Slashdot Mirror


Down the Rabbit Hole With a BLU Phone Infection (threatpost.com)

msm1267 writes: BLU phones, marketed as affordable Android devices, have recently been pulled from Amazon and other retailers after allegations the devices were infected with spyware and posed a privacy threat to users. This is the tale of one such victim who purchased 11 devices that instantaneously began serving pop-up ads and downloading unwanted applications. The phones were analyzed and the root of the issue in this case was uncovered.

43 comments

  1. Maybe BLU should open source the SoC drivers? by ctilsie242 · · Score: 1

    I wonder if stuff like this could be mitigated by BLU having the kernel drivers available, if not open-sourced, so people could make custom ROMs. Perhaps get LineageOS as a viable option on the devices?

    That way, there would be some faith that the phones would have been shipped clean and decently secure.

    1. Re:Maybe BLU should open source the SoC drivers? by Anonymous Coward · · Score: 0

      I don't think it is limited to one manufacturer, my android phone keeps doing exactly the same thing even after a factory reset, so I conclude the firmware is compromised at the factory either deliberately or by negligence.

    2. Re:Maybe BLU should open source the SoC drivers? by Anonymous Coward · · Score: 0

      Why would they want to cut into their revenue stream by doing something silly like stopping adware on their phones?

    3. Re:Maybe BLU should open source the SoC drivers? by Stormwatch · · Score: 2

      There is not much of a revenue stream when retailers refuse to carry their shit.

    4. Re:Maybe BLU should open source the SoC drivers? by slack_justyb · · Score: 1

      I wonder if stuff like this could be mitigated by BLU having the kernel drivers available, if not open-sourced, so people could make custom ROMs.

      Not everything that makes up all the needed bits for these devices has open sourced drivers. That's no excuse for at least releasing the open parts. However, this is actually a larger existential problem, so much so, that the maintainer of Android's Open Source Project AOSP basically quit his job and basically asked what's the f***ing point if an OS doesn't do anything on modern hardware. The Nexus 4 and 7 devices made by Google included lots of hardware that just was never going to be able to have drivers open sourced. Since then, the problem has only gotten worse, yes even the beloved Raspberry Pi has binary drivers and the people who make the Pi are not abashed by this point because, completely open sourced has never been one of their goals. True the OS is open since it is Linux, but what good is it when only the Kernel and a few support libraries are all that are open source? Or as the former AOSP maintainer put it, "There's no point being the maintainer of an Operating System that can't boot to the home screen on its flagship device for lack of GPU support"

      But I digress, because I'm not getting to the point here. BLU contracted out to a third party to maintain their firmware, because maintaining an image is a lot of work. That third party was Adups Technology and they themselves had a set of ad networks that they use to serve up ads, much like how any other phone serves up Google ads. At any rate, Adups' network of ad networks had some nodes that were serving up malware embedded into the ad. When Adups' software loaded the ad it loaded up the infection.

      This is the thing about ads in apps. Those ads have to come from somewhere and you are putting a lot of trust in the person who's delivering those ads that those ads are trojans. Now you as a firmware company might also have your own ad agency (I know weird combination) as well, so basically people come to you and you design and deliver the ad. But if that's not you (more likely situation), then someone else designs the ad and sends it to the delivery network, the delivery network either sends it directly to the device or sends it on upstream to someone who aggregates these things to be sent out to the device. etc, etc, etc... Fun stuff.

      Open sourcing things might help a bit, but not really. But honestly, piecemeal keeping up with licence is its own job for really large projects. Some places, especially Chinese places, don't really care and grab whatever kernel version they are using from kernel.org and put that up on their website for GPL compliance. Same thing for the other bits. After that bit of hassle is done, it's basically a binary blob that's closed off. It's the fun part of cutting corners that goes on in some of the cut-throat mobile market.

      That way, there would be some faith that the phones would have been shipped clean and decently secure.

