Covert downloaders found preinstalled on dozens of low-cost Android phone models

Status
Not open for further replies.

flunk

Ars Praefectus
5,707
Subscriptor
I was really surprised to see Lenovo on that list along with all those no-name off brands. I'm disturbed by the direction Lenovo seems to be going in after the spyware incidents with their notebooks and now this. Previously I would have thought nothing about buying Lenovo products but I don't think I'll be doing that again any time soon.
 
Upvote
81 (81 / 0)

stormcrash

Ars Legatus Legionis
11,241
Really surprising and extremely concerning to see Lenovo devices on this list. I guess they didn't learn their lesson from the Windows firmware rootkit debacle. They're destroying what remaining trust they had in their brand, and I doubt that Moto and ThinkPad will go on unaffected both in reputation and factory installation of malware.

On a funny note, this makes my last employer's decision to change suppliers after the IBM division purchase seem a lot less paranoid. It seems the fears of buying from a Chinese company were valid after all.
 
Upvote
46 (47 / -1)
rabish12 said:
SiberX said: The only name I recognize on that list is "Lenovo" - way to hang with classy company, guys.
Given their history with their laptops, is it any surprise?

I'm surprised, yes. I thought the laptop debacle made them less likely (compared to other manufacturers) to make such a mistake again. But with this news.. really pretty disappointed. I've been drooling over a Thinkpad, but that's now lost its appeal somewhat.
 
Upvote
16 (16 / 0)

SiberX

Ars Scholae Palatinae
1,279
Subscriptor++
Tcee said:
rabish12 said:
SiberX said: The only name I recognize on that list is "Lenovo" - way to hang with classy company, guys.
Given their history with their laptops, is it any surprise?

I'm surprised, yes. I thought the laptop debacle made them less likely (compared to other manufacturers) to make such a mistake again. But with this news.. really pretty disappointed. I've been drooling over a Thinkpad, but that's now lost its appeal somewhat.
I used to be a huge Thinkpad fan, but Lenovo has run the brand into the ground. These days I'm mostly using Surface devices (excellent build quality, which was the Thinkpad trademark back when IBM owned them) and I pair it with a Thinkpad bluetooth keyboard to get my trackpoint fix.
 
Upvote
14 (15 / -1)
rabish12 said:
SiberX said: The only name I recognize on that list is "Lenovo" - way to hang with classy company, guys.
Given their history with their laptops, is it any surprise?

Yes, I am surprised. I expected them to clean up their act after that debacle.

Now with this news, I'm telling everyone I know to avoid even the Motorola brand.
 
Upvote
22 (23 / -1)

clarityoffline

Ars Scholae Palatinae
877
Tcee said:
rabish12 said:
SiberX said: The only name I recognize on that list is "Lenovo" - way to hang with classy company, guys.
Given their history with their laptops, is it any surprise?

I'm surprised, yes. I thought the laptop debacle made them less likely (compared to other manufacturers) to make such a mistake again. But with this news.. really pretty disappointed. I've been drooling over a Thinkpad, but that's now lost its appeal somewhat.

Those phones are actually from the time of their use of Superfish, one is from 2014 and the other was released in Jan 2015.
 
Upvote
26 (27 / -1)
InfiniteWisdom said: How many people have even heard of these devices? Are they only found in 3rd world countries? Yes we have all heard of Lenovo but no one here is surprised they are on the list.

The Slashdot writeup of this story reported that they were "sold mostly in Russia", which might be why they sure don't sound familiar. Apparently all Mediatek-based as well.

I'd be curious to know if that's just because Mediatek makes cheap SoCs and vendors shoddy enough to ship with malware like cheap SoCs; or whether the same bottom-feeder 3rd party was involved in munging the Mediatek BSP into a system ROM for a bunch of differently branded devices and took the opportunity to do a little 'value add' in the process.
 
Upvote
15 (15 / 0)
clarityoffline said:
Tcee said:
rabish12 said:
SiberX said: The only name I recognize on that list is "Lenovo" - way to hang with classy company, guys.
Given their history with their laptops, is it any surprise?

I'm surprised, yes. I thought the laptop debacle made them less likely (compared to other manufacturers) to make such a mistake again. But with this news.. really pretty disappointed. I've been drooling over a Thinkpad, but that's now lost its appeal somewhat.

Those phones are actually from the time of their use of Superfish, one is from 2014 and the other was released in Jan 2015.

Was any update ever released to remove the malware from those devices?
 
