Slashdot Mirror

← Back to Stories (view on slashdot.org)

Second Chinese Firm In a Week Found Hiding a Backdoor In Android Firmware (bleepingcomputer.com)

Posted by EditorDavid on from the phoning-home dept.

An anonymous reader quotes Bleeping Computer: Security researchers have discovered that third-party firmware included with over 2.8 million low-end Android smartphones allows attackers to compromise Over-the-Air (OTA) update operations and execute commands on the target's phone with root privileges. This is the second issue of its kind that came to light this week after researchers from Kryptowire discovered a similar secret backdoor in the firmware of Chinese firm Shanghai Adups Technology Co. Ltd.. This time around, the problem affected Android firmware created by another Chinese company named Ragentek Group.
It apparently affects more than 55 low-end/burner phones from BLU, Infinix Mobility, DOOGEE, LEAGOO, IKU Mobile, Beeline, and XOLO. According to the article, the binary performing the insecure updates "also includes code to hide its presence from the Android OS, along with two other binaries and their processes... Without SSL protection, this OTA system is an open backdoor for anyone looking to take control of it." Even worse, three domains were hard-coded into the binaries, two of which were unregistered, according to the researchers. "If an adversary had noticed this, and registered these two domains, they would've instantly had access to perform arbitrary attacks on almost 3,000,000 devices without the need to perform a Man-in-the-Middle attack."

108 comments

  1. Fines? by Anonymous Coward · · Score: 0

    Will the companies be fined? If not, they won't change anything.

    1. Re:Fines? by Anonymous Coward · · Score: 0

      Will the companies be fined? If not, they won't change anything.

      In a better universe where ponies grow on trees the companies would get class action sued. If it happened again, sued out of business. However in our universe, the rich will buy their iphone or oneplusone and have significantly better 'protection' from all but nation-state level actors. As much expectation of privacy as you can afford is the same old normal. What a racket.

    2. Re:Fines? by FatdogHaiku · · Score: 2

      Will the companies be fined? If not, they won't change anything.

      In a better universe where ponies grow on trees the companies would get class action sued...

      Also, no one would picnic under trees...

      --
      You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
    3. Re:Fines? by skids · · Score: 1

      Also, no one would picnic under trees...

      I'm quite averse enough to arboreal detritus to avoid this already, but yeah.

      --
      Someone had to do it.
    4. Re: Fines? by Anonymous Coward · · Score: 0

      My wife has quit parking her red car under the big maple tree. For some reason birds have an affinity for red cars.

      But on the actual topic: is it possible that said "uneregistered domains" in the binaries are there as a convenience for dns-spoof exploits? I.e. if they resolve, the phone software knows the mitm state is active?

    5. Re:Fines? by Anonymous Coward · · Score: 0

      To think I nearly bought one of those BLU phones. I'm glad I passed on their shitty, generic, malware-laden products and bought a real phone instead.

    6. Re:Fines? by cjjjer · · Score: 1

      Glad I have a BLU windows phone... phew...

    7. Re: Fines? by FatdogHaiku · · Score: 1

      But on the actual topic: is it possible that said "uneregistered domains" in the binaries are there as a convenience for dns-spoof exploits? I.e. if they resolve, the phone software knows the mitm state is active?

      That's not a bad end run for activation...

      --
      You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
    8. Re:Fines? by Anonymous Coward · · Score: 0

      In that case you absolutely have malware on it. At least with the Android-based BLU phones you have a chance of not being infected.

  2. You mean "second LARGEST" by Anonymous Coward · · Score: 0

    Stop the fake conspiracy bullshit. Ragenteck is a diversified manufacturing firm. http://english.ragentek.com/plus/list.php?tid=14

  3. Non Issue by Anonymous Coward · · Score: 0

    This seems like a non issue if this only affects phones with over the air updates. Everyone knows Android phones don't have this capability anyway.

