Malware infecting Androids somewhere in the supply chain Smartphones from Samsung, LG, Xiaomi, ZTE, Oppo, Vivo, Asus and Lenovo have been spotted sporting malware they apparently carried when they were shipped. The malware discovered by Check Point Software Technologies included info-stealers, ransomware like Slocker; Loki, which shows “illegitimate advertisements” to generate …
Let's not forget that when Apple declined to assist the FBI in unlocking that infamous iPhone the FBI was able to do so anyway with help from elsewhere. My point being that irrespective the device there will always be a method for the determined to gain access and don't be fooled by claims to the contrary from the manufacturer...
What the heck does Android phones for sale with built in malware have to do with the FBI paying an Israeli firm a million bucks to break into an iPhone running a older version of iOS and older less secure hardware?
No one broke into these Android phones to install malware on them. They were brand new, and had no passcode or any other security enabled. That's one advantage Apple has, they have much tighter control of the retail chain than any Android OEM. Not that this sort of thing would be impossible, someone could unbox them, jailbreak them, and pre-install crap for you, but the bar is a lot higher.
I have had a few iphones and a few android phones. I like Android better.
I develop for both platforms and so try and keep them in pretty much factory standard mode to be as similar as possible to target devices.
However, the fact that Android is open source is the opposite of dumb, because i can (if i choose to) root my phone and install android from scratch and be sure that it is secure. I am more and more tempted to do that despite mostly just using my phone for email and games on the move.
I'm not sure how giving me the opportunity to look after my own security and not have to rely on Apple's lawyers is a dumb thing.
It isn't about you. Sure, _you_ can root and re-install Android from scratch, and be secure thereby, but there's a common expectation, among the billions of purchasers of consumer goods that what they get on opening the package is what was put there--exactly, deliberately--by the manufacturer. And, let's not pretend that even single-digit percentages of those consumers are anything but completely copeless (and kept so) with regard to the words "appropriate technology". Which seems to be what has been applied here. Shame on the manufacturers for not having seen it coming and done something to prevent it, but that is the ever-devouring markets in operation...
That's the theory.
In practice, do you have the time and the know how to check hundreds of thousand of files for integrity and hidden malevolent code?
Even being a formidable programmer doesn't mean you can spot highly technical security fails and/or devious code written by people with time and means to not appear as suspect.
Assuming you do, can you spare the time, each and every time a file has been changed in the Android repository ?
Google do alot to protect their platform. You need to stop listening to scareware vendors on the Internet. Seriously, would you trust these companies to provide any security products, given their marketing tactics? I wouldn't,,,,
https://i.kinja-img.com/gawker-media/image/upload/s--DCQ3tMp2--/c_scale,fl_progressive,q_80,w_800/193dtvab4yyfmjpg.jpg
Jesus what is it with you idiots thinking vulnerability counts mean anything? Linux distributions include a far wider range of software than Windows does, so of course they will have more security issues. Plus there are multiple distributions, so the same issue will be reported multiple times. You would need to include Windows with Windows Server, IIS, SQL Server, Exchange, Office, Outlook, Skype plus a bunch of third party software to equal all the things that ship as part of RHEL.
As for iOS, Apple is the ONLY company that reports every single security issue they fix to get a CVE number assigned - even issues they discover internally. Read Android's release notes next time and note all the security issues that get fixed without a CVE number. All of Apple's security fixes include a CVE number, so their count is artificially much higher.
Even without that, there are plenty of ways to count things. You could discover 12 bugs in a single component, and if they are reported all at once, get a single CVE that covers them all. Or you could file them all separately either deliberately or because they weren't all discovered at the same time, and end up with a lot of CVEs assigned for the same component that has a common fix.
Used to love smartphones had many early HTC XDA's - no complaints. Now though, I just use a $20 disposable phone. Amazed more people haven't rebelled against the tech that's selling them out. For example, if the phones are used for something standard like online banking etc, who will be liable?
Amazed more people haven't rebelled against the tech that's selling them out
"More people" would be the people that don't give a fsck about anything as long as their social network and fruit-bursting games still work. These'll be the same people that also don't give a fsck about Vault 7 and the Snoopers Charter.
(SWMBO managed to get my last one crushed - dont ask).