      Even if the phone shipped clean, if the ad network that you trust delivers the malware behind your back because the ad network didn't catch it, then you're hosed that way. Clean phone or not. To summarize here.

      TL;DR - This infection was delivered via the ad network, so open source or not, you would have been hosed. However, open sourcing a device is a lot easier said than done as a lot of hardware is impossible (well, not impossible but many companies that make the ICs are very, very unwilling so you might as well say impossible) to open source. Additionally, even if you just gave out the parts that are open, that's an insanely complex task of putting it together that a lot of cut-throat companies won't go through.

    5. Re:Maybe BLU should open source the SoC drivers? by tlhIngan · · Score: 1

      This is the thing about ads in apps. Those ads have to come from somewhere and you are putting a lot of trust in the person who's delivering those ads that those ads are trojans. Now you as a firmware company might also have your own ad agency (I know weird combination) as well, so basically people come to you and you design and deliver the ad. But if that's not you (more likely situation), then someone else designs the ad and sends it to the delivery network, the delivery network either sends it directly to the device or sends it on upstream to someone who aggregates these things to be sent out to the device. etc, etc, etc... Fun stuff.

      The big difference about ads in apps and ads in the OS itself is at least ads in apps are limited by permissions granted to the main app itself. Sure there are plenty of ways to break out of the Android sandbox, but in general, that's why apps are sandboxed to begin with.

      Ads in the main OS though can have full run of the OS, permissions be damned. It's why you can install apps without popping up the dialog (something in-app ads need to ask the user). From the looks of things, it looks like it ran with full system permissions, so the ads basically had full root permissions to do whatever they wanted. Including maintaining a root session for themselves.

    6. Re:Maybe BLU should open source the SoC drivers? by hairyfeet · · Score: 1

      BLU doesn't do anything other than rebrand Chinese phones so all they have to do is change their name and the address on their letterhead and away they go, not like BLU was a top shelf brand in the first place.

      For those that want a cheap Android phone without all the bullshit? Get an Alcatel, they have an app on their phones that let you root it in under 3 minutes without using any third party malware like Kingoroot. I had mine rooted 4 minutes after booting, it was simple and easy and the phones are actually nice for the price.

      --
      ACs don't waste your time replying, your posts are never seen by me.

    7. Re:Maybe BLU should open source the SoC drivers? by greenfruitsalad · · Score: 1

      while they may be easy to root, there's almost no interest in them (on forum.xda-developers.com) and thus ZERO 3rd party rom support. it's sad because they're nicely priced and some of the hardware is really interesting.

    8. Re: Maybe BLU should open source the SoC drivers? by Anonymous Coward · · Score: 0

      Open source doesn't solve that... your device ships with binaries installed, not sources. And those binaries might be built by a process that includes extras not in the open source project.

      Open source for security or customization only makes sense when you build it yourself. If you trust the vendor, or aren't going to be modifying what you got, then open source doesn't matter.

    9. Re:Maybe BLU should open source the SoC drivers? by someoneOtherThanMe · · Score: 1

      Had an Alcatel Poptouch C3. It kept getting slower and slower, to the point of needing ~1 minute from locked screen to dialing. Rebooting only helped temporarily.

    10. Re:Maybe BLU should open source the SoC drivers? by thejynxed · · Score: 1

      Well, the interesting bit is that the two Trojans identified as being the culprits didn't use the ads and app installs for anything else but to rake in unearned cash. They themselves autoroot any device they find themselves on and then the show begins. The question is, did the Chinese firmware company intentionally use those trojans, or not. I would have to think that they did, considering their past behavior.

      --
      @Mindless Drivel: 100% of Twitter posts ever Tweeted.

    11. Re:Maybe BLU should open source the SoC drivers? by Anonymous Coward · · Score: 0

      Motorola also makes good phones for the money. They have an official bootloader unlock procedure, after which you can simply flash recovery/supersu. So no exploits needed there. And the Moto G series always had very good custom rom support (which Alcatels haven't).
      Personally I only have experience with the Moto X1 made during Google ownership, idk about later models under Lenovo, but worth looking into.

