Unremovable malware found preinstalled on low-end smartphone sold in the US (zdnet.com)
146 points by fortran77 on Jan 10, 2020 | 55 comments



A lot of the comments here are complaining about trash software that exists on other phones that isn't removable. The difference here is that it isn't just garbage ware that might have vulnerabilities like the stuff Samsung puts on its phone, this is actively malicious.

This especially sucks because the people who can't afford a good phone will pay not only in having a poorer user experience but they'll have their financial and social media information stolen as soon as it's used on these devices.

That means the people who can least afford (via both time and money) to deal with identity theft will be the ones hit the hardest.


Heh, it's funny you say that. I just broke my phone and had to go get a new one. I was holding out for the PinePhone/Librem 5 to be useful enough that I wouldn't need another Android device.

The cheapest device that I trusted was the Pixel 3a, and that's because I can cleanly install GrapheneOS and not have Google Play installed. That was $400. It was very tempting to get a $100 phone, but this was my exact worry.


I really wish this was more than just a privacy concern. Google, for all the shady, immoral, and frankly weird data collection they do on people, doesn't actively discriminate against classes of people with their services. They'll track a high income individual the same as a homeless one.

These low-end phones, preloaded with malware, and likely running an outdated and vulnerable version of the base OS with no hope of patches...

Having a hope of being successful in our society right now in any meaningful way requires some level of access to the internet and these bare-minimum phones are it for a lot of people. Security online is a massive social issue that we can't rely on end-user awareness to solve.

This is a supply chain attack that only hurts the worse off. You're on this site which in its own way gives you a certain baseline technical merit; you're actively aware of the threat of these low-end phones so you don't fall into that potential trap.

The people that can't make that jump between the $100 and $400 phone shouldn't have to deal with additional ongoing personal and financial repercussions from trying to participate in our modern society.


The problem is that it's increasingly harder to run a non Google certified Android phone.

For example many German (EU?) banks now have some form of 2FA system for credit card payments which requires an Android/iPhone app which only runs on non-rooted certified phones. (Though it should be noted that in Germany credit card is not the major payment method and many people don't even have one; instead debit cards with V-Pay, giropay, etc. are dominant.)

As a side note this is also the case for their online banking apps, but you can just use their website instead.


> this is also the case for their online banking Apps, but you can just use their website instead.

...unless their website also has 2FA, and relies on an Android/Apple app for auth. Or you pay them money to lug around a USB device for 2FA.

For both people who have dumbphones or run custom ROMs, despite the security risks, there should still be an SMS-2FA option.


Sounds like it's time for regulation to step in and stop this practice.


Some web sites even require an Android app to log in (key generation).


Banks here used to support client digital certificates well, but have switched to this mess because of poor browser support (removing things like KEYGEN without viable alternatives).


Personally I consider this to be all phones: the baseband firmware is a blob that does who knows what, and is likely the weakest component of nearly every phone on the market. Most baseband processors are connected via DMA.

Prior discussion from 2016: https://news.ycombinator.com/item?id=10905643


I'm reminded of the 90s joke about Windows PCs being pwned within minutes after going online. That is, going online directly via dial-up modem, rather than through a router.

So yeah, the baseband firmware is a huge vulnerability. But if you use a separate modem/router, and disable the onboard baseband, that's far less of an issue.

And with the PinePhone, it's easy: https://wiki.pine64.org/index.php/PinePhone#Killswitch_confi...


It was not a joke. I once saw a new WinXP install get hacked soon after being plugged into a modem.

The Register reported the average time to infection was 20 minutes.

https://www.theregister.co.uk/2004/08/19/infected_in20_minut...


These days almost everyone is behind a NAT, which effectively defeats all the scanners trying to exploit Internet-listening services (and XP comes with an unfortunately large number of them in a default install.)


Except for almost all people using smartphones ;)


All modern smartphones came out after XP SP2 so the industry knew the problems with exposed ports - I don’t believe any shipping smartphone in the US today comes with any processes with open listening ports by default (even carrier bundleware) - please correct me if I’m wrong.

That said - because of the sheer number of phones in existence, on IPv4 you’re guaranteed to be running behind a giant NAT operated by your network carrier - and on IPv6 the address space is too big to port-scan (at least) but while it’s no help if attackers know your address - I understand there’s still a mix of carrier-based and handset-based network lockdown going on.


Sure, industry learned that exposing ports is dangerous. But they apparently didn't understand the deeper risk of trusting the network.

Cellular baseband is poorly secured, and it's privileged over userland. And its firmware is a closed-source blob, so it's ~impossible to fully assess the risks.

And so it's arguable that adversaries can pwn smartphones through baseband.

That's the analogy to Windows XP machines. Windows Firewall was just a stopgap. What helped most was going from dial-up modems, which are no more secure than network interfaces, to modem/routers with NAT firewalls.

So smartphones ought to have discrete cellular modem/routers. And that's an easy option for the PinePhone, given the kill switch.


Many mobile devices (especially those connected to an MVNO) are on one big giant subnet with "L2" style connectivity to each other.

This is how Charlie Miller and Chris Valasek were able to remotely compromise vehicles with a vulnerable infotainment system via a pwned femtocell.

"To find vulnerable vehicles you just need to scan on port 6667 from a Sprint device on the IP addresses 21.0.0.0/8 and 25.0.0.0/8."[0]

[0] http://illmatics.com/Remote%20Car%20Hacking.pdf, pdf page 46.


OK, so they used a femtocell (miniature cell tower) that had been exploited to allow console access. In particular, a Sprint Airave. Basically that gave them direct access to Sprint's WAN. And this is mind-blowing:

> It turns out that any Sprint device anywhere in the country can communicate [as in telnet] with any other Sprint device anywhere in the country.

So remote devices do have network connectivity to cellular baseband. At least on Sprint.

Do other cellular networks work like that?


Back around 2000 I tried restoring Windows from the original CD and the thing would get hacked before it could install its updates. Eventually punted and bought a hard drive with Windows pre-installed.


OK, I guess that "joke" was a poor choice.

More like "wry observation".


No worries - Until SP2, Windows XP’s security was very much a joke :)


No iPhone currently sold is connected to its modem via DMA. They've all got some type of IOMMU.

Given that most traffic is encrypted (eg any major website via https, or mail provider with smtp-over-tls, or most apps via https), a baseband vulnerability isn't a great deal of help without an iommu bypass (AFAIK only one has ever been publicly disclosed for ios, and it took the researchers over 6 months).

IIRC (from a few years back) the Pixel phones also have one, but most Samsung phones did not.


I've found that information on which phones have a directly connected baseband is incredibly hard to come by.


I bought three of these for my 8-year-old triplets from twigby.com. I was really upset with Twigby, but I guess they weren't the ones that did it. These phones would continuously install weird apps no matter what I did. I even had them locked down with the Google Family app and they still did their thing. I upgraded to Moto G7 Plays and they are not only faster, they don't continuously install malware.


I had a similar experience with a track phone I bought as a cheap balloon tracker: As soon as I put it on WiFi it pulled down maybe a gigabyte of random crap (it looked like mostly games but also “facebook” and some other things like that.) It refused to install termux until it had installed a dozen or so worthless things.


This is very common for low-end Android phones. I have seen and used many models from different companies (eg, Micromax, Gionee) (mostly Chinese) that remotely install apps or inject ads into the OS (notifications, home screen or lock screen).

They also almost certainly are used to collect personal user data and sell it.

Another bad thing is that these apps often come installed as "system apps", so you can't uninstall or disable them, or change permissions :(


https://www.xda-developers.com/uninstall-carrier-oem-bloatwa...

I have used these instructions in the past to remove things I don't need from a Samsung phone.

(There are also xda threads that talk about it as well, pointing out what apps can be removed.)

I am not 100% sure if "cheap" phones would allow you to do this though.
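The linked guide's approach (removing or hiding preinstalled packages for the current user over adb, without root) starts with an inventory of what is actually on the device. The script below is an added example, not from the thread or the xda guide: it parses the output format of `adb shell pm list packages -f`, separates packages that live on read-only partitions (`/system`, `/product`, `/vendor`) from user-installed ones under `/data`, and prints the per-user removal commands for review instead of running them. The sample package list and the keep list are constructed for the example; on a real device you would pipe in `adb shell pm list packages -f` and extend `KEEP_LIST` with everything the phone needs to keep working.

```shell
#!/bin/sh
# Constructed sample of `adb shell pm list packages -f` output (not captured from a real device).
SAMPLE_PM_OUTPUT='package:/system/app/Settings/Settings.apk=com.android.settings
package:/system/priv-app/ExampleUpdater/ExampleUpdater.apk=com.example.updater
package:/product/app/ExampleGameLoader/ExampleGameLoader.apk=com.example.gameloader
package:/data/app/~~abc/org.example.termux-1/base.apk=org.example.termux
package:/vendor/app/ExampleVendorSvc/ExampleVendorSvc.apk=com.example.vendorsvc'

# Packages that must stay even though they sit on a read-only partition.
# Assumption: a minimal keep list; a real one is much longer (telephony, settings, launcher, ...).
KEEP_LIST='com.android.settings'

# classify_line LINE
#   Prints "<partition> <package>" for one `pm list packages -f` line.
#   partition is one of: system, product, vendor, data, other.
classify_line() {
  line=$1
  path=${line#package:}        # strip the "package:" prefix
  pkg=${path##*=}              # package name follows the last '='
  apk=${path%=*}               # APK path precedes it
  case $apk in
    /system/*)  part=system ;;
    /product/*) part=product ;;
    /vendor/*)  part=vendor ;;
    /data/*)    part=data ;;
    *)          part=other ;;
  esac
  printf '%s %s\n' "$part" "$pkg"
}

# in_keep_list PKG -> exit status 0 if PKG is in KEEP_LIST
in_keep_list() {
  for k in $KEEP_LIST; do
    [ "$k" = "$1" ] && return 0
  done
  return 1
}

# review_candidates
#   Reads pm output on stdin and prints the packages that live on a read-only
#   partition and are not in the keep list: the ones a plain `pm uninstall`
#   refuses, but `pm uninstall -k --user 0` can remove for the current user.
review_candidates() {
  while IFS= read -r line; do
    [ -z "$line" ] && continue
    set -- $(classify_line "$line")
    part=$1
    pkg=$2
    case $part in
      system|product|vendor)
        in_keep_list "$pkg" || printf '%s\n' "$pkg"
        ;;
    esac
  done
}

# removal_commands
#   Turns the candidates into adb commands. They are printed, not executed,
#   so the list can be reviewed before anything is touched on the device.
removal_commands() {
  review_candidates | while IFS= read -r pkg; do
    printf 'adb shell pm uninstall -k --user 0 %s\n' "$pkg"
  done
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_PM_OUTPUT" | removal_commands
```

Packages under `/data/app` are ordinary user installs and can be removed with a normal uninstall, so the script leaves them out of the candidate list; everything it does flag should be checked against the device's own documentation before the printed commands are run, because removing a system package the OS depends on can leave the phone unusable.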


This. In fact this is quite common in Chinese domestic market phones too. E.g., the Vivo branded phones (Vivo is a subsidiary of BBK, which is also the parent of Oppo and OnePlus) are generally targeted at the domestic market and use FuntouchOS, which has arguably adware/spyware built in at the OS level. It's also impossible to flash a custom ROM as it has a locked bootloader.


I hope people remember when Kindles were possible to be bought with burned-in ads for cheaper.


I too hope people remember that, because it was the case one minute ago. You save $20 or so by having ads on your Kindle when it is sleeping. The ads are not burned in, they are delivered via WiFi the same as other Kindle content. I don't see the problem with it.


You can also go into the settings, pay the extra $20, and turn them off.


In which case the buyer knew what they were getting into, yes?


Is this too much different than the unremovable malware found preinstalled in high-end smartphones sold in the US? Even big brands like Samsung are riddled with insidious malware these days, all which you consent to when clicking through the registration screens.

We need regulation banning all this. Will never happen since malware benefits those who crave endemic surveillance.


That's not "malware". Adware maybe, but malware does assume something more ... malicious. Asking for consent is annoying, but we are talking about stuff that doesn't ask for your consent.


People keep focusing on how these Chinese phones have malware and are being used in the West, but I tend to believe that is more of a nice side effect; the real purpose is for China to keep a tight leash on those inside its borders. I mean if we think about it they have to monitor, surveil and keep in check more people than the entire US and EU combined.


Yep, people keep buying Chinese phones without thinking. How does the government allow them to be imported?


...and on high-end smartphones too, arguably. Consider how difficult it would be to remove from any smartphone any piece of software that you as a consumer don't want (e.g., baseband firmware, call-home components, data-collection services, etc.).


Is it really unremovable? What about flashing custom AOSP build?


This assumes you can unlock the bootloader and make an AOSP build.


Sure, why don't you buy these, figure out how to do it, then publish easy-to-understand instructions for the average purchaser to follow. Thanks!


"Requires domain knowledge" is not the same as "unremovable," so it's a valid question.


That’s a needless distinction for the vast majority of users. I imagine anything is removable with enough domain knowledge and the right equipment.


"with enough domain knowledge and the right equipment" you could just build your phone from scratch.

Without specialization and trust, there would be no economy, and humanity would be immeasurably worse off.


Once one person knows how to do it, they can document and even automate the process, then other people don’t need to have any domain knowledge.


This may be the dream but is not and has not been the reality of rooting phones and flashing them with custom software.

It's ugly, it's error-prone, and the software that attempts to simplify it doesn't and is of unknown trustworthiness. A very unhappy path.

Absolutely not a reasonable option for the typical user, and an even less reasonable expectation that they should do it or should have known to.


There's no malware here that I can see, simply an auto-update mechanism that could theoretically be abused, like every auto-update mechanism (Chrome, Windows 10..)


I pretty much consider all auto-update (and telemetry, for that matter) mechanisms that I can't disable to be malware.


The Department of the Interior made disabling all phone-home (including auto updates) a condition of their DJI drone buy,

and cautioned that the level of testing they need to do for future updates is a large expense of the project.


Actually unremovable, i.e. unrootable and with a locked bootloader? That's pretty bad. On the other hand, when I looked into the Android community a few years ago, it was almost "common knowledge" that a lot of the cheap and unbranded ones come with preinstalled crap, but they're unlocked by default and easily rootable so you can remove it, and there's various guides on how to do that and make a custom ROM.


In my opinion, the prevalence of software that I consider to be malware has become so extreme that I don't consider any smartphone to be safe enough to use anymore.

Although I'm marginally OK with my current one (an antique that I have a google-free ROM and a lot of security installed on), it will probably die within the next couple of years. At or (hopefully) before that time, I'll have completed my move out of smartphones entirely.


The PinePhone will be launching soon, and you could install any flavor of mobile Linux you want if you are still interested in owning a smart phone: https://www.pine64.org/pinephone/


Yes, I've already investigated the PinePhone. I have nothing against it -- there are a great many things about it that are wonderful -- but I don't find it particularly appealing on the whole.

My escape plan is to use the dumbest feature phone I can find and also carry a pocket computer (running standard Linux) that lacks cell capability.


Why not combine those two into a Cosmo Communicator or its predecessor Gemini PDA?

I'd love to get a Cosmo but I'd hate to carry it around everywhere due to its bulkiness. I guess that might be your concern as well.


Yes, it's much too bulky. I've also become very fond of the idea of keeping my compute and my cell physically separate. That's not really necessary from a security perspective as long as I can install my own copy of Linux on it, but the idea gives me warm fuzzies.


I thought malware was the business model of low-end smart phones. Random game company pays them to install their game on x000 devices. It's really a question of when, not if, those companies would ship malware. You can't imagine they are actually vetting any of that stuff they install.


I know one of the companies who ships the software embedded with privileges which then installs the garbageware apps (designated by the carrier). The garbageware apps are definitely not vetted to my knowledge.