At least reflashing the ROM is easy, and usually the first thing I do when a new phone arrives, as they never seem to update the ROMS they install at the factory - so it can be several patched versions behind when I get my sweaty hands on it.
Xiaomi Fanboi - that's me.
I managed to not notice it dropping from my pocket into the office waste paper bin - on bin collection day; and she managed to not notice when changing the nearly empty bin bag 10 minutes later.
By the time I realised my phone was not in my pocket - and tried to ring it and follow the ring tone, it was already crushed and dead in the back of the rubbish lorry.
Gutted, it was my Christmas present to myself, and I had a few photos of my daughter being really cute that I hadnt uploaded to my NAS that day.
REALLY gutted; it was only a few days outside of the cover you get for Credit Card purchases.
No, probably not them, considering the rather commercial nature of the malware concerned. Instead, it is probably some corrupt SOBs who are involved in moving the phones from the OEM to the carrier's store, and some scammer/spammer scum who agreed to slip them a little on the side in return for placing the desired malware on the devices in transit.
But if it were a sigint operation...
"NSA, CIA, GCHQ all like to brag about their access to the supply chain, right?
No, probably not them, considering the rather commercial nature of the malware concerned."
--------
'Lets make it look like ad-revenue stealing malware so we have plausible deniability' - NSA and CIA manual page 125
Jokes aside, we know from document leaks that they will use foreign language in code and make fake username/Desktop directories in such a way as to avoid attribution. As much as you might think this is not state sponsored, this would be the perfect way to disguise the fact if it was.
Probably is them. Consider all the corrupt law enforcers that have been arrested for criminal actions. Now consider the dick perves who get an ego rush out of spying on people. So whilst they are corruptly hacking phones for thei corrupt government would they hack some phones for themselves, hmm, let me think, YES.
Especially considering the cover they would get from their own government because they can not exactly publicly prosecute them, without prosecuting themselves. Now add contractors into that toxic mix and it will and likely does spread pretty widely.
"Instead, it is probably some corrupt SOBs who are involved in moving the phones from the OEM to the carrier's store, and some scammer/spammer scum who agreed to slip them a little on the side in return for placing the desired malware on the devices in transit."
I'd have thought it more likely someone in the telco/retailer responsible for localising/branding the phone from factory defaults. They have the tools and the access and it's probably outsourced to a 3rd party in China/Thailand/Taiwan/India etc.
It shouldn't be that hard to track down the guilty party. That's a lot of devices, there must be a common source or we'd see this popping up everywhere.
It sounds like they were targeting a specific company, probably for corp. espionage.
(Collecting personal information from the phones, for a password hack on the corp. network)
Alcatel Onetouch POP2 45, defective out of the box.
Had endless trouble with popups, excessive bandwidth use etc, even put Kaspersky on it but all that did is slow the phone down even more.
This particular unit seemed to have fakeflash as well, as it only let you use 1GB of the internal memory
yet it had "2.97GB free".. yeah right.
LCD later failed for good measure so I gave it up as a lost cause.
Hint: if anyone wants it for forensics purposes and has a somewhat working screen unit with good cable feel free to send it in my general direction!
This post has been deleted by its author
The amount of shite that network/operator supplied devices come with pre-installed (uninstallable and in some cases undisable-able) you could smuggle a forest of malware past the average user.
"What's this app for ?"
"What's that app for ?"
Oh look, there's an app with the operators logo. What's that for ?"
In years to come, one of the sever ages of man will be when he gets fed up of network/operator locks and cruft, and buys a plain unlocked phone as standard.
The Android OS comes designed so that the user has no control of the software that has been preloaded on their own machines, whether they like or want it or not. This is overtly cynical. The software sits on your device without your having any choice in the decision.( A model that MS seem to like enough to have emulated BTW). This is, and always was wrong in principle. It takes choice away from they consumer and forces software on them. There are big leaps from just having a pre-installed inbuilt unremovable OS that users choose to buy into, to preinstalled OS with unwanted and undeclared software bloat to inbuilt OS with unremovable software bloat.
Making it unremovable is no different from saying that "we're going to make you have it, whether you like it or not." Because, if we wanted it we wouldn't want to remove it.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