    1. Re:Non Issue by campuscodi · · Score: 2

      They don't have it for the OS itself, but there are firmware components for OEM-specific software that receives OTA updates.

  4. In a pure FOSS world... by Anonymous Coward · · Score: 1

    ... many eyes would better catch the most blatant attempts at such shenanigans.

    1. Re:In a pure FOSS world... by Anonymous Coward · · Score: 0

      But, Android uses Linux! Android firmware is open source! Now if only there were some way to be sure the compiled binaries correspond to the published source code. Oh right. There isn't a way. But you can keep dreaming.

    2. Re:In a pure FOSS world... by Anonymous Coward · · Score: 0

      But, Android uses Linux! Android firmware is open source! Now if only there were some way to be sure the compiled binaries correspond to the published source code. Oh right. There isn't a way. But you can keep dreaming.

      In a pure FOSS world... people are able to browse, slightly or more than slightly modify, recompile, and use their customized FOSS. While Google may not give a snot about being able self-host recompile Android, it's probably totally feasible with minimal modifications. And even without that, if everyone who could afford a $300 laptop had the power to work with their FOSS-based phone that easily... herd security would improve much more quickly in my estimation.

    3. Re:In a pure FOSS world... by Anonymous Coward · · Score: 0

      Years after the fact.

    4. Re:In a pure FOSS world... by Anonymous Coward · · Score: 1

      The GP refers to the possibility that the compiler is compromised to insert evil instructions even through it's compiling good code. From Thompson's work:

      "No amount of source-level verification or scrutiny will protect you from using untrusted code. In demonstrating the possibility of this kind of attack, I picked on the C compiler. I could have picked on any program-handling program such as an assembler, a loader, or even hardware microcode. As the level of program gets lower, these bugs will be harder and harder to detect."

    5. Re:In a pure FOSS world... by ArchieBunker · · Score: 2

      Right, ok like how all those eyes found the heart bleed bug in SSL?

      --
      Only the State obtains its revenue by coercion. - Murray Rothbard
    6. Re:In a pure FOSS world... by Anonymous Coward · · Score: 1

      Right, ok like how all those eyes found the heart bleed bug in SSL?

      "most blatant attempts at shenanigans".

      Bugs and extreme clever bits of TLA subversion both would still happen. Heart bleed would get found because as the herd security evolves, I think we would get to significant enough deployment of hard core full network analysis on each device (read: phone) and in enough cases outright pattern whitelisting that the paranoid could have even a bit of confidence against such things. Part of the "trust us we know whats best, don't look under the covers" pre-Snowden mentality is what might have severely amplified the number of never-detected heart bleed exploitations in the wild before public disclosure. Now if that helped the NSA prevent a million child molestations or terror attacks, then ... who knows, not I.

    7. Re:In a pure FOSS world... by Anonymous Coward · · Score: 0

      No amount of source-level verification or scrutiny will protect you from using untrusted code.

      Same goes for hardware. But begging the forgiveness of unassailable canonized cyber elders, I would argue that having complete source level verification is a necessary first step for beginning the process of real scrutiny to protect yourself from as much future malicious code as possible. It may be turtles all the way down, but if God gave me a pair of binoculars, I'll go ahead and take a look just to double check things as far as I can see. If however God didn't give me a pair of binoculars, yeah, I'll agree, I won't sweat it too much.

    8. Re:In a pure FOSS world... by Anonymous Coward · · Score: 1

      Of course there is. If the compiled output matches the binary release then you are fine. Otherwise you don't know.

      Still, many Android phone manufacturers have deiced to lock down the binaries as hard as they can, but not all.
      There are still a few Chinese brands where you are allowed to install whatever system you like without voiding the warranty.
      They just don't give support on custom builds. If you want support you will have to load their official binaries back on the phone.

      It's a bit sad that you have to look to the Chinese market to find the things you would expect from free market capitalism.