    12. Re:Maybe BLU should open source the SoC drivers? by hairyfeet · · Score: 1

      I never bother with third party roms since I have not the time nor the prerequisite android coding exp to vet their code, whereas with first party roms as we have seen with BLU researchers will find out if they are doing anything nasty soon enough.

      The hardware is good and affordable and easy to unlock, that is what matters to me. Simply strip out anything you do not want, install the apps you do and voila! Your own custom phone that only does what YOU want.

      --
      ACs don't waste your time replying, your posts are never seen by me.

  2. Re:Android is a cesspool by Anonymous Coward · · Score: 0

    You're an idiot.

  3. Re:Android is a cesspool by Anonymous Coward · · Score: 0

    http://www.businessinsider.com/android-most-vulnerable-operating-system-in-2016-2017-1

  4. Re:Android is a cesspool by Anonymous Coward · · Score: 0

    You're a moron.

  5. Re:Android is a cesspool by Anonymous Coward · · Score: 0

    You're a moron.

  6. Re:Android is a cesspool by Anonymous Coward · · Score: 0

    I wouldn't put too much faith in a chart claiming Windows 10 and 8.1 are more secure than Debian. - misspelled ubuntu, and listed the "linux kernel" as an operating system

    Sure android is probably more insecure than iOS - that occurs when one manufacturer creates all the hardware and makes their operating system vs letting third parties create hardware for android.

    it also occurs when 90% of the smartphone market is android (your article's words, not mine), so every time a new update or a new model comes out there could be more vulnerabilities. - similar to how most of the viruses target Windows, because that's what most people are running.

  7. Re:Android is a cesspool by Anonymous Coward · · Score: 0

    You're a moron.

  8. Re:Android is a cesspool by Anonymous Coward · · Score: 0

    You're a moron.

  9. Re:Android is a cesspool by Anonymous Coward · · Score: 0

    You're a moron.

  10. Re:Android is a cesspool by Anonymous Coward · · Score: 1

    So, then it is MORONS all the way down... good to know

  11. Re: Android is a cesspool by mSparks43 · · Score: 1

    android 3 4 and 5 were pretty terrible. 6 was all about security. 7 will overtake Apple in all meaningful ways.
    But let's be honest, if you know what you are doing, even the open and broken walls of android 3 could be secured to a greater level than the black box that is apple devices will ever.

    oh, and

    You're a moron.

  12. Re:Android is a cesspool by Anonymous Coward · · Score: 0

    You're a moron.

  13. Re:Android is a cesspool by Anonymous Coward · · Score: 0

    Since you chose to criticize minutiae on the particular linked site, here are more "reputable" sources.

    https://www.bleepingcomputer.com/news/security/android-was-2016s-most-vulnerable-product/

    https://tech.slashdot.org/story/17/01/04/1554243/android-was-2016s-most-vulnerable-product-oracle-the

    You can make an Android phone/OS install as secure as you want. The problem is Google Play and an app's unrestricted ability to "infect" an Android phone.

    The most incompetent CISOs always use Android devices to access work emails and allow their company's employees to use Android devices. They are putting their employer's sensitive information and reputation in serious jeopardy and should be terminated immediately.

    Defending Android is like defending Harvey Weinstein. Cool product. Bad implementation.

  14. Re:Android is a cesspool by Anonymous Coward · · Score: 0

    Slashdot: come for the news, stay for the engaging discussions.

  15. Re: Android is a cesspool by Anonymous Coward · · Score: 0

    android 3 4 and 5 were pretty terrible. 6 was all about security. 7 will overtake Apple in all meaningful ways.

    That's why I stayed on Android 2.3 and never upgraded!

  16. Re:Android is a cesspool by Anonymous Coward · · Score: 0

    You're a moron.

