Slashdot Mirror


Down the Rabbit Hole With a BLU Phone Infection (threatpost.com)

msm1267 writes: BLU phones, marketed as affordable Android devices, have recently been pulled from Amazon and other retailers after allegations the devices were infected with spyware and posed a privacy threat to users. This is the tale of one such victim who purchased 11 devices that instantaneously began serving pop-up ads and downloading unwanted applications. The phones were analyzed and the root of the issue in this case was uncovered.

17 of 43 comments

  1. Maybe BLU should open source the SoC drivers? by ctilsie242 · · Score: 1

    I wonder if stuff like this could be mitigated by BLU having the kernel drivers available, if not open-sourced, so people could make custom ROMs. Perhaps get LineageOS as a viable option on the devices?

    That way, there would be some faith that the phones would have been shipped clean and decently secure.

    1. Re:Maybe BLU should open source the SoC drivers? by Stormwatch · · Score: 2

      There is not much of a revenue stream when retailers refuse to carry their shit.

    2. Re:Maybe BLU should open source the SoC drivers? by slack_justyb · · Score: 1

      I wonder if stuff like this could be mitigated by BLU having the kernel drivers available, if not open-sourced, so people could make custom ROMs.

      Not everything that makes up all the needed bits for these devices has open sourced drivers. That's no excuse for at least releasing the open parts. However, this is actually a larger existential problem, so much so, that the maintainer of Android's Open Source Project AOSP basically quit his job and basically asked what's the f***ing point if an OS doesn't do anything on modern hardware. The Nexus 4 and 7 devices made by Google included lots of hardware that just was never going to be able to have drivers open sourced. Since then, the problem has only gotten worse, yes even the beloved Raspberry Pi has binary drivers and the people who make the Pi are not abashed by this point because, completely open sourced has never been one of their goals. True the OS is open since it is Linux, but what good is it when only the Kernel and a few support libraries are all that are open source? Or as the former AOSP maintainer put it, "There's no point being the maintainer of an Operating System that can't boot to the home screen on its flagship device for lack of GPU support"

      But I digress, because I'm not getting to the point here. BLU contracted out to a third party to maintain their firmware, because maintaining an image is a lot of work. That third party was Adups Technology and they themselves had a set of ad networks that they use to serve up ads, much like how any other phone serves up Google ads. At any rate, Adups' network of ad networks had some nodes that were serving up malware embedded into the ad. When Adups' software loaded the ad it loaded up the infection.

      This is the thing about ads in apps. Those ads have to come from somewhere and you are putting a lot of trust in the person who's delivering those ads that those ads are trojans. Now you as a firmware company might also have your own ad agency (I know weird combination) as well, so basically people come to you and you design and deliver the ad. But if that's not you (more likely situation), then someone else designs the ad and sends it to the delivery network, the delivery network either sends it directly to the device or sends it on upstream to someone who aggregates these things to be sent out to the device. etc, etc, etc... Fun stuff.

      Open sourcing things might help a bit, but not really. But honestly, piecemeal keeping up with licence is its own job for really large projects. Some places, especially Chinese places, don't really care and grab whatever kernel version they are using from kernel.org and put that up on their website for GPL compliance. Same thing for the other bits. After that bit of hassle is done, it's basically a binary blob that's closed off. It's the fun part of cutting corners that goes on in some of the cut-throat mobile market.

      That way, there would be some faith that the phones would have been shipped clean and decently secure.

      Even if the phone shipped clean, if the ad network that you trust delivers the malware behind your back because the ad network didn't catch it, then you're hosed that way. Clean phone or not. To summarize here.

      TL;DR - This infection was delivered via the ad network, so open source or not, you would have been hosed. However, open sourcing a device is a lot easier said than done as a lot of hardware is impossible (well, not impossible but many companies that make the ICs are very, very unwilling so you might as well say impossible) to open source. Additionally, even if you just gave out the parts that are open, that's an insanely complex task of putting it together that a lot of cut-throat companies won't go through.

    3. Re:Maybe BLU should open source the SoC drivers? by tlhIngan · · Score: 1

      This is the thing about ads in apps. Those ads have to come from somewhere and you are putting a lot of trust in the person who's delivering those ads that those ads are trojans. Now you as a firmware company might also have your own ad agency (I know weird combination) as well, so basically people come to you and you design and deliver the ad. But if that's not you (more likely situation), then someone else designs the ad and sends it to the delivery network, the delivery network either sends it directly to the device or sends it on upstream to someone who aggregates these things to be sent out to the device. etc, etc, etc... Fun stuff.

      The big difference about ads in apps and ads in the OS itself is at least ads in apps are limited by permissions granted to the main app itself. Sure there are plenty of ways to break out of the Android sandbox, but in general, that's why apps are sandboxed to begin with.

      Ads in the main OS though can have full run of the OS, permissions be damned. It's why you can install apps without popping up the dialog (something in-app ads need to ask the user). From the looks of things, it looks like it ran with full system permissions, so the ads basically had full root permissions to do whatever they wanted. Including maintaining a root session for themselves.