    9. Re:In a pure FOSS world... by Anonymous Coward · · Score: 0

      ... and they caught it fine. Still android is the best thing that ever happened to computing. It made it available to young and old and poor and rich.

    10. Re:In a pure FOSS world... by Anonymous Coward · · Score: 0

      I get your point, but your metaphor fails to capture the huge cost of using those binoculars. You should ask yourself whether the cost of reviewing the source code of every single component you rely upon -- given the proliferation of back doors (both software and hardware) in the current age -- is really worth it or not. In other words, are you willing to spend hundreds of hours doing a security code review if the possibility of a hardware trojan is really high and you will end up being owned anyway?

      With everything that surfaced over the past 3 years, I take it for granted that all computer chips are backdoored by at least either the Chinese or the American governments. Until we reach a point where open source firmware becomes the norm and we can bake our own chips using our homemade silicon-to-chip builder device, there is not much point in sweating it.

      The question is, if you're not going to review the source code of certain components because the cost is prohibitive, should it still matter whether the source code is available or not? All else being equal I would personally choose the open source component, but what if there was a significant difference in performance in favour of the closed source component?

    11. Re:In a pure FOSS world... by Anonymous Coward · · Score: 0

      "In other words, are you willing to spend hundreds of hours doing a security code review if the possibility of a hardware trojan is really high and you will end up being owned anyway?"

      I said it was a necessary first step, not the only step. Obviously an environment of pervasive hardware trojans negates a great deal of utility, so a few steps are going to have to eventually deal with that.

      But the spiritual answer to your question is- no, I don't believe in giving up and having faith that my security is in good enough hands with Trump and Google. They are not my gods even if they imagine themselves to be.

    12. Re:In a pure FOSS world... by Anonymous Coward · · Score: 0

      Keyword: Reproducible Builds

      Or Compile them yourself.

      https://reproducible-builds.org/news/2015/10/16/new-homepage/

    13. Re:In a pure FOSS world... by Anonymous Coward · · Score: 0

      If you have multiple compilers, especially one that is simple, yet optimized you can do some guarding against these sorts of behaviors.

    14. Re:In a pure FOSS world... by Anonymous Coward · · Score: 0

      How? Aren't different compilers going to produce different binaries? How is it useful to compare the output from different compilers?

  5. Re: Strange... by Anonymous Coward · · Score: 5, Funny

    iPhone users experience a different sort of "backdooring". Now put your man bag down and taste my latte.

  6. Duh! by Ol+Olsoc · · Score: 1

    It's in all of them. If it hasn't been found in your Android, it just hasn't been found - yet.

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    1. Re: Duh! by Anonymous Coward · · Score: 0

      It's called google play services.

  7. Re:Strange... by Anonymous Coward · · Score: 0

    Not your iPhone. You are just licensing it from Apple. You can't modify it in any way without their permission. You had nothing to do with its creation. You have no reason to be smug.

  8. Selling my Android, getting an iPhone by Anonymous Coward · · Score: 0

    Goodbye Chinese!

    1. Re:Selling my Android, getting an iPhone by Anonymous Coward · · Score: 0

      Damn right. Why have a Chinese backdoor when you can have an American backdoor instead?

    2. Re:Selling my Android, getting an iPhone by lucm · · Score: 3, Informative

      Damn right. Why have a Chinese backdoor when you can have an American backdoor instead?

      The iPhone is not American. It's designed by Indian rental employees and manufactured by Chinese slaves.

      --
      lucm, indeed.
    3. Re:Selling my Android, getting an iPhone by Anonymous Coward · · Score: 0

      The iPhone is not American. It's designed by Indian rental employees and manufactured by Chinese slaves.

      And the profits go to an Irish company.

    4. Re:Selling my Android, getting an iPhone by Freischutz · · Score: 1

      The iPhone is not American. It's designed by Indian rental employees and manufactured by Chinese slaves.