  17. Re:Android is a cesspool by Anonymous Coward · · Score: 0

    You're a maroon.

  18. Re:Android is a cesspool by Anonymous Coward · · Score: 0

    You're maroon.

  19. still for sale by Anonymous Coward · · Score: 0

    As of right now, there is a whole slew of BLU phones for sale on Amazon.

  20. Re: Android is a cesspool by Anonymous Coward · · Score: 1

    Gingerbread rocked.
    I loved being able to mount my SD card on my computer with the USB cable.
    At least in Jelly Bean I could still copy files onto my SD card using KDE Connect.
    The excuses for making SD cards less usable on Android have always been lame, when the companies involved have an obvious incentive to keep you from copying files from your computer.

  21. Re: Android is a cesspool by Anonymous Coward · · Score: 0

    2.3? I'm still on 1.1 you insensitive clod!

    Malware simply doesn't work on 1.1 - it's bulletproof!

  22. The problem is ADUPS by Zombie+Ryushu · · Score: 4, Insightful

    BLU needs to stop locking their boot loaders, and start letting people LineageOS their devices. ADUPS is turning into a menace!

  23. Best cheap phone option still is the no data by deviated_prevert · · Score: 1

    That way any crapware on the phone can be castrated. It comes down to carefully choosing the phone to make sure it is not hosed with either carrier crapware or manufacturer crAPPS.

    Polaroid tried to break into the unlocked market and seems to be failing without having a secret revenue stream. Their 6 inch dual sim is a decent and super cheap phone and is as close to a stock android install as I have seen. I bought one for my wife and found it to be free from adware and garbage apps. Obviously some of the cheap unlocked phones are going to try the adware/spyware route. The only solution I see is if you just want a phone with no carrier lock then make damn sure that the android install is not polluted and you can remove garbage apps that try to go online without consent.

    The phone plan that we have is set up so that the browser function and any other app including e-mail cannot use LTE, the voice search function of chrome is switched off. NO DATA PLAN PERIOD. It does mean that we cannot send text with pics but this is how you dig yourself into the cell phone 100 plus dollars a month rabbit hole and the carriers love it! SCREW THAT. We only use the phone on the net if there is wifi available and keep the wifi turned off until we choose to enable it. For us it is a phone that can do the net but first and foremost it is a phone that we can choose to shut off when not in use and it does not keep us in the poor house!

    --
    This message was not sent from an iPhone because Peter Sellers really was a deviated prevert without a dime for the call

    1. Re:Best cheap phone option still is the no data by Anonymous Coward · · Score: 0

      Tello (Sprint MVNO) has a $4/mo for 200MB data plan. They also claim that 4G LTE is unlimited but will throttle to 64kbps when data runs out. So, if you don't mind 64 kbps, then you might not even need to spend the $4/mo (untested - I'd contact customer service first before trying this route).

      On Tello, for $6/month, 100 minutes talk + unlimited texting. That beats Tracfone by about $3/mo.

  24. Regardless not good enough by Carrot007 · · Score: 1

    I tried a BLU device because of the price. But the quality control was horrible. The backlight was not even and often did not work. Decided to go to the next tier and got a Wiley Fox and could not be happier.

    --
    +----------------- | What is the question!

  25. Re: Android is a cesspool by Anonymous Coward · · Score: 0

    Better than being orange.

  26. Re: Android is a cesspool by Anonymous Coward · · Score: 0

    My Gingerbread 6.0 phone allows me to do that, on Windows anyway.

  27. So where are the RED phones? by Chris+Mattern · · Score: 1

    Reliable Excavation Demolition wants to know!

  28. Blu R1 Plus by SeriousTube · · Score: 1

    I got a Blu R1 Plus last spring on Amazon for $160. I am very happy with it. It doesn't have any unremovable crap on it or Amazon ads. It is a very nice piece of hardware imo. I mean obviously it isn't the same quality as Nexus 6P or something. I don't know of any other $160 phones that are as good though.