back to article So, EE. Who IS this app on your HTC M9s sneakily texting, hmm?

EE has assured a customer that a pre-installed app found on new HTC M9 from the mobile operator is simply anti-fraud software. However, both customer Barney Scott and an independent security expert remain unconvinced by this explanation, arguing that even if the app isn't malicious, it's at best badly designed and unwanted. …

  1. Kaltern

    I have it it too, it sent an SMS full of encrypted data to a US number, and didn't delete the SMS afterwards. It's an EE M9.

    1. Anonymous Coward
      Anonymous Coward

      I have it it too, it sent an SMS full of encrypted data to a US number, and didn't delete the SMS afterwards. It's an EE M9.

      It's time you filed a complaint with the Information Commissioner's Office then, for a very simple reason: this app disclosed personal information about you without your explicit permission. In case you're wondering what the personal information is, it's your mobile number.

      There have been various attempts at building databases of mobile phone numbers, such as the Facebook and Google messages that providing them with your mobile number would make your account "more secure" - the real gain is getting your number because it follows you everywhere. The reason they use an SMS is because that makes the number absolute instead of whatever you store in the phone (which you can deny access to).

  2. Irongut

    If this app is an anti-fraud measure designed to help when phones are stolen then how can it anonymise the IMEI and other data? Surely they need that data to identify the phone and subscriber.

    1. Indolent Wretch

      Database of hashes

    2. Terry Cloth

      Anti-fraud = denial of service

      To be effective, an an anti-fraud system must have a way to shutdown the ``fraudulent'' service. So if someone a) hacks the anti-fraud software, or b) the software generates a false positive, your phone dies. No thanks.

  3. Paul Shirley

    SMS not so stupid a choice

    SMS is harder to block than using data, that could be enough to justify use in a genuine security app. Would increase the chance of stolen devices managing to dial out before being wiped.

    Whether this is a genuine helpful app is the problem. Certainly looks incompetently programmed if it's leaving copies of messages around.

    1. JonP
      Black Helicopters

      Re: SMS not so stupid a choice

      Agree, I tend to turn mobile data/wifi off when I'm not using them, so SMS makes sense. Your remark about leaving copies of the messages around is a little worrying though - should we infer that some apps are programmed more competently?

    2. Anonymous Coward
      Anonymous Coward

      Re: SMS not so stupid a choice

      Especially when roaming...

  4. Vimes

    Using a foreign company for purposes internal to the network isn't new.

    Not so long ago some telcos were using Bluecoat for their filtering system. Bluecoat is based in the US and even when the filtering is switched off the websites were still receiving shadoow requests from Bluecoat IP addresses in the US.

  5. Stuart Elliott

    Sign on the door.

    "It’s simply not correct to say that customers are not informed, it’s explained in the contract people sign."

    Beware of the leopard!

  6. Anonymous Coward

    Stock Rom

    (clickty...googling for stock rom..*enter*...voilá!)

    (After 10-20 minutes...) Done!

    I do it to all my new phones under warranty. After that, it's mine baby!

    1. Ben Tasker

      Re: Stock Rom

      If you look at the link to the forums, the guy apparently tried putting a stock ROM on there and it re-appeared. They've (at least in some cases) made it persistent by sticking it on a separate partition.

      Some flashing your ROM isn't necessarily a defence against it.

      1. Wzrd1 Silver badge

        Re: Stock Rom

        Or, there's a carrier push when the version/checksum is "wrong".

    2. Anonymous Coward
      Anonymous Coward

      Re: Stock Rom

      I simply don't buy any carrier-branded phone...

  7. Velv

    "It’s simply not correct to say that customers are not informed, it’s explained in the contract people sign."

    Really? Just been through the T&Cs on the website and couldn't find it (although I didn't use a fine tooth comb, so I'm happy to be corrected, and if it's that hidden, it probably breaches the rules on fair conditions within T&Cs). Or perhaps there's a special contract for the HTC

  8. wolfetone Silver badge

    Barney should speak to his brother Barry Scott. He's good at making this go away.

    1. wolfetone Silver badge

      THINGS, not this. F**king auto correct.

    2. VinceH


      Okay, so it's not quite as powerful as the icon... ;)

  9. Anonymous Coward
    Anonymous Coward


    The EE version of the Xperia Z3 I received also included the non-removable adware (although not the dodgy-sounding "fraud prevention" app). Fortunately I was previously familiar with Flashtool and XperiaFirm utilities so was able to upgrade my handset to "Generic" non-carrier firmware with a different set of pre-installed software, but fewer non-removable apps (mainly Vine/Facebook if memory serves). I was then able to remove the EE pre-installed software. No root required as it's official software.

    Is there a similar tool for HTC?

    1. Wzrd1 Silver badge

      Re: Crapware

      You'd have to check with GCHQ to find out, but probably.