      And the profits go to an Irish company.

      ...and there in a nutshell we have capitalism at work. Now stop bitching about it and get over it. The system is working as intended.

    5. Re:Selling my Android, getting an iPhone by Anonymous Coward · · Score: 0

      I'd much rather have a Chinese backdoor than an American one. The Chinese are less likely to use the information they steal from me against me.

    6. Re:Selling my Android, getting an iPhone by Anonymous Coward · · Score: 0

      Exactly what I have been saying all along....

    7. Re:Selling my Android, getting an iPhone by Anonymous Coward · · Score: 0

      Goodbye Chinese!

      iPhones are Chinese phones.

    8. Re:Selling my Android, getting an iPhone by Anonymous Coward · · Score: 0

      Gigabyte iram's not a hdd or software ramdisk lucm. Apk burnt you on it! Your sockpuppet self upmod here exposed it https://hardware.slashdot.org/...

    9. Re:Selling my Android, getting an iPhone by Khyber · · Score: 1

      Funny, it explicitly says in listing "GIGABYTE - PC Components - - Legacy - GC-RAMDISK"

      That's the iram. I own two. It is exactly both an HDD and software RAMDISK.

      Who's the sockpuppet, here?

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    10. Re:Selling my Android, getting an iPhone by budgenator · · Score: 1

      Deep in the bowel of Fort Meade, some Deputy Director of the NSA is saying "God Damn those fucking Chinese, who told them to put an extra backdoor into those cheap-assed burner phone? We paid for exclusivity!"

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
  9. BURNERS? by Anonymous Coward · · Score: 0

    ~~Happy Kwanzaa~~

  10. SPIES by Anonymous Coward · · Score: 0

    Over/under on Chinese gov't backing this? I'm betting it's... high.

  11. Where is Google? by Anonymous Coward · · Score: 0

    They are in their counting room, of course.
    Does anyone actually believe that Google didn't know about this?
    and as long as they profit, they could care less.
    Google even makes Microsoft look honorable.

  12. Re:Strange... by Anonymous Coward · · Score: 0

    That's because you have a real phone.

  13. The solution is obvious... by SeaFox · · Score: 4, Funny

    We just have to avoid all phones built in China.
    Oh, wait...

    1. Re: The solution is obvious... by Anonymous Coward · · Score: 0

      You do get some choice as a consumer. You can have a Chinese phone that spies on you, or a Korean phone that catches fire and explodes.

    2. Re:The solution is obvious... by Anonymous Coward · · Score: 0

      Samsung builds some phones in South Korea. Unfortunately, they do use some American chips and an OS partially developed by a US company that is on very good terms with US espionage agencies.

    3. Re:The solution is obvious... by Anonymous Coward · · Score: 0

      Google Pixel and most of the HTC phones are made in Taiwan. Also Apple will soon begin to produce some of their phones in India.

    4. Re:The solution is obvious... by SeaFox · · Score: 1

      Google Pixel and most of the HTC phones are made in Taiwan. Also Apple will soon begin to produce some of their phones in India.

      I betcha the only iPhones Apple will be making in India are the ones for the Indian market. Much like making iPhones in Brazil because of their ridiculous import tariffs.

  14. Another reason I love my Lumia by TheRealQuestor · · Score: 0

    I really appreciate my Lumia phone more and more. Great OS and hardware and hardly any apps which keeps my chances of having these issues very small. 0 userbase + 0 apps = no reason for hackers to mess with me :)

    1. Re:Another reason I love my Lumia by bug1 · · Score: 3, Interesting

      I still have my Nokia N900, real keyboard, battery lasts days, too old and obscure to be target platform.

      Security through obscurity ???

    2. Re:Another reason I love my Lumia by jonwil · · Score: 2

      Same here, my N900 still works great and I will keep using it until it dies, my carrier makes a change that means I cant use it anymore or I can somehow afford something better (which basically at this point means a Neo900)

    3. Re:Another reason I love my Lumia by Parker+Lewis · · Score: 2

      Yeap, let's hail the privacy hero, Microsoft!

