of the phones that Lineage
had dropped - including the OnePlus X which I have.

~~~
0xdeadb00f
/e/ has quite a few security issues that haven't been addressed.

Infosec Handbook did a rundown when they first came about: [https://infosec-
handbook.eu/blog/e-foundation-first-look/](https://infosec-
handbook.eu/blog/e-foundation-first-look/)

Then they did it again, more recently: [https://infosec-
handbook.eu/blog/e-foundation-second-look/](https://infosec-
handbook.eu/blog/e-foundation-second-look/)

There's also this site:
[https://ewwlo.xyz/evil.html](https://ewwlo.xyz/evil.html)

------
sdan
Another reason privacy is becoming a commodity. Eventually only the rich will
be able to live a "private life" while everyone else can't afford it.

~~~
ekianjo
Thats not what commodity means. What you describe is privacy being a luxury.

~~~
aesh2Xa1
"Commodity" seems right. "Luxury" carries another sense that I think is
fitting, too.

\- Something useful that can be turned to commercial or other advantage.

\- Advantage; benefit

~~~
NeedMoreTea
Surely personal data is the commodity turned to commercial advantage? Personal
privacy, or lack of is the symptom or consequence. Privacy is a luxury for
those able to opt out, usually via wealth.

------
panpanna
I think the main issue here is that _resellers_ may modify perfectly fine
phones to include adware. This was pretty common with eBay resellers of xiaomi
phones a while back untill xiaomi stepped in and added some method to verify
device integrity.

I assume same thing could happen on iOS if one could find a way to make the
adware to survive system updates.

~~~
ljf
Exactly this - I bought a Xiaomi Mi Note Pro and found is was packed with
malware - I went to the Xiaomi site and got the right ROM and all was good -
it was obviously the reseller who stuck it on. The issue was the malware was
pretty ropey looking, it was easy to spot - if they had been cleverer I
wouldn't have guessed or updated the phone...

~~~
panpanna
I feel the device should refuse to register a new user from anything but the
clean state.

This is pretty straightforward on modern hardware.

If any Google engineers are reading this: maybe something to consider for
Android 11?

~~~
UncleMeat
I can see the angry HN comments now.

"Google bans reselling. Do you really own your phone?"

~~~
dylz
I think clean slate here means "factory image" \- resellers if you buy on
gearbest or other Chinese sites often will preload with malware and adware
before giving you the device.

~~~
UncleMeat
I know that. That wouldn't stop the HN comments.

------
hu3
I wonder if Xiaomi's Redmi Note 7 is affected.

It costs around $180 and is quite popular in Europe.

I ask because I've seen some users complaining about ads.

[https://www.amazon.com/s?k=redmi+note+7](https://www.amazon.com/s?k=redmi+note+7)

~~~
dylz
The Xiaomis are kind of interesting in that if you buy a legitimate one direct
from the official store it's likely to be in Chinese but also somewhat-clean
(for a questionable definition of clean - expect bullshit battery saver /
storage cleaner apps that to me would border on malware).

If you have the misfortune to buy through a reseller (gearbest, dx, unofficial
stores, amazon, etc) out of several phones I've purchased from resellers, they
have all come with malware on them.

This may partially be why Xiaomi is enforcing up to 180 day minimums before
they allow a bootloader unlock (to prevent flashing/sideloading system malware
apps) by shitty resellers for $ before they ship. It does piss me off once I
get the device that I have to go sign up on their forum and beg for a
"possible approval" for a bootloader unlock.

------
systemtest
I have a Ulefone from China, with an American operating system. It was locked
with Factory Reset Protection when I got it so I used Albanian hacking
software to circumvent that, as it was easier than shipping it back.

I do not trust this phone a single bit, luckily I only use it as an emergency
phone for outdoors using a separate Google account and a separate SIM-card.

------
pmlnr
> has apps that can’t be updated or deleted

[edit] sell them rooted

[original] Root it. Unless it's something like Triada[^1], in which case, it's
f'd.

Around ~2001, everyone at high school knew how to reinstall windows and find
cracks for games. Maybe it's time to be at least that "tech savvy" again with
smartphones.

[^1]:
[https://forums.malwarebytes.com/topic/200072-trojantriada](https://forums.malwarebytes.com/topic/200072-trojantriada)

~~~
milankragujevic
Unfortunately, a majority of new Unisoc (Spreadtrum) chips have bootloaders
that cannot be unlocked without a key, which is not provided by the SOC
manufacturer, and is beyond the control of the ODM. Many low-end Android
smartphones are powered by such chips, and the end result is that root is
impossible on those devices, i.e. ZTE Blade A5 2019, Doogee N10, etc. (Unisoc
SC9863A)

edit: I have obtained the source code of the U-boot bootloader used on those
devices, however, the algorithm for the key verification is stored on the
Trusted Execution Environment, which means it cannot be extracted (the TEE is
a SecureEnclave-like device, with no possible direct access to it's memory or
storage, besides de-capping it and reading the bits with an electron
microscope) -- more info here:
[https://source.android.com/security/trusty](https://source.android.com/security/trusty)

~~~
pmlnr
I wasn't aware of this, for some reason I thought most of the low-ends are
mediatek, and unlocking android 6 mediateks was not a hard feat.