  10. TonyJ

    They're lucky

    My wife and son can't seemingly send any text or imessages from either of their EE handsets at the moment!

    I don't have the detailed information to hand at the moment but they would appear to have started to exhibit it at the same time over the weekend.

  11. Anonymous Coward
    Anonymous Coward

    If you think ..........

    ...... that the only thing your Smarter-Than-U phone is doing is calling home to China you'd better learn to look again. How about you develop a skill called MITM and watch what your phone really does. As in YOU ARE ALREADY PWN'd!!!!!!

    POST /userlocation/v1/reports/1605150082?devicePrettyName=SAMSUNG-SM-N900A........








    1. Wzrd1 Silver badge

      Re: If you think ..........

      You do know that googleapis is part of Google, in the US, right?

      Google, who sells Google appliances to three letter US agencies.

  12. holozip

    I also discovered this recently, exactly the same means - dodgy SMS stuck in my outbox. I spent some time pulling it apart and am less than impressed. They set the initialisation vector for AES (used to secure messaging) to all zero's:

    That's the secure way to do encryption, right? (note, it's actually used that way, the 'default' isn't over-ridden later)

    The American company is AbsoluteSoftware (

  13. Terry 6 Silver badge

    Where it ends

    From go, it seems, we've allowed the makers and sellers of smart phones to supply them stuffed with what ever sh*t they have wanted to impose on us, that could not be removed by ordinary users.

    Installing crapware is a time(dis)honoured practice in computers.

    Making the stuff unremovable is a different matter. If we wanted the stuff we would not try to remove it. But this hasn't been seen as a good reason to stop them locking it into the devices.

    It's like buying a house and being told that we couldn't change the curtains or empty the wardrobes.

    1. Wzrd1 Silver badge

      Re: Where it ends

      In the US, those are called Homeowners Associations.

  14. Captain Queeg

    Haven't we seen this kind of thing before?

    ISTR an outage at Apple that caused loads of IOS devices to fail to authenticate on to wifi because devices couldn't talk to a broken page somewhere within

    Spurious outward comms always concern me.

  15. davenewman

    My £50 Chinese 4G smartphone has no crapware

    They are too cheap to bother to install anything other than standard Android on BluBoo phones. They just make them as cheap as possible (for a fast 4G phone with limited RAM).

  16. Shadow Systems

    Just wondering...

    1. Does anyone have their Contract handy to go over & search for where it says you've agreed to such conditions? If your contract does NOT, in fact, state that your phone will contain such "security" then return the machine as compromised & *KEEP RETURNING IT* until they provide one that isn't thusly "enhanced".

    2. I'd like to know what would happen if someone over there went into a store to buy such a handset, got right up to the point of handing over the cash, & then asked quite plainly "Does this phone contain any software that contacts a corporation outside of the EU?" If they say no then pimp slap the putz with a copy of this article & call them liars to their face. Bonus points for handing copies of the article to all the other customers on your way out. If they say that it does, ask *exactly* whom it contacts, why it does so, what data it transmits, & how it pertains to your Privacy Laws governing the dissemination of PII. If they can't or won't answer, slap them with the article & call them something nasty.

    3. If you already have one of these phones, is it possible to return it to the store & ask them to remove the unwanted software? If you claim that the application keeps locking up the phone & stopping it from sending/receiving text/calls & you want it removed, then wouldn't they have to remove the broken software or else replace the unit as defective? Because I'd stand there at the counter, unwrap the fresh phone right there in front of them, fire it up & see if that app tried to phone home. Sudden appearance of a text message in the outbox you can prove you didn't make? Oops, sorry but that's a Defective Device & I'll need another one. Lather, rinse, repeat. Until they either provide you with a phone that doesn't do it or they refund all your money &

    tell you to GTFO of the store.

    Don't mind me, I'm just a Creatively Vindictive Bastard & would love to be on that side of the Pond so I could make some poor CounterSchmuck's life a little miserable by making them admit that the phone is compromised, they're screwing us over, and we can either Like It Or Fuck Off.

  17. Alan Brown Silver badge

    a few issues

    1: EE's contracts say "you must accept all terms and conditions", then bury this deep in the fine print.

    "Unfair terms in consumer contracts 1999" kicks in - and the fact that they don't have a severability clause means that if the contract is voided they can't recover the phone.

    2: Computrace is spyware - unauthorised and foisted on everyone. It phones home and EE/samsung are engaging in a mutual fingerpointing exercise.

    Being unauthorised spyware it falls foul of both the Misuse of Computers Act _and RIPA.

    3: Absolute Software (the people who make computrace) make it clear that it's supposed to be installed by device owners.

    I could see someone who wanted to make serious trouble for EE demand its removal and then file criminal charges when they refuse to do so.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like