Exposed: Chinese smartphone farms that run thousands of barebones mobes to do crime

Chinese upstarts are selling smartphone motherboards – and kit to run and manage them at scale – to operators of outfits that use them to commit various scams and crimes, according to an undercover investigation by state television broadcaster China Central Television (CCTV) revealed late last week. The report shows what …

  1. abend0c4 Silver badge

    1,000 smartphones all hard at work

    Doesn't China require ID and registration to purchase a SIM card? It would seem difficult to manage this - and the subsequent top-ups - at scale.

    1. Lord Elpuss Silver badge

      Re: 1,000 smartphones all hard at work

      You don't need a SIM to post comments or place fake orders...

      1. abend0c4 Silver badge

        Re: 1,000 smartphones all hard at work

        The thing is, you don't need a phone either - you can, in principle, do it with any computer. And if the only route to make the comment or place the order is via an app, there are plenty of cheap Android TV sticks and several phone emulators out there, too. I'm trying to work out the USP of this solution.

        PS: Not my downvote.

        1. cyberdemon Silver badge
          Devil

          Re: 1,000 smartphones all hard at work

          Presumably many things in China are app-only and have no web alternative, and the app is a slurpy one that will ban you if it thinks it's in a VM

          That or when you have such cheap hardware and cheap hardware engineers, nobody thinks of running android in a VM

          Also worth noting that these things probably have network via USB-C as well as power, video and input. So they don't all have to be on WiFi/cellular unless they need to be, to pick up a verification SMS message

        2. iron

          Re: 1,000 smartphones all hard at work

          > cheap Android TV sticks

          Even an expensive Android TV can't run all the apps an Android phone can run. By using stacked phone motherboards they can run any Android app. Since they don't need case, screen, etc and are probably buying from the back door at the OEM they are probably just as cheap.

      2. An_Old_Dog Silver badge

        Re: 1,000 smartphones all hard at work

        @Lord Elpuss: if they're just using the cellphones via wireless as web browsers, why bother? Why not just run a cloudy, low-spec, virtual PC for that?

        1. AVR Bronze badge

          Re: 1,000 smartphones all hard at work

          Some of them are, according to the article. Perhaps there's some advantage to being clearly detected as a phone by web browsers, or perhaps racks of 20 cellphones is just a passing phase

      3. low_resolution_foxxes

        Re: 1,000 smartphones all hard at work

        Hmmmm, not sure if that's 100% true. A significant amount of accounts are run through WeChat in China..are they farming WeChat accounts?

    2. martinusher Silver badge

      Re: 1,000 smartphones all hard at work

      Not just China these days. I think those halcyon days of just going to the hotel vending machine and getting a SIM along with a snack are well behind us (....and that was in the UK).

      1. MachDiamond Silver badge

        Re: 1,000 smartphones all hard at work

        "I think those halcyon days of just going to the hotel vending machine and getting a SIM along with a snack are well behind us (....and that was in the UK)."

        Then it's down to the corner shop for same. It's handy to have a "burner" SIM when traveling to a different country. You get a local number to use while there and that's often less than the 30 days it might be good for. If you are bouncing across the Atlantic, you don't want calls on one side finding you on the other. The bills could become rather astounding.

    3. Kevin McMurtrie Silver badge

      Re: 1,000 smartphones all hard at work

      Laws don't apply if the victims live outside China.

  2. trevorde Silver badge

    Let's remember the real victims here

    All those smartphone motherboards who will never feel the loving embrace of a plastic shell; who are forced to work 24/7 in hot, cramped, overcrowded conditions; who will never see an Android system update in their miserable lives; who will be callously recycled when they are no longer useful. These are the real victims here.

    1. aerogems Silver badge
      Coat

      Re: Let's remember the real victims here

      They'll get their reward when they go to Silicon Heaven.

      1. _Elvi_
        Joke

        Re: Let's remember the real victims here

        HHm.

        I've been to Silicone heaven..

        Twas nice, bouncy.. warm, cuddly.. Possibly not what we are talking about tho?

        1. aerogems Silver badge

          Re: Let's remember the real victims here

          That's silicone heaven. Silicon heaven is where all the calculators go.

          https://www.youtube.com/watch?v=lm6YnAqPv4w

      2. the future is back!

        Re: Let's remember the real victims here

        Yes, of course they will be heavenly rewarded for being so Virtuous. I will show myself to the door now.

  3. Doctor Trousers

    Could the advantage of using physical phones be to do with Google Safetynet verification, which would likely fail for Android apps running in a VM or in emulation?

    1. JimmyPage

      Only if it wasn't making money for Google.

      1. Doctor Trousers

        No, I mean that whatever apps these phones are attacking/manipulating/defrauding/whatever might be apps that make use of Safetynet, or some other security features, to ensure that they can't be run on anything other than genuine devices, with official, unmodified firmware and locked bootloaders. That is likely why they're using racks of physical phones rather than VMs or emulators.

        1. matjaggard

          If I was creating a mechanism for detecting a phone being a real one, I would rely on things that are not easily faked like enough entropy in the tilt sensor readings.

          1. doublelayer Silver badge

            The harder it is to fake, the harder it is for you to determine whether a real person is real. If you're looking for entropy, I can replace the tilt sensor chip with one that fires off random numbers from a certain formula. You have to develop increasingly complex heuristics to detect that, and my chip can advance as well. In the meantime, your real users will be doing all sorts of stuff with their phones which will generate different levels of tilt action. If you're not careful, you'll eventually refuse some of them for not moving enough or moving so much that you think it's a fake chip.

            There are some methods that can work a little better, but the more reliable they are, the more likely they are to be invasive and annoying to your users. For example, you could use the phone's camera, have them scan their face, and have them perform a series of actions you print on the screen using graphics that change a lot so they're not easily scripted but the human eye can easily distinguish. This will keep out a lot of bots, but it will also keep out a lot of users who cannot (E.G. movement problems, vision problems) or don't want to perform an odd validation dance to use your app. The simpler you make the methods, the more likely someone is to be able to automate it.
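An added example, not part of the original comments: a minimal sketch of the tilt-spread check discussed above, run over constructed traces to show why a single threshold band is a weak signal on its own. The band limits, trace shapes and all names are assumptions made for illustration.

```python
import math
import statistics

LOW_DEG, HIGH_DEG = 0.5, 15.0   # assumed acceptance band for tilt std-dev (degrees)
N = 200                          # samples per constructed trace

def lcg_tilt(seed, n=N):
    """Stand-in for a formula-driven sensor: LCG values mapped to 25..35 degrees."""
    out, x = [], seed
    for _ in range(n):
        x = (1103515245 * x + 12345) % 2**31
        out.append(25.0 + 10.0 * x / 2**31)
    return out

# Constructed traces: name -> (tilt angles in degrees, is_real_user)
TRACES = {
    "rack_board":   ([0.01 * math.sin(i) for i in range(N)], False),
    "spoofed_chip": (lcg_tilt(seed=42), False),
    "desk_phone":   ([2.0 + 0.02 * math.sin(0.3 * i) for i in range(N)], True),
    "handheld":     ([30 + 4 * math.sin(0.2 * i) + 1.5 * math.sin(1.3 * i)
                      for i in range(N)], True),
    "jogging":      ([30 + 35 * math.sin(0.9 * i) for i in range(N)], True),
}

def verdict(samples, low=LOW_DEG, high=HIGH_DEG):
    """Classify a trace by the spread of its tilt readings alone."""
    spread = statistics.pstdev(samples)
    if spread < low:
        return "too_still"
    if spread > high:
        return "too_erratic"
    return "plausible"

def score(traces=TRACES):
    """Return per-trace verdicts plus the real users refused and fakes accepted."""
    results = {name: verdict(s) for name, (s, _) in traces.items()}
    false_rejects = sorted(n for n, (_, real) in traces.items()
                           if real and results[n] != "plausible")
    false_accepts = sorted(n for n, (_, real) in traces.items()
                           if not real and results[n] == "plausible")
    return results, false_rejects, false_accepts

if __name__ == "__main__":
    results, false_rejects, false_accepts = score()
    for name, v in results.items():
        print(f"{name:13s} {v}")
    print("real users refused:", false_rejects)
    print("fakes accepted:   ", false_accepts)
```

On these traces the check refuses two of the three real users and accepts one of the two fakes, which is why sensor spread is better treated as one weighted input to a risk score than as a gate.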

          2. Doctor Trousers

            sure, but talking non-theoretically, there definitely are a whole bunch of apps and games, out there right now, which do make use of google safetynet to ensure that they can't run on devices with modified, rooted, or non-official firmware. in some cases, even just unlocking your bootloader, so as you can unbrick your device by manually flashing the unmodified official firmware, is enough to stop these apps working. we're talking a whole bunch of banking apps, streaming apps, online games with microtransactions, even some apps where there's no clear reason why they would prevent them running on modified firmware.

            I can guarantee you none of these apps would work in a VM or in emulation, and it is really not easy to fake or bypass. there is a constant arms race between app developers and the people who develop things like magisk modules for bypassing Safetynet, and still there are always apps that just can't seem to ever be forced to work on a modified phone.

            so if you were going to run a bunch of instances of these apps, for example to farm in-game currency, or manipulate streaming stats, the way to go would definitely be to bulk buy a bunch of phone motherboards. they're probably not even that expensive if they're from discontinued devices, it's the screens that keep their value.

  4. MiguelC Silver badge

    On John Oliver's recent show about pig butchering scams you could clearly see those data centres and their phone skeletons racks

    1. Anonymous Coward

      timestamp?

  5. PM.

    SaaS..

    Scam as a Service

    1. aerogems Silver badge
      Trollface

      Re: SaaS..

      Isn't that what most SaaS is already?

  6. aerogems Silver badge

    Horrified & Impressed

    I frequently find myself both horrified and impressed, in equal measures, by the Chinese. This is one such example. What they're doing is actually quite impressive from a technical POV, but is less so from almost any other POV.

  7. steelpillow Silver badge
    Joke

    Sheesh!

    Meiko shouldn't have packed an array of INMOS Transputers into a "computing surface", they should have used them to launch the smartphone!

    I wonder how they compare in Yen per Teraflop with a similar array of Raspberry Pis at 1/10 the price.

  8. Anonymous Coward

    Doesn't this seem like a highly inefficient way of achieving the endpoint?

    1. doublelayer Silver badge

      That's the subject of most of the discussion in other threads, and for a lot of possible tasks, yes it really does seem inefficient. However, if there is a task that requires a phone, there can be a few reasons why this would be the most efficient option. The obvious reason is if you need to use cellular connections. If you need active phone numbers, you can't do that with a typical server, and the hardware that allows you to connect one SIM, let alone many SIMs, to something that's not a phone tends to be more expensive than just getting the motherboards out of the cheapest phones that aren't selling and using them. The theory is that Chinese dictatorship-linked tracking of phone numbers would make that difficult, but their repression might have some bugs that allow an organized criminal to get phone connections easier than we think.

      The other option is that they're using some app that doesn't make it very easy to do anything outside the app. I'm imagining something that has no web interface available, no desktop access method, and actually secures the network communication so you can't inspect the traffic, reverse-engineer their protocol, and poke their API directly. The discussion has considered the ways you could virtualize Android, but in my experience, many of those are limited in some crucial ways, such as being easily detected by applications running in it, missing important system services, or just unstable in the first place. That could make buying cheap boards more reliable than trying to virtualize it, especially if they end up being as expensive as the server you're using. The article's quoted prices are about that of a mid-range desktop, so if you know a good Android VM, how many do you think you could run simultaneously on that machine before running out of CPU or RAM (I'm thinking RAM is probably the worse one, but it's also the cheaper one to fix). If you do know a good Android VM, I'd be interested to hear which one it is, because I've been relatively disappointed with the ones I've seen.

      1. MachDiamond Silver badge

        "The obvious reason is if you need to use cellular connections. If you need active phone numbers,"

        That's the rub. Often you don't need to go through a cellular service since many phones will work via wifi especially for data. If necessary, the phone can have a SIM with a duff number since it won't be required to access a cellular network that would reject it. The unique IMEI and other numbers will be what matters. If the phone will work via wifi, it will work through a hardline connection so you wind up not broadcasting incriminating radio waves. Even reused IP addresses aren't a problem. If each rack of 20 phones has one IP number, each phone in the rack is doing something discrete from the others. Perhaps it's not a problem to have 2-3 phones with the same IP number since that's what might happen with an internet cafe/public access point. So 2 phones in one rack are posting fake Amazon feedback and another couple are building up eBay accounts. Each rack allocates a certain number of phones per task multiplied by as many racks as a firm wants to run so there's an array of IP addresses being reported.

        1. doublelayer Silver badge

          What I meant was if the phone needs to act as a phone, I.E. sending or receiving calls or SMS messages, which can't be done without a valid number. That is an obvious reason to use phones themselves. If you're just sending calls, VOIP services seem to work well enough, but if you're doing something that uses SMS 2FA and requires unique phone numbers, that could be one reason why you would need a bunch of SIMs and a bunch of devices capable of using one. This is only one possibility, and for the reasons in my first comment there's reason to wonder if they're actually doing it, but that would not work just with a network connection over USB.

          1. MachDiamond Silver badge

            "What I meant was if the phone needs to act as a phone, I.E. sending or receiving calls or SMS messages, which can't be done without a valid number."

            I've had that issue. Any company that requires their services to be accessed with a phone and won't work with a desktop/laptop is being silly. I used to have text/messaging disabled at my telco, but my new provider won't do that. For me, all of it is a waste of time. It's only useful 2-3 times a year and I could work around that. I expect that companies could figure out how to manage 2FA things with just a couple of humans in the loop. Does the phone posting the fake feedback have to be the one getting sent the security code? If that's not a requirement, it's just a matter of coordination. It makes the process more expensive, but not impossible.

  9. mevets
    Coat

    Imagine....

    a beowulf cluster of these...
