38 comments

[ 3.1 ms ] story [ 81.8 ms ] thread
I assumed this was obvious. From my own anecdotal seeing, all three instances of cheap Android devices given to people via Lifeline, Assurance Wirleess had preinstalled stuff. It won’t go away even if you uninstall whatever BS. It’ll be back in a day or two. Slows the already weak phone down to a crawl sometimes.
It's a race to the bottom basically. When you can't skimp anymore on hardware you have to do so on software
A family member of mine has one of these. Of course, being a good grandson, I tell him to use it for phone calls only and never sign into anything. Soon after setting it up he started complaining that it was showing him ads; I was confused because he had barely touched it but turns out the phone has a hidden carrier “app updater” (read: remote installer) that had silently downloaded several adware packages to his device. It is outrageous that we push these devices to older, frequently technically illiterate people. There has to be a better system behind this than “we gave them a free phone, who cares if it’s actively unsafe to actually use”.
How much do these devices typically cost, e.g. to an end-user acquiring via the assistance programme?
Assurance Wireless has phones that are given to subscribers at no out of pocket cost. They also sell a number of current-ish phones. The free phones are carrier locked and the SIMs are locked so they're only usable in phones Assurance provides.
UNIMAX - is that's the same outfit which OEMed for DNS from recent news, and been caught doing the same in India, and few African countries?
Could you please elaborate what is meant by "OEMed for DNS"?
DNS is probably a typo of ANS (American Network Solutions). OEM is "Original Equipment Manufacturer", and "OEMed" means "we make the phone but put your brand on the phone so you appear to be the OEM".

So they seem to be saying UNIMAX may be the actual manufacturer of ANS phones.

Is this not a national security issue when looked at in a broader scope?

The Chinese company behind this seems to solely target the North American market and makes medical devices, IoT devices, and other things.

According to their homepage, their LA based office employs engineers from "United Bell Lab, Oracle, Motorola and other well-known international companies".

What else are they root-kitting? With this particular Android one they are freely able to brick devices at will, if it was ever necessary.

http://www.teleepoch.com/company.html

This is a national security issue, but I will tell you the most important thing I've discovered: talking about malware, especially when employed against the technically illiterate, as a national security issue will get you attacked online.

People either freak out and shoot the messenger (either because they misunderstand how deep the technical illiteracy goes amongst the aging population or they are a member technical illiterate aging population and resist any effort to be educated), or they directly profit from it (companies that are part of China's spy effort, domestic or foreign), or they're just so goddamned dense they give excuses like "well I've never seen it, so it doesn't exist".

Also, as a side note: we probably should start considering advertising platforms a form of malware as well. Given how many systems run a WebView to display their content, and ad systems run Javascript, and it's a pipedream to ever think Javascript in a browser can ever be made to be secure (even if all it does is leak metadata and perform tracking); ads are, fundamentally, a way to inject malware and should be considered a national security issue.

And yes, I'm aware two of the largest tech companies are ad platforms that have side gigs (Google and Facebook); I, frankly, don't care. If your business revolves around a criminal enterprise that is claimed to be legal purely because of a loophole, then you should go out of business once that loophole is closed.

> we probably should start considering advertising platforms a form of malware as well

Absolutely! They've been used as malware vectors numerous times in the past. One of infinite reasons to block them unconditionally and make no exceptions.

Are you saying advertising platforms revolve around criminal enterprise? And if so is that because of their reliance on untrusted code?
the advertising platform need not be willfully malicious - but given that their javascript bundles are injected across hundreds of the largest websites, they make themselves valuable targets. If I wanted to distribute malware I would hack taboola and let their servers do the work for me.
Yet that seems like malicious actors orbiting big platforms and not the other way around.
You're right, but I also think that lets the ad networks off the hook too easily for something they really could do more to combat if they felt like it.