    4. Re:Another reason I love my Lumia by Anonymous Coward · · Score: 0

      I still have my Nokia 3510i, real (numeric) keyboard, battery lasts weeks, too old and obscure to be target platform.

    5. Re:Another reason I love my Lumia by rholtzjr · · Score: 1

      Yup. Motorola Razor flip phone. Gotta love it.

  15. My BLU Studio 5.0C not affected by Zombie+Ryushu · · Score: 1

    I just checked for this binary, and it was not on my phone. I did have a binary file called debuggerd but it was not the same as debugs.

    1. Re:My BLU Studio 5.0C not affected by Anonymous Coward · · Score: 1

      How did you check for the binary? From TFA: "The binary responsible for the firmware OTA update operations also includes code to hide its presence from the Android OS, along with two other binaries and their processes."

    2. Re:My BLU Studio 5.0C not affected by Zombie+Ryushu · · Score: 1

      I have root, a USB Cable, and a Full Rom dump of my firmware stored on my Hard Drive. I just used adb. I su to root as well.

  16. Why are security firms so full of shit? by LostMyBeaver · · Score: 5, Informative

    1) "By determining that it utilized Rui Maciel’s JSON library, it was straightforward to reverse the expected data structure of the server response. As shown below:"

    What the hell did this have to do with anything... it forced me to hate reading the entire rest of the article. I mean it was like reading "It's a UNIX machine, I know this!" If this sentence has any meaning what-so-ever to the author other than to show off that he could identify linked libraries... well never mind... not worth writing a book on it here.

    2) It's an oob updater

    It's very likely that if the intent of this code was to be malicious, it would have been hidden better. From what I can see, it looks like they were trying to keep the software installed and operating even through shutting down most of android and bringing it back up.

    By using a fixed process id, it makes it easier to identify numerically and by removing the code which appears to be clearly marked as debugging code from the process output, it might even be possible that the process will survive cycling through run levels. It's also clear that it should allow the external server to bring the phone back up.

    3) Likely a development tool more than an updater.

    It is very likely that the developer who was making the firmware base image made a series of tools that would allow pushing and testing a lot of changes remotely. It feels like a "poor man's version" of RSH on top of a REST API.

    4) Six month timer?

    In other words, it probably just means "go to sleep... I'm done". Indefinite is more appropriate for production code.

    If they were really trying to hide something, do you think they would have made it so obvious?

    This was just the case of a programmer dropping his/her image building and debugging code into the production image. He/she was probably also asked to add some possibility to update the firmware of the image remotely for tech support reasons. He/she probably just figured "I already have something".

    At the end of the article I take this away

      DANGER!!!! Some developer left highly insecure debugging code in the firmware used on a gazillion phones.

      DANGER!!!!!!! There's some publicity loving series of security losers trying to make headlines and sound important trying to scare everyone when in reality, they no have their own backdoor to a gazillion phones and didn't even consider ... "Wait... I could run a remote command to fix the problem and make it a non-issue".

    Yes... instead of trying to make headlines and run a fund raiser, you didn't even need to actually tell us about it, you could have just simply pushed a patch that any phone connecting to one of those URLs would be patched.

    1. Re:Why are security firms so full of shit? by Anonymous Coward · · Score: 4, Insightful

      But you're missing the point, that if OTHER actors were to find these issues out ahead of time, 3 million + phones would be rootable by simply registering a couple of otherwise unclaimed domain names. That's not a "backdoor" as much as it is an open hole to the backyard...

    2. Re:Why are security firms so full of shit? by lucm · · Score: 1

      More devices to join the IoT botnets and take down the interwebs. To anyone expecting to use their new game console on Christmas day this year: it would be wise to have a Plan B that works offline (such as sex or Monopoly).