Upvote
8 (8 / 0)

KAL1989

Ars Scholae Palatinae
795
Almost all the brands on there are likely Chinese.

The fact that we see Lenovo on there begs the question: Does Lenovo license their brand out to budget Android ODMs? It may explain why only a few of their Android models are on this list and not all of them. Lenovo doesn't list any of those models on their website currently, but I have seen products like them at Best Buy and retail big box stores.

A cursory glance through Lenovo's USA and Canadian website shows there are no model A6000 or A319 under their support page. Are these models that sell elsewhere?
 
Upvote
7 (7 / 0)
GroBeMaus said: I sooooo wish providers would start being fined/held accountable when the devices they provide do crap like this!

Unfortunately, that seems like a distant dream:

At least when hackers do it; it's theoretically illegal, if fairly rarely prosecuted.

When your vendor does it, it's just a few paragraphs of fine print on page 46 of the EULA.
 
Upvote
21 (21 / 0)
Apparently a PR nightmare, fines and lawsuits weren't enough to dissuade Lenovo from their malicious practices...

In a blog post, Lenovo CTO Peter Hortensius apologized and promised that Superfish will not be included on any Lenovo PCs in the future.
And apparently, other brands of adware and other types of devices were not included in this apology.
 
Upvote
22 (23 / -1)

clarityoffline

Ars Scholae Palatinae
877
logic_88 said:
clarityoffline said:

Those phones are actually from the time of their use of Superfish, one is from 2014 and the other was released in Jan 2015.

Was any update ever released to remove the malware from those devices?

No idea, I kinda doubt it.... actually thought about that for a second and if drweb is just now reporting it I would assume it was never removed unless they're only discovering it on phones that weren't updated.

I was just pointing out that it is possible Lenovo did learn their lesson from the Superfish debacle and didn't include this crap in any phones made after that.
 
Upvote
2 (2 / 0)

NexusKoolaid

Smack-Fu Master, in training
61
Calavaro said: THANK YOU for posting the dirty devices instead of relying on innuendo and generalizations.

This list is a little helpful, but concerning phones not on the list we have no way of knowing which phones aren't affected (tested and found safe), or which ones might be affected (haven't been tested).
 
Upvote
3 (3 / 0)

Netherhigal

Wise, Aged Ars Veteran
127
KAL1989 said:
A cursory glance through Lenovo's USA and Canadian website shows there are no model A6000 or A319 under their support page. Are these models that sell elsewhere?
That might be because these are Dual Sim devices, which almost never come to the US, and are rarely compatible with North American networks in general. These models seem to have been sold in India, specifically.

For reference:

http://shopap.lenovo.com/in/en/smartpho ... ries/a319/

http://shopap.lenovo.com/in/en/smartpho ... ies/a6000/
 
Upvote
12 (12 / 0)
It's the reason I root, wipe and install the most recent version of the OS available for my phone. At least there exists the possibility of removing crap with full access to the phone.

Of course users should not have to root their phones but they have a right to do so if they choose without jumping through hoops. If the hackers have control and providers don't make even the minimal effort to keep them safer the very least they can do is allow access so they or a trustworthy professional can take over that role.

Oh and BTW, fuck you Lenovo.
 
Upvote
1 (4 / -3)
KAL1989 said: Almost all the brands on there are likely Chinese.

The fact that we see Lenovo on there begs the question: Does Lenovo license their brand out to budget Android ODMs? It may explain why only a few of their Android models are on this list and not all of them. Lenovo doesn't list any of those models on their website currently, but I have seen products like them at Best Buy and retail big box stores.

A cursory glance through Lenovo's USA and Canadian website shows there are no model A6000 or A319 under their support page. Are these models that sell elsewhere?

I doubt that Lenovo licenses their brand out; but it would be absolutely unsurprising if they do some 'badge engineering' to fill out their product line in areas they don't care too much about.

This is common practice: "Original Design Manufacturers" exist for a wide variety of more or less generic/commodified electronic bits; and they will sell the same basic product to anyone who satisfies the minimum order quantity; but do some customization to-suit of bezels, splash screens, packaging, exterior plastics kits, etc. so that their product matches the trade dress/design language/etc. of the company that will be selling the stuff to end users.