Maybe there's a useful analogue in tort law: https://en.m.wikipedia.org/wiki/Attractive_nuisance_doctrine

You've got a thing, and your thing is fine, but negligently allowing others to harm themselves (or in this case, third parties) with said thing can be a problem.

For instance, an ad network could decide to serve only static content and not accept any third-party js, greatly reducing the odds of someone coming along and using the network as a vector for malware. But the network has no incentive to do this because they make more money the other way. If they're made to cover some of the externalities of their product, they gain an incentive to not serve malware.

Running an ad network that accepts and distributes dynamic content is like leaving loaded firearms scattered around your property (in a jurisdiction without special safe-storage laws, I guess - the analogy isn't perfect).

They already do. Online advertising was infamously a race to the bottom, so much so that even in the early 2000s we were complaining about how risque and insane advertisements have gotten. 20 years of big-tech lobbying, Chrome dominance and Javascript adoption hasn't made the business any less criminal.
> talking about malware, especially when employed against the technically illiterate, as a national security issue will get you attacked online

Perhaps because "national security" tends to involve a foreign adversary?

Adverts and adware as we see them now would have been considered 'spyware' 15/20 years ago. It's worth re-watching the IT Crowd scenes where someone's got ads all over their computer and they don't see the problem with it but it's obvious to the protagonists / viewer it's malware. And then through that lens have a look at a normal person's computer or smartphone in 2020. It's very disturbing
You'd think the world would've stopped trading with the chinese by now.
(comment deleted)
“China’s opening strike in WWIII consisted of a decapitation attack in which the embedded medical devices used by a large fraction of the older political and managerial class were used to mass euthanize them via a software update…”
... Shortly after, the entire power distribution network destroyed itself, modern nuclear power stations came close to a meltdown, and any devices still left on bricked themselves or set themselves on fire.

If its any consolation, the intelligence agencies HN hates so much would respond with something similar.

Nukes aren't the only form of mutually assured destruction.

You’d think this would be good fodder for a class action lawsuit, no?
Against the chinese?
These Lifeline phones are sold, or given away, by major USA telecoms.

You would think they would be partially liable for malware on their phones?

They make money counting on low income Americans going over their free rate tier, and advertising.

In consumer law in the UK _sellers_ are responsible for what they sell.

This seems right as it means you can sue the seller, they can sue their supplier if they too were sold a product that didn't meet the description of what they were sold.

That way the seller, who can afford to spend on expertise to make sure products are up to scratch, bears responsibility.

It's not perfect, but it makes sense this way IMO.

It's the same in America
What tools should I use to dump filesystem from Android device and scan it for malware?
As far as filesystem goes, it depends if your device is rooted or not. Assuming nonroot, you could use adb to list then download all packages. This would provide copies of most apps. In many cases, these can be decompiled with apktool.

You could also use adb to pull other files, though not all, from the phone for inspection.

If it is not rooted you may not be able to see everything. And still no warranties that the bootloader isn't full of crap, but that's a bit more rare.
I see that Malwarebytes calls this malware and from browsing the comments, everyone here seems to agree.

What makes this malware while other pre-installed adware from other companies is just "built-in"ads?

Why does Google or Amazon get to "use ads to subsisidize their devices" while this company is using "pre-installed malware"?

Does this "malware" exfiltrate personal data in violation of a the privacy policy? What does it do (besides annoy the user and show ads) that is malicious?

Modern proprietary operating systems come with non-removable adware. That is the world we live in. I don't like. I don't use these operating systems. But they all do it.

what adware is preinstalled without consent?
One issue in particular that makes it malware is that it attempts to download 3rd party apps from non-Google Play store. That’s a major security risk for introducing malicious APKs onto your phone.
Given most Android phone and definitely bMS Windows regularly have third party bundled software I fail to see the difference here.

While there is malware distributed outside of Google Play, unless you can point to an actually malicious thing this software did, I have give it a pass.

Remember, the world has already decided that nonconsensual updates, ads, tracking, etc is normal if bundled with the OS and therefore not malware.