47 comments

[ 4.1 ms ] story [ 62.5 ms ] thread
Chinese brands always pull this stuff
I was possibly thinking of getting a Motorola with G.ràphenéOS when released.

Yeah, not now.

If an anti-worker company is getting fleeced, nothing wrong with that.

I hope motorola collaborates with Pine and brings linux to phones. In the age of LLM apps are obviously not a problem. (Hopefully windows Phone 7, not 8 also comes back)

> In further digging, we noticed that the URL the phone opens up is “kira-abboud.com,” a website that references fashion influencer “@kirasfashionfinds.” Notably, this exact URL isn’t listed anywhere on Abboud’s social media, and the affiliate codes don’t match up either. The redirect coming from Motorola phones is using Amazona affiliate code “sramz-kff-008-20” which is completely different from any of the codes we saw from links shared by Abboud’s accounts and linked websites.

Something funny is up; this doesn't seem deliberate.

Isn't this cookie stuffing? Same modus operandi using by Geo-something widget back in 2000s with hidden ebay affiliate links that got caught by FBI. Someone should go in jail for this.
I used to choose Motorola devices for a long time but since 2 years when I bought Edge 30 Fusion I started to notice they automatically (without my knowledge) add 3 stupid apps or games about two times a month :/ There is no way to stop it. My kids phones are stuffed with this sh*t.
Calling this "hijacking the Amazon app" is hyperbolic in my opinion. They replaced the shortcut in the app drawer. To me this looks like normal scummy OEM behaviour, like pre-installing spyware, "anti-" malware, adware etc. which sadly pretty much every mobile/computer manufacturer does.

Replacing the OS is one of the first things I do with every laptop, PC and mobile device to get rid of (most) crap that was installed without my consent.

That begs the question! Did they use a Sony rootkit ? XD
To think I was worried about buying a Xiaomi tablet while already using a Motorola.

Gonna flash a rom on the Xiaomi anyway, but all oems are doing this type of stuff.

This is really unethical, replacing original app shortcuts breaks trust.
The comments here say that all Android phone manufacturers do stuff like this. I have never noticed that kind of things on my Fairphone. But then again, I don't have many apps and certainly not Amazon.
Hmm, this thread and the reports of shady practices make me wonder if this will affect the partnership with GrapheneOS[1]. It seems that such things shouldn't really happen on a device where security is a top priority, whether intentional or not.

1: https://news.ycombinator.com/item?id=47214645

Is Motorola Chinese by any chance? I remember the Motorola company has been split to phones and the rest
I like the Stylus G better than most phones I've owned, but Motorola really needs to end its partnership with the offensive "Glance" ad platform. There should not be a third party app like that which keeps re-enabling and reinstalling on every update. I don't understand what Motorola would get out of a partnership with a scammy third rate ad market that would be worth pissing off so many of their customers, but maybe they have some high level corruption in the company.
I have a Motorola G70, so this is concerning. But its hard to believe that this is a deliberate action by Motorola. To me it seems more likely that an update was compromised. Still bad though.
Note that the smart feed "feature" is Taboola-provided adware[0] so it's par for the course. It's beyond comprehension Lenovo would trash the brand by shipping it on flagships.

[0] https://www.reddit.com/r/motorola/comments/1s61usi/edge_60_p...

You're flabbergasted that Lenovo would trash a sub-brand? Lenovo? The company who trashed their own brand with Superfish?
Lenovo also shipped a Superfish backdoor on their older computers.
I've a Xiaomi phone on which twice appeared obviously debug/hello-world notifications (something like "testtest111") from apps I've never seen or installed. Then another time all Xiaomi phones of close relatives started getting these cheap, spammy ads for Android games in the notifications, this time from some obscure system app: had to look up on reddit that there are settings that disable this specific behavior.

The degree to which I don't own my own device is insane.

This bodes well for the up-coming GrapheneOS cooperation..

Nothing screams "secure" better than app hijacking and url injections.

With the digital wellbeing app feature it is possible to set a timer of 0 minutes on all auto-installed and auto-reenabling apps to effectively disabling it for good.

Edit: the timer stays even after updates so the app is not enabled again

It is laborious to go through all the apps on a phone and dissable the default unessesary "open web link" feature on ALL the apps, but apparently it has some effect in reducing the "draft" from all the back doors
Think how bad the market got. Today we have preinstalled garbage apps like LinkedIn, garbage apps mandated to be preinstalled by the government, ads, cloud accounts, notifications spam, telemetry. This is not only Chinese smartphones, for example Samsung also plays this game. I assume there are Chinese backdoors, American backdoors and national government backdoors on almost every phone.

And there seems to be no way to buy a "free" smartphone without Google Services and telemetry below $250. Why 250? Because free OS have multiple bugs and issues and it is not rational to pay more than that.

I am considering two options, one, try to clean up and patch the firmware for a cheap smartphone (remove almost everything proprietary including Google Services, Unrusted Execution Environment, except for basic GUI and launcher), or two, port something like Lineage OS to my phone. Also I need to examine the network traffic and scan for potential weak points like SUID binaries. It is scary to think how much time I will have to waste for this.

Also, it is pretty stupid, in my opinion, to make an OS not based on Android, for example, use Qt for GUI, because there will be no apps for it.

Cheap smartphone path is harder and harder. Unfortunately the pixel series is easiest but comes in double they number for unlocking the bootloader and flashing lineage, etc.

Xiaomi has been ironically the pioneer in this field, but their phones are inaccessible in the USA assuming you’re USA based. The mediatek chipset also is more fun for this over Qualcomm.

Besides suid binaries, the radio firmware and subsequent radios for WiFi and Bluetooth do give out a lot of information and are open to exploitation.

The most opaque and privileged attack surface is often the modem/baseband and vendor diagnostic stack and allow carriers to process local side AT commands.

Qualcomm is more documented, though there are fun discoveries on mediatek I’ve made just using binwalk.

On that last point, GNOME/Gtk/Adwaita apps generally function really well on small screen sizes. The design language naturally suits it, and in my experience most apps will even make some layout adjustments where they're needed when resized to ~phone screen dimensions.

Anecdotally, out of the ~50 or so I have installed right now on my laptop, which covers the basic calculator/calendar/contacts/etc., and also things like file compression, torrenting, a Mastodon client, RSS reader, and so on, all of them are ready to use on a phone.

Alas, if only there was a (reasonably priced + fully functional) phone that could use them.

Buddy, there has been an un-removable Facebook app on literally every version of Android right from the very beginning. Not every handheld model for sure, but at least one model in every generation from the very beginning has had Facebook and other apps burned indelibly into the operating system.

Before we even had smartphones, your flip phone came with utterly indelible versions of Facebook and others.

And you'll be shocked to hear this I'm sure, but the very lowest level code that governs the radio in your phone is legally mandated to be managed by your service provider, and essentially always has been.

None of this is new. Not in the slightest. It's not even worse nowadays except that the apps themselves got more malicious. There aren't more baked in apps than before, and they aren't any more un-removable. The most important code on your device isn't yours, it never has been.

In the US DMCA provides "frigate harbor" for the the British consul, etc., etc. IF they've managed to get you to install the "app" instead of utilizing something preinstalled on the phone (a uh errr... web browser?). Potential law migrants banned by law!
Since Uber, Airbnb and Tesla, now every company thinks they can do borderline illegal stuff to make an extra buck.

What is next? Our banks selling our payment histories to the highest bidder?

Vertical videos converted to 16:9 are bad for your readers, Mr Senior Editor.

> Ben Schoon is a Senior Editor

Thank you so much for being not able to consume the screencast video in the article.