It isn't necessarily problematic or deceptive: ODM gear tends to be pretty generic (though some niches, like Clevo for crazy-desktop-replacement laptops, have fairly specialized ODMs) since it is targeted at companies that aren't interested in doing engineering in-house to distinguish the product; and it needs to be easy to rebrand for multiple customers; but it isn't necessarily inferior to other gear in the same price range (and, while this practice is ubiquitous in the cheap seats; it's not uncommon to find thinly-veiled SuperMicro stuff with rack rails and 5+ figure pricetags); but it does tend to mean that more of the same software and firmware is shared between 'different' products than casual inspection would suggest; which can be a real problem if there is a defect. This Ars story mentions a situation where one IP camera design and firmware was distributed under ~70 different brand names; a look at the OpenWrt wiki turns up tons of routers that are sold by 2-4 different people with no difference but the plastic and the graphics on the web interface, lots of other examples.

Low-end cellphones and tablets are pretty commodified at this point, so while a company probably wouldn't farm out one of their 'flagship' models (unless they are in the process of getting out of the hardware business entirely; or are basically a software company, like the 'Blackphone' guys); it seems totally plausible that less-loved segments might well be served by rebadges. It's fast, has minimal design/engineering costs; and allows you to either exploit the strength of your brand (to command a relatively premium price for inexpensive hardware) or fill gaps in your product lineup that might induce customers to buy from a competitor.
 
Upvote
6 (6 / 0)

coheedesu

Smack-Fu Master, in training
80
nmalinoski said: Are there any tips for detection and/or removal, other than kill it with fire?

Root and install a system apps remover or flash a ROM made by the Android community? I go that way whenever I get a new phone. Bone stock Android is the way to go for me.
 
Upvote
3 (4 / -1)
Death_wish01 said: Can Google PLEASE start unifying OS versions and distributions so that carriers and OEMs can't fuck it up.

This has been going on for too long and not having a regulation set by the OS maker is really hurting the consumer more than helping.

Why would they do that? Their current marketing direction is about shaming other OEMs to make the Pixel look like it is worth the cash.

As a sideways related matter, could you imagine if anti-trust regulators came down on Apple and Google about unbundling the OS, browser, and other software from hardware the way they did to Microsoft 15+ years ago?

As for the people all happy to see a list, why would you expect any of the off-brand phones not to come with adware / covert apps? Even the major OEMs were putting CarrierIQ on flagships at the behest of carriers until the name became toxic. Carriers are still putting on plenty of spyware / adware / questionable diagnostics (looking at you com.tmobile.pr.adapt).

But really in a stock market economy where even Google is constantly lambasted for not providing enough profits for shareholders and CEOs are responsible to them instead of running a successful company, what do you expect?

Corporations are people... method actors, but people. Just ask what's their motivation... /s
 
Upvote
5 (7 / -2)

jdale

Ars Legatus Legionis
18,438
Subscriptor
GroBeMaus said: I sooooo wish providers would start being fined/held accountable when the devices they provide do crap like this!

Yes. No consequences = expect this to continue to be common.

Surreptitious data collection needs to be illegal and heavily penalized.
 
Upvote
5 (5 / 0)
aaronb1138 said:
Death_wish01 said: Can Google PLEASE start unifying OS versions and distributions so that carriers and OEMs can't fuck it up.

This has been going on for too long and not having a regulation set by the OS maker is really hurting the consumer more than helping.

Why would they do that? Their current marketing direction is about shaming other OEMs to make the Pixel look like it is worth the cash.

As a sideways related matter, could you imagine if anti-trust regulators came down on Apple and Google about unbundling the OS, browser, and other software from hardware the way they did to Microsoft 15+ years ago?

As for the people all happy to see a list, why would you expect any of the off-brand phones not to come with adware / covert apps? Even the major OEMs were putting CarrierIQ on flagships at the behest of carriers until the name became toxic. Carriers are still putting on plenty of spyware / adware / questionable diagnostics (looking at you com.tmobile.pr.adapt).

But really in a stock market economy where even Google is constantly lambasted for not providing enough profits for shareholders and CEOs are responsible to them instead of running a successful company, what do you expect?

Corporations are people... method actors, but people. Just ask what's their motivation... /s

There's also the problem that the ARM world is a balkanized hellscape compared to x86. Getting Linux to work well on a cranky laptop with shoddy firmware may not be fun or even possible; but pretty much every Wintel sold is practically family compared to all the things that share a given ARM ISA; but not necessarily much else.

This is not at all helped by the fact that prominent x86 vendors tend to be a mixture of not-too-flagrantly-GPL-violating (sometimes even downright helpful!); or at least competent about being proprietary (e.g. Nvidia, for the most part).