      --
      lucm, indeed.
    3. Re:Why are security firms so full of shit? by LostMyBeaver · · Score: 2

      Nope... I see the point... they caught the problem.. they even mitigated it. Now they possess two domain names that can be used to root 3 million+ firms and frankly, I don't have much interest in a company that gets its rocks off on spreading FUD like they're the White House as a fund raiser. I also don't trust them.

      Now that they have those domains AND can execute commands on those phones AND have even used them for information gathering on all those phones, why not push something on to the end of /etc/hosts to block those three domains. How do we know they're not gathering terabytes of nudie pictures of 14 year old boys taken by kids who heard sending pictures of your penis to a girl is a great way to get lucky?

      Better yet, they have no advertised that they are a great target to hack to get access to 3 million phones. Most security companies have the worst security themselves. This is because anyone they have that is any good doesn't work on their network but instead is being billed out to customers.

  17. Poor people are destroying Apple by lucm · · Score: 0

    I haven't noticed this kind of problem with my iPhone 5S...

    What, you can't afford a more recent iPhone?

    --
    lucm, indeed.
    1. Re: Poor people are destroying Apple by Anonymous Coward · · Score: 0

      There is a very good reason not to buy anything newer than a 5s - NFC. Apple just refuses to have a model without it.

    2. Re: Poor people are destroying Apple by Anonymous Coward · · Score: 0

      you don't have to enable it you know.
      Sheesh, some people are really thick.
      Perhaps you would be better off with one of these cheap android burner phones. Then the FBI/NSA can use that back door and make sure that you don't have subversive thoughts (read '1984' for what I'm talking about)

    3. Re:Poor people are destroying Apple by Mashiki · · Score: 1

      What, you can't afford a more recent iPhone?

      Wait until you find out that some of us are still using 5+ year old smart phones. Mine works(everywhere), does what it needs to, and I see no reason to upgrade. If I could have gotten away with a simple dumb cell phone I would have, but they sell them quick and usually only with limited stock numbers.

      --
      Om, nomnomnom...
    4. Re:Poor people are destroying Apple by JaredOfEuropa · · Score: 1

      The 5s is 3 years "old", and still work fine after 3 years if you take care of it a little. Same for a 3 year old high end Android phone, I suspect. If you buy cheap rubbish however, you do need to replace it a lot sooner.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    5. Re: Poor people are destroying Apple by Anonymous Coward · · Score: 0

      But you can only disable it with "software."

      I have thought for a long time that there needs to be a website called "drillhere.org". The purpose of the website would be information exchange. It would direct people how deep and with what size drill to disable unwanted functions on their electronic gadgets. To do things like take out the NFC function downstream in the analog pathway.

  18. budget phones? by NottaMehere · · Score: 1

    i'm sure they're (whoever they are) are going to love the data they retrieve from the people who use low-end phones ;-)

  19. Re:Strange... by GrandCow · · Score: 1

    You can modify an iPhone all you want, you just void the warranty.

    Apple isn't the first company nor will it be the last to void warranty for opening a device up and messing with it.

    --
    "Well kids, you tried your best, and you failed. The lesson is, never try." -Homer Simpson
  20. Chinese garbage by Anonymous Coward · · Score: 0

    Another Chinese piece of shit. What a shocker. Why anybody would purposefully buy any Chinese insecure, cheaply built, or toxic garbage products is beyond me. The Chinese govt also forces vendors and companies to open up their source code to do business in China. How convenient for them that these obvious backdoors "slip" through.

    1. Re:Chinese garbage by Anonymous Coward · · Score: 0

      So you don't buy Apple, we get it.

  21. Burner phones? by bigbang137 · · Score: 1

    Wait; we have burner smartphones now? When did this happen? 1) Buy burner 2) Deal !@#$ 3) Toss burner 4) Profit!