EDIT I don't think Doogee N10 falls into low end, at least not by specs.
Compare it with Moto C, which is indeed low end.

~~~
milankragujevic
Oh, Mediatek is so-"friendly" to unlocking, with no verified boot and the
ability to flash it with the infamous SP Flash Tool.

SC9863A and many other SOCs _are_ flashable with Spreadtrum's ResearchDownload
Tool. However, Spreadtrum actually does verify the whole boot process, meaning
that booting a modified binary is impossible. If you change the boot
partition, it will infinitely reboot with a black screen and vibration. If you
leave the boot as-is, but change system, it will get to the splash screen and
then reboot. etc.

It genuinely does cryptographicaly verify the signature and hash of every
partition. Which is great for security, in theory, unless the OS has preloaded
spyware, but the secureboot process prevents you from removing it.

re-edit: Doogee N10 costs 85$. I don't think you can go much lower-end,
without basically giving the manufacturer a huge profit margin (i.e. a phone
that costs $60, but has 512 MB RAM, has a bigger profit margin than a phone
that costs 85$ but has 3 GB RAM.)

~~~
pmlnr
> SC9863A and many other SOCs are flashable with Spreadtrum's ResearchDownload
> Tool. However, Spreadtrum actually does verify the whole boot process,
> meaning that booting a modified binary is impossible. If you change the boot
> partition, it will infinitely reboot with a black screen and vibration. If
> you leave the boot as-is, but change system, it will get to the splash
> screen and then reboot. etc.

Been there, and I didn't even realised the cause. I'm sorry if my previous
comment seemed light hearted, I didn't want it to be so.

~~~
milankragujevic
I understand fully. I just want to shine light on the problems of consumers
loosing control of _their_ devices that they _own_ and paid for. I would
understand that a work-provided device has such protections, and spyware,
because it's provided for a single purpose, usually under contract.

A device that you buy with your own money cannot "hand-wave" the contract
(TOS, EULA, Policies, etc), and say it's OK that you don't own your device or
your data.

------
Integrity
I suppose privacy is a premium now.

~~~
HenryBemis
We return to the same adage(s): -there is no such thing as a free lunch -if it
is free then you are the product.

As always I suggest NoRoot Firewall for everything-Android. But yes it's
called a trade-off, like accepting a "free" security software from your ISP
which technically invalidates all your encryption efforts.

~~~
tcd
Except even if you _pay_ you're _still_ the product. Data is a currency,
they'll happily take it if you offer it :)

------
unityByFreedom
Too true. I'm in the market for a new phone and came across dontkillmyapp.com
[1]. I find this ranking lines up pretty well with high privacy risk + low
cost given the hardware.

For those unaware, a new thing phones do is quietly kill apps in order to
extend battery, and the extent to which this is done can vary by device and/or
software.

[1] [https://dontkillmyapp.com](https://dontkillmyapp.com)

~~~
Jonnax
This has nothing to do with privacy.

It's battery saving.

You can create exceptions for apps.

~~~
noisem4ker
It's a quite dirty way to save battery. It may say something about the
tendency of certain manufacturers to cut corners instead of walking the right
path.

------
nobrains
Solution: Android One devices

------
tannhaeuser
I find it ironic (for lack of a better word) that Android is based on Linux,
yet it's the single largest spyware vector in the world. There's maybe a story
to be told here about how an altruistic motive or dont-care liberalism or
whatever contributes to its own demise and the enslavement of large parts of
the populace behind addictive spam devices and into cloud dystopies, tragedy
of the commons and all. But at least a discussion about Linux licensing wrt
proprietary drivers and boot loaders, as well as mandatory apps seems about
time.

~~~
Nasrudith
It brings to mind paradox of tolerance, how knowledge includes the ability to
abuse it and the morality of hammers and knives - it is fundamentally up to
the user if they want to build a house, prepare a meal, remove a tumor, or
murder and any attempt to limit it only sabotages the purpose.

Blame would be misplaced - even the most zealous licensing wouldn't have made
a bit of difference in the end. Linux itself was a free rederived fork of
Unix. If Google had to rederive their own fork of Linux they could have easily
done so with only a little more early expense and reputation damage. At the
cost of another proprietary fork gaining influence and control over free
software or even open source.

~~~
rrix2
Yeah, I doubt Fuschia, for example, will magically make mobile malware
disappear

------
Tepix
_By 2025, WARC estimates that 3.7 billion people, or over 72% of projected
internet users, will be smartphone-only internet users._

Things will get so much worse, it's frightening!

------
egdod
How much can the private data of poor people really be worth? The whole point
is to send them ads, right?

------
squarefoot
Using an old unpatched version of Android might also suggest the hardware
could be older and easier to support by other systems. Did anyone attempt at
flashing a free OS + free drivers on one of those cheap phones, that is,
removing entirely the factory software/firmware? If doable that would turn
them into interesting devices.

~~~
pm7
Main issue is that drivers are only in binary form and not compatible with
recent linux (kernel) versions.

------
mwyah
>In the United States, these users are mainly made up of economically
disadvantaged individuals, who are disproportionately black and Hispanic.

I mean you could say the same thing about everything. This affects poor
people, and those are "disproportionately black and Hispanic". It's like the
writer is trying to trigger someone.

~~~
Jonnax
The person that got triggered is you.

~~~
mwyah
It's more like the writer was saying "nobody cares about poor people, but hey,
if we say the victims are blacks and latinos... that's going to get some
support from someone". Which is rather sad since being poor is bad for
everybody, no matter whether you're black white or green.

------
strooper
All android smartphones data are exploited by Google through google services,
by manufacturers through uninstallable bloatwares and by app providers through
apps. If a user disables a permission, the app refuses to work.

The cheap smartphones are sold mostly in the Asian and African markets where
the mass can afford that, and data privacy means nothing to those users.

So, Your data, my data, all are up there somewhere, no matter how cheap or
expensive devices we use. Why do we still live in the illusion of data
privacy? Is there any?