ARM BSPs, Not. So. Much. Things have improved a bit, if only because getting worse would have been harder; and ARM Ltd. has been trying to beat its licensees into submission with their "Server Base System Architecture" in the hopes of better taking on Intel in the datacenter; but your basic ARM application processor can do more or less whatever it wants; and getting even minimal vendor cooperation can be like pulling teeth.

As much as Microsoft's dominance in the PC space has had some negative effects, it has also had the virtue of making it more or less the case that "If it can't boot Windows; it might as well not be x86" which minimizes the amount of truly crazy stuff any vendor can try, since their product has to at least be able to get a not-necessarily-all-that-new version of Windows far enough to load the driver that papers over their horrible hacks. With Android, they get to brutalize a fork of Linux into their awful little BSP and do just about anything.
 
Upvote
14 (15 / -1)
jdale said:
GroBeMaus said: I sooooo wish providers would start being fined/held accountable when the devices they provide do crap like this!

Yes. No consequences = expect this to continue to be common.

Surreptitious data collection needs to be illegal and heavily penalized.

Well, if we used the "old" or "antiquated" computer hacking laws on the books, the ones where using "cpu time" without permission of the owner / operator was a crime, it already is covered.

That said, I am in favor of opt-in data collection when it is for product improvement. When it is for advertising, buying, selling, or otherwise interferes with the full performance of my device, that is the problem.

At the end of the day though the problem is people. People suck.

fuzzyfuzzyfungus said:
aaronb1138 said:
Death_wish01 said: Can Google PLEASE start unifying OS versions and distributions so that carriers and OEMs can't fuck it up.

This has been going on for too long and not having a regulation set by the OS maker is really hurting the consumer more than helping.

Why would they do that? Their current marketing direction is about shaming other OEMs to make the Pixel look like it is worth the cash.

As a sideways related matter, could you imagine if anti-trust regulators came down on Apple and Google about unbundling the OS, browser, and other software from hardware the way they did to Microsoft 15+ years ago?

As for the people all happy to see a list, why would you expect any of the off-brand phones not to come with adware / covert apps? Even the major OEMs were putting CarrierIQ on flagships at the behest of carriers until the name became toxic. Carriers are still putting on plenty of spyware / adware / questionable diagnostics (looking at you com.tmobile.pr.adapt).

But really in a stock market economy where even Google is constantly lambasted for not providing enough profits for shareholders and CEOs are responsible to them instead of running a successful company, what do you expect?

Corporations are people... method actors, but people. Just ask what's their motivation... /s

There's also the problem that the ARM world is a balkanized hellscape compared to x86. Getting Linux to work well on a cranky laptop with shoddy firmware may not be fun or even possible; but pretty much every Wintel sold is practically family compared to all the things that share a given ARM ISA; but not necessarily much else.

This is not at all helped by the fact that prominent x86 vendors tend to be a mixture of not-too-flagrantly-GPL-violating (sometimes even downright helpful!); or at least competent about being proprietary (e.g. Nvidia, for the most part).

ARM BSPs, Not. So. Much. Things have improved a bit, if only because getting worse would have been harder; and ARM Ltd. has been trying to beat its licensees into submission with their "Server Base System Architecture" in the hopes of better taking on Intel in the datacenter; but your basic ARM application processor can do more or less whatever it wants; and getting even minimal vendor cooperation can be like pulling teeth.

As much as Microsoft's dominance in the PC space has had some negative effects, it has also had the virtue of making it more or less the case that "If it can't boot Windows; it might as well not be x86" which minimizes the amount of truly crazy stuff any vendor can try, since their product has to at least be able to get a not-necessarily-all-that-new version of Windows far enough to load the driver that papers over their horrible hacks. With Android, they get to brutalize a fork of Linux into their awful little BSP and do just about anything.

But when you answer my earlier question, the answer explains the Balkanization and brokenness of ARM and Android. The motivation is to maintain a constant stream of obsolescence and consumers enslaved to upgrades. This is the opposite of the way consumers for quite some time treated a PC as an investment to be kept for multiple years, even when they commonly sold at smartphone price points (sub $1k).

Microsoft, unlike Google or Apple, has supported customers treating hardware and software as investments. They offer advantages to the subscription model (O365) but don't severely penalize you for holding onto old software / hardware. Heck, I still have a Surface Pro (1) that I use daily for taking notes. Got a free upgrade to Windows 10, still getting updates, device has gotten a little worse on battery life, but nowhere near the extreme suckage an iPad or smartphone from the same year would operate now.
 
Upvote
6 (9 / -3)