    1. Re:Burner phones? by SeaFox · · Score: 1

      Have you checked you local grocery store? Many sell prepaid smartphones right alongside the refill cards, with prices as low as $10 (yes, for an actual Android touchscreen smartphone).

  22. There is a movie about something like this by BreandánHeiliger · · Score: 0

    It's called Dragon Day and it's about how the US is held hostage because China has put backdoors in all the tech we buy from them.

  23. Has got to be by Anonymous Coward · · Score: 0

    One of the most poorly written articles that I've ever read. I feel stupid after reading it.

  24. Re:Strange... by Anonymous Coward · · Score: 0

    The CEO of apple might disagree. Now bend over and get ready to be backdoored.

  25. ES File Explorer by drinkypoo · · Score: 2

    I was warned here that ES File was probably phoning home to China, so I removed it and my devices actually work better now. Is there any analysis of precisely what ES File Explorer is doing?

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    1. Re:ES File Explorer by Anonymous Coward · · Score: 1

      ES File Explorer is made by Baidu, a company that is well know for malpractices and spying on its users.

  26. Heck we have Lifeline Smartphones by laurencetux · · Score: 1

    okay so they are simple back three versions things that can't do 80% of the things current phones can but if you are in the US i would bet that 80% of the PONFA folks have smart phones now.

  27. Re:Strange... by Anonymous Coward · · Score: 0

    Oh yes you can. It is called jailbreak

  28. Re:The President Elect by Anonymous Coward · · Score: 0

    Better that than another full 4 years of monkeys in the white house, or a couple of decrepit sexual maniacs.

  29. used by marketing offices supported by google by Anonymous Coward · · Score: 0

    enough said. those fuckers even block phone calls to my mobile.

  30. Dirty COW by Artem+S.+Tashkinov · · Score: 1

    Sometimes I've got a feeling that Google actively encourages security vulnerabilities considering that this particular local ROOT vulnerability affects at least 99% of all existing Android devices and Google skipped it in its latest security update.

    Welcome rootkits and unremovable trojans.

    1. Re:Dirty COW by The+MAZZTer · · Score: 1

      Google had already finalized the latest security update when Dirty COW was discovered. December's update will be their first chance to patch it.

      Furthermore given Android is an open platform ANYONE can develop for it, and this isn't Google's code at fault here. This is just a case of getting what you pay for when you buy a low-end Android phone that was made without adequate code review or security testing.

  31. Chinese Intelligence agency at work? by cold+fjord · · Score: 1

    I wonder if this is the work of the Chinese intelligence agencies? That would almost certainly be everyone's explanation if it happened in a phone from a US company.

    --
    much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
    1. Re:Chinese Intelligence agency at work? by Anonymous Coward · · Score: 0

      US agency at work? How easy would it be for an agency to get a Chinese company to place backdoors on burners. After all US officials usually use high end phones, while thieves and terrorist often use burners.

    2. Re:Chinese Intelligence agency at work? by Anonymous Coward · · Score: 0

      Some of those companies are actually owned by Chinese government. They are literally Chinese intelligence agencies.

  32. It's in there by Anonymous Coward · · Score: 0

    I got a cheap 10 inch Android No name Chinese tablet ,about 6 months ago It had a Virus in its firmware , Detected by 4 Major Antivirus solutions, and since it was in the firmware , No way to get rid of it ,factory restore therefore restored Virus The antivirus software said, Cant be removed As infection is in a system File Unable to remove system file It served up Hundreds of ads and did hundreds of false system updates at every restart

    1. Re: It's in there by Anonymous Coward · · Score: 0

      If it's rootable, then root it and you can remove those apk's manually.

      If not, then you can connect it to your PC and use Android Debloater from XDA developers forum to permanently disable them.

  33. Timothy's back door by Anonymous Coward · · Score: 0

    timothy likes it in the back door from kdawson. That's why they left slashdong. To practice more gay anal sex on each other. Boom!