    4. Re:Maybe BLU should open source the SoC drivers? by hairyfeet · · Score: 1

      BLU doesn't do anything other than rebrand Chinese phones so all they have to do is change their name and the address on their letterhead and away they go, not like BLU was a top shelf brand in the first place.

      For those that want a cheap Android phone without all the bullshit? Get an Alcatel, they have an app on their phones that lets you root it in under 3 minutes without using any third party malware like Kingoroot. I had mine rooted 4 minutes after booting, it was simple and easy and the phones are actually nice for the price.

      --
      ACs don't waste your time replying, your posts are never seen by me.

    5. Re:Maybe BLU should open source the SoC drivers? by greenfruitsalad · · Score: 1

      while they may be easy to root, there's almost no interest in them (on forum.xda-developers.com) and thus ZERO 3rd party rom support. it's sad because they're nicely priced and some of the hardware is really interesting.

    6. Re:Maybe BLU should open source the SoC drivers? by someoneOtherThanMe · · Score: 1

      Had an Alcatel Poptouch C3. It kept getting slower and slower, to the point of needing ~1 minute from locked screen to dialing. Rebooting only helped temporarily.

    7. Re:Maybe BLU should open source the SoC drivers? by thejynxed · · Score: 1

      Well, the interesting bit is that the two Trojans identified as being the culprits didn't use the ads and app installs for anything else but to rake in unearned cash. They themselves autoroot any device they find themselves on and then the show begins. The question is, did the Chinese firmware company intentionally use those trojans, or not. I would have to think that they did, considering their past behavior.

      --
      @Mindless Drivel: 100% of Twitter posts ever Tweeted.

    8. Re:Maybe BLU should open source the SoC drivers? by hairyfeet · · Score: 1

      I never bother with third party roms since I have not the time nor the prerequisite android coding exp to vet their code, whereas with first party roms as we have seen with BLU researchers will find out if they are doing anything nasty soon enough.

      The hardware is good and affordable and easy to unlock, that is what matters to me. Simply strip out anything you do not want, install the apps you do and voila! Your own custom phone that only does what YOU want.

      --
      ACs don't waste your time replying, your posts are never seen by me.

  2. Re:Android is a cesspool by Anonymous Coward · · Score: 1

    So, then it is MORONS all the way down... good to know

  3. Re: Android is a cesspool by mSparks43 · · Score: 1

    android 3 4 and 5 were pretty terrible. 6 was all about security. 7 will overtake Apple in all meaningful ways.
    But let's be honest, if you know what you are doing, even the open and broken walls of android 3 could be secured to a greater level than the black box that is apple devices will ever.

    oh, and

    You're a moron.

  4. Re: Android is a cesspool by Anonymous Coward · · Score: 1

    Gingerbread rocked.
    I loved being able to mount my SD card on my computer with the USB cable.
    At least in Jelly Bean I could still copy files onto my SD card using KDE Connect.
    The excuses for making SD cards less usable on Android have always been lame, when the companies involved have an obvious incentive to keep you from copying files from your computer.

  5. The problem is ADUPS by Zombie+Ryushu · · Score: 4, Insightful

    BLU Needs to stop locking their boot loaders, and start letting people LineageOS their devices. ADUPS is turning into a Menace!

  6. Best cheap phone option still is the no data by deviated_prevert · · Score: 1

    That way any crapware on the phone can be castrated. It comes down to carefully choosing the phone to make sure it is not hosed with either carrier crapware or manufacturer crAPPS.

    Polaroid tried to break into the unlocked market and seems to be failing without having a secret revenue stream. Their 6 inch dual sim is a decent and super cheap phone and is as close to a stock android install as I have seen. I bought one for my wife and found it to be free from adware and garbage apps. Obviously some of the cheap unlocked phones are going to try the adware/spyware route. The only solution I see is if you just want a phone with no carrier lock then make damn sure that the android install is not polluted and you can remove garbage apps that try to go online without consent.

    The phone plan that we have is set up so that the browser function and any other app including e-mail cannot use LTE, the voice search function of chrome is switched off. NO DATA PLAN PERIOD. It does mean that we cannot send text with pics but this is how you dig yourself into the cell phone 100 plus dollars a month rabbit hole and the carriers love it! SCREW THAT! We only use the phone on the net if there is wifi available and keep the wifi turned off until we choose to enable it. For us it is a phone that can do the net but first and foremost it is a phone that we can choose to shut off when not in use and it does not keep us in the poor house!

    --
    This message was not sent from an iPhone because Peter Sellers really was a deviated prevert without a dime for the call

  7. Regardless not good enough by Carrot007 · · Score: 1

    I tried a BLU device because of the price. But the quality control was horrible. The backlight was not even and often did not work. Decided to go to the next tier and got a Wileyfox and could not be happier.

    --
    +----------------- | What is the question!

  8. So where are the RED phones? by Chris+Mattern · · Score: 1

    Reliable Excavation Demolition wants to know!

  9. Blu R1 Plus by SeriousTube · · Score: 1

    I got a Blu R1 Plus last spring on Amazon for $160. I am very happy with it. It doesn't have any unremovable crap on it or Amazon ads. It is a very nice piece of hardware imo. I mean obviously it isn't the same quality as Nexus 6P or something. I don't know of any other $160 phones that are as good though.