[HN Gopher] Unremovable malware found preinstalled on low-end sm...
___________________________________________________________________
Unremovable malware found preinstalled on low-end smartphone sold
in the US
Author : fortran77
Score : 66 points
Date : 2020-01-10 20:35 UTC (2 hours ago)
(HTM) web link (www.zdnet.com)
(TXT) w3m dump (www.zdnet.com)
| JohnFen wrote:
| In my opinion, the prevalence of software that I consider to be
| malware has become so extreme that I don't consider any
| smartphone to be safe enough to use anymore.
|
| Although I'm marginally OK with my current one (an antique that I
| have a google-free ROM and a lot of security installed on), it
| will probably die within the next couple of years. At or
| (hopefully) before that time, I'll have completed my move out of
| smartphones entirely.
| butz wrote:
| Is it really unremovable? What about flashing custom AOSP build?
| droithomme wrote:
| Sure, why don't you buy these figure out how to do it then
| publish easy to understand instructions for the average
| purchaser to follow. Thanks!
| kick wrote:
| "Requires domain knowledge" is not the same as "unremovable."
| rimunroe wrote:
| That's a needless distinction for the vast majority of
| users. I imagine anything is removable with enough domain
| knowledge and the right equipment.
| kop316 wrote:
| This assumes you can unlock the bootloader and make an AOSP
| build.
| droithomme wrote:
| Is this too much different than the unremovable malware found
| preinstalled in _high-end_ smartphones sold in the US? Even big
| brands like Samsung are riddled with insidious malware these
| days, all which you consent to when clicking through the
| registration screens.
|
| We need regulation banning all this. Will never happen since
| malware benefits those who crave endemic surveillance.
| cs702 wrote:
| ...and on high-end smartphones too, arguably. Consider how
| difficult it would be to remove from any smartphone any piece of
| software that you as a consumer don't want (e.g., baseband
| firmware, call-home components, data-collection services, etc.).
| TrueDuality wrote:
| A lot of the comments here are complaining about trash software
| that exists on other phones that isn't removable. The difference
| here is that it isn't just garbage ware that might have
| vulnerabilities like the stuff Samsung puts on its phone, this is
| actively malicious.
|
| This especially sucks because the people who can't afford a good
| phone will pay not only in having a poorer user experience but
| they'll have their financial and social media information stolen
| as soon as its used on these devices.
|
| That means the people who can least afford (via both time and
| money) to deal with identity theft will be the ones hit the
| hardest.
| kop316 wrote:
| Heh, it's funny you say that. I just broke my phone and had to
| go get a new one. I was holding out for the PinePhone/Librem 5
| to be useful enough that I wouldn't need another Android
| device.
|
| The cheapest device that I trusted was the Pixel 3a, and that's
| because I can cleanly install GrapheneOS and not have google
| play install. That was $400. It was very tempting to get a $100
| phone, but this was my exact worry.
| jenkstom wrote:
| I bought three of these for my 8 year old triplets from
| twigby.com. I was really upset with twigby, but I guess they
| weren't the ones that did it. These phones would continuously
| install weird apps no matter what I did. I even had them locked
| down with the google family app and they still did their thing. I
| upgraded to to Moto G7 Plays and they are not only faster, they
| don't continuously install malware.
| xfitm3 wrote:
| Personally I consider this to be all phones: the baseband
| firmware is a blob that does who knows what, and is likely the
| weakest component of nearly every phone on the market. Most
| baseband processors are connected via DMA.
|
| Prior discussion from 2016:
| https://news.ycombinator.com/item?id=10905643
| jimmaswell wrote:
| There's no malware here that I can see, simply an auto-update
| mechanism that could theoretically be abused, like every auto-
| update mechanism (Chrome, Windows 10..)
| rahuldottech wrote:
| This is very common for low-end Android phones. I have seen and
| used many models from different companies (eg, Micromax, Gionee)
| (mostly Chinese) that remotely install apps or inject ads into
| the OS (notifications, home screen or lock screen).
|
| They also almost certainly are used to collect personal user data
| and sell it.
|
| Another bad thing is that these apps often come installed as
| "system apps", so you can't uninstall or disable them, or change
| permissions :(
| pmlnr wrote:
| I hope people remember when Kindles were possible to be bought
| with burned-in ads for cheaper.
| Jeff_Brown wrote:
| In which case the buyer knew what they were getting into,
| yes?
| tandr wrote:
| https://www.xda-developers.com/uninstall-carrier-oem-bloatwa...
|
| I have used these instructions in the past to remove things I
| don't need from Samsung phone.
|
| (There is also xda threads that talking about it as well,
| pointing what apps could be removed)
|
| I am not 100% sure if "cheap" phones would allow to do this
| though.
___________________________________________________________________
(page generated 2020-01-10 23:00 UTC)