
It's shameful of Google (but totally expected) that they don't supervise the Android One program AT ALL. All of the Android One mobiles appear on the top list of their Android One microsite and I'm sure most of them contain malware built-in.


Having said this, I never expected Nokia to be doing that, too. Both Nokia and HMD are Finnish, do they really need to outsource the creation of the ROM?!

Yeah, Android One is a bit of a joke really. I got a Nokia 7 Plus on the promise that it would have fast updates, be bug free, and not contain any OEM modifications. None of those have really been true. Admittedly, updates are still a bit faster than the likes of Samsung and other big OEMs, but the process has shown that it's not as simple as Google rolling out the updates.

OEMs still make changes to it, and it still seems dependent on carriers pushing through the changes - despite buying a SIM free phone, I waited 2 months longer for updates, which seemed to be the case with everyone on the same network in the UK.

It's far from bug free, with a few updates in the last few months introducing new bugs. Again, it shows that this isn't an update coming directly from Google, it is at least in some part developed and tweaked by OEMs. In this particular case, the process showed that HMD/Nokia is severely lacking in development and QA expertise, as there have been ongoing issues for months with no fix.

They also introduced their own battery optimisation software a few months ago, which massively changed how the phone handled multitasking and background applications (effectively, it killed them all). And then this news that they're sending unencrypted identifiable information to a third party? These things shouldn't be possible if Android One did what it claimed.

I avoid OEMs like Samsung because of all the bloat and junk that they add on top of Android, but Android One is clearly not a solution to that. I would still prefer it in theory to the alternatives, but I'll do more research next time - if a company doesn't have a proven track record, then Android One isn't going to solve that.

One minor point - Nokia the company isn't involved in the Nokia Android phones. HMD is just a small company that licenses the brand. Admittedly, a small company that was founded by ex-Nokia folk and based across the road from Nokia's HQ, but it's evidently not a company with Nokia's resources or much of their expertise.

One really big bugbear I have with HMD and the firmware updates is absolutely unusable WiFi after they released the January/February security updates for this year.

After installing the security updates, WiFi only works once after a reboot, the moment you disable it, you have to either sludge forward with modem speeds on 2.4GHz-band or none at all if you are on 5GHz-band. Since these problems manifested after installing the security updates, it's slowly starting to point towards a driver/firmware issue instead of a hardware problem as some have speculated.

Some fixes for this are "phantom SIM", resetting WiFi settings or booting into safe mode. The only common thing with these "fixes" is the reboot; so far it is the only thing that will fix the WiFi, but turn it off once and you're boned. Similar issues are noticeable with the WiFi AP: first try after boot works just fine, next one you have to try to force 2.4GHz-band on the AP along with 5GHz, causing the AP to "soft reboot". After this, you are very likely in need of a reboot as the AP will not show up.

After this breach of privacy and data security, along with the WiFi issues, I'm slowly starting to lean towards filing a complaint to either HMD or the local customer protection agency here.

Worst of all, the support forum topics I've checked somewhat regularly on have no official replies from HMD or Nokia, only second-hand information from people who have been in touch with support.

This really stings. I purposefully chose a Nokia for exactly these reasons - Android One and European.

HMD is Finnish, but AFAIK they have zero own software development in Finland. Not sure whether it is public knowledge where they buy the SW from. Of course the Google part is known, but I assume the application reported here is not from Google.

Yeah. HMD is just a license holding company with nothing but lots of managers as employees. All of their software development is outsourced to Finnish and foreign companies.

I know some of those people (in Finland) who worked in these outsourcing companies, but they just worked on the more high level components like Android apps etc. Not with bootloaders or OS images.

The firmware for my 7 Plus is littered with packages named "com.evenwell.*", including the very aggressive powersaving "feature".

You're right. My Android One Nokia 7.1 comes with at least 64 evenwell/HMDGlobal apps, albeit behind the scenes. There's no docs on any of them as far as I can tell so you can only guess from the name what they do.


That said I've not noticed anything obviously suspicious when I use a firewall to monitor it. I only did it as a test so I might have missed something. Also I'm in the UK, if that makes a difference.

I've got a Nokia 8 (also bought in the UK) with the Evenwell system apps as well, and I haven't noticed any unusual domains in my Pi-hole logs at home.

I wonder if it's only specific country builds that display this behaviour?

These apps can freely choose to only use the cellular modem for communication and thus communication may not show up in your firewall / proxy. In addition to this, your carrier can't distinguish legitimate traffic generated by you from malicious traffic generated by these applications.

How can I check it? I bought Xiaomi Mi A2 recently and I didn't find any non-Google software, it looks pretty authentic.

Here's pm list: https://pastebin.com/HjQED9fr (I installed a few applications myself)

You have the problematic application: com.qualcomm.qti.autoregistration, also some stuff from Goodix that I'm not sure if you installed yourself...

> You have the problematic application: com.qualcomm.qti.autoregistration

Could you explain why this is problematic?

"security researcher Dirk Wetter reported that the culprit could be an APK package named “com.qualcomm.qti.autoregistration.apk.”"

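One way to answer the "How can I check it?" question above, as an added example that is not part of any comment in the thread: a script that reads saved `adb shell pm list packages -f` output and lists packages matching the names mentioned in the thread, plus other preinstalled packages outside the Android/Google namespaces. The sample lines, the `com.evenwell.example` name and the "expected" prefixes are constructed assumptions; the result is an inventory only and says nothing about what a package transmits.

```python
import fnmatch

# Package names and patterns mentioned in the thread.
WATCHLIST = ("com.evenwell.*", "com.qualcomm.qti.autoregistration")
# Assumption: prefixes treated here as expected platform/Google packages.
EXPECTED_PREFIXES = ("com.android.", "com.google.")
# Partitions that hold preinstalled APKs.
PREINSTALL_DIRS = ("/system/", "/system_ext/", "/vendor/", "/product/")

# Constructed sample of `pm list packages -f` output (not from a real device).
SAMPLE = """\
package:/system/framework/framework-res.apk=android
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/app/Example/Example.apk=com.evenwell.example
package:/vendor/app/AutoReg/AutoReg.apk=com.qualcomm.qti.autoregistration
package:/system/app/Fp/Fp.apk=com.example.vendor.fingerprint
package:/data/app/~~Zm9vYmFy==/org.example.notes-QUJD==/base.apk=org.example.notes
"""

def parse_line(line):
    """Split 'package:<apk path>=<name>' into (path, name), or return None."""
    line = line.strip()
    if not line.startswith("package:"):
        return None
    # Split on the LAST '=': newer /data/app paths contain '==' themselves.
    path, sep, name = line[len("package:"):].rpartition("=")
    return (path, name) if sep and name else None

def audit(pm_output):
    """Return watchlist hits and other preinstalled non-platform packages."""
    report = {"watchlist": [], "preinstalled_other": []}
    for line in pm_output.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        path, name = parsed
        if any(fnmatch.fnmatchcase(name, pat) for pat in WATCHLIST):
            report["watchlist"].append(name)
        elif (path.startswith(PREINSTALL_DIRS) and name != "android"
              and not name.startswith(EXPECTED_PREFIXES)):
            report["preinstalled_other"].append(name)
    return {key: sorted(names) for key, names in report.items()}

if __name__ == "__main__":
    for section, names in audit(SAMPLE).items():
        print(section, names)
```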