  34. We need the *complete* set of source code always by Anonymous Coward · · Score: 0

    It's not a matter of the device being secure it's a matter of being step #1 to securing our devices. The way things are done right now is utterly terrible.

  35. It houses my pagefile lucm sockpuppet by Anonymous Coward · · Score: 0

    See subject lucm sockpuppet (that I've crushed before too Khyber see below) - it is a hardware card w/ 4gb RAM on it, not software ramdisk you dumb fuck (criminal & liar too).

    * It is NOT placing a pagefile onto a software ramdisk (lucm's blunder, lol - or, should I say YOURS since you show up 'suddenly' to 'defend him' (if YOU are his defense? You're a KNOWN liar & scumbag, proof's below)).

    APK

    P.S.=> Still "stinging" loser Khyber https://tech.slashdot.org/comm... where you called my ware a "virus" stupid & I proved otherwise? Yes, obviously -

    You're a KNOWN fucking liar right there!

    (You are also a KNOWN loon & criminal from what I understand Mr. A. Marshall McQuown http://www.cadailysun.com/news... )... apk

    1. Re:It houses my pagefile lucm sockpuppet by lucm · · Score: 1

      APK,

      do you know what all those arguments you're having with other people have in common? You.

      I did a quick search and it appears that more than 80% of what you post is a reply to other people where you call them liars and sockpuppet - and you frequently post in the wrong threads. That makes you a net negative for this community.

      Why do you spend so much time and energy spamming the forum with your bitter, confused accusations? Are you one of those people who thrive on misery and anger?

      You're not a victim, APK. You're a nuisance.

      --
      lucm, indeed.
    2. Re:It houses my pagefile lucm sockpuppet by Anonymous Coward · · Score: 0

      Tell us more about you being a 160lb. whimp that got put in a cage lucm=khyber http://www.cadailysun.com/news...

      Don't like being exposed after you trolled apk, impersonated him and that you blew it https://hardware.slashdot.org/... lucm?

      Top that off with known criminals defending you and they too being found to have failed against apk in Khyber the criminal (your obvious sockpuppet) https://slashdot.org/comments.... which makes you a criminal and liar too lucm = khyber.

  36. Develop for it, but not install it. by Anonymous Coward · · Score: 0

    That is the cornerstone of the problem with smartphones: We don't control the software, and the OS software and the modem software are often intimately connected, just as often via tightly coupled hardware as tightly coupled software. Neither of which are good for user data security. And that does not take into account signed bootloaders and OS images which disallow the end user/owner of the hardware from installing custom patched updates which may be needed to work around vendor shortcomings in updating the software for their particular device.

    Trustzone and non-user servicable consumer hardware need to die painful deaths. It looks like there are many more years of government and corporate exploitation even if the sheeple decide to rebel and demand change.

  37. If there's not one for the DoD by Anonymous Coward · · Score: 0

    then google will be required to put one there. Of course, open firmware would allow you to replace firmware you do not trust, and a PROPER lock down would let you change the firmware and lock that in no matter what the manufacturer wanted, and is 100% compatible with open source. It's only lockdowns that lock YOU, the owner of the device, out that is incompatible with openness.

  38. learn how to spell wimp by Anonymous Coward · · Score: 0

    it helps.

    1. Re:learn how to spell wimp by Anonymous Coward · · Score: 0

      Khyber lucm is a puny stupid monkey in a cage? Hahahahaha yes http://www.cadailysun.com/news...

  39. Making themselves look bad by sentiblue · · Score: 2

    Now it would be stereotyping to direct the cheat intention at the Chinese... but the numerous occassions related to them is undeniable. First Lenovo, then other smaller fishes...

    My propossal to this problem is: To ban the brands indefinitely from the US and to permanently bar all executives at those companies from entering the US. This way, they learn their lesson... corporations stealilng from consumers is a crime that should not go unpunished. Phucking cheaters!!!