The market for Android phones and tablets (plus other devices) is huge, Android is dominating the market at almost 90%, followed by iOS around 10% and rest together less than 1%. Google claimed in May 2017 there are 2 billion active devices worldwide.
IT security for mobile devices is a huge topic and we face similar threats as in the desktop OS landscape with virus, trojan horses, backdoor apps and other malware. Some remarks about this at the end of the article.
The mobile phone manufacturer segment is still dominated by Samsung, followed by Huawei, LG, Motorola, to name a few. A medium range device with decent specs costs around $200 to $400.
Apart from the known brands there is wide range of china produced phones at a partially much lower price. Remark: The famous brands might produce as well in China but you pay a higher price for the brand in some sense.
Wouldn’t it be great to get a phone with good specs for less than $100,- ? Some of the brands are HOMTOM, Cubot, OUKITEL, Jesy, DOOGEE and other never-heard-of names.
The temptation is great to buy one of these phones, but it comes at a price. How do you value privacy and security ? Already end of 2016 these devices made it into the news because of sending user data over to servers in China.
Android Phone connections
Lets get some hands-on and investigate with a current phone. I bought a phone for the sole purpose of development testing, not to use for calls or storing sensitive data. I decided to get a BLACKVIEW A7 PRO, available at U$ 70,- from various online stores.
Blackview A7 Pro Android Phone
The phone casing and screen makes a good first impression, the specs do not need to hide behind other medium range phones:
- Android 7.0
- MTK6737 1.3GHz, Quad Core
- 2GB RAM
- 16GB ROM
- 4G/LTE with 2 sim card slots
- 5″ HD screen
Out-of-the-box it comes with the default Android apps, access to the Google Playstore and without any visible bloatware.
Before getting too much excited lets take a look at the communication this device tries to establish after connecting to the internet. I installed a connection and communication inspection tool, these tools are available on the Playstore too. I do not recommend any specific tools here as some of these tools have questionable permission requests.
It does not take too much time before the device starts communicating with a server based in China.
Both domains are registered with a hosting company, but you find plenty of news and forum entries if you google for them.
Most interesting is the pre-installed Beau _t_ ySnap application that is not only invisible as app to the user but permanently running in the background. You can find it with a package inspector. Looking at the permissions the application is not only hidden but also very generous with system access.
Needless to say you cant restrict the permissions because it is not visible as app but part of the firmware. It also seem to request for hardware specific permissions.
Lets look at the traffic and the data exchanged, seems the app tries to call home a few time per hour.
Quite obviously they transmit some basic data un-encrypted, like version, current internet connection (wifi), the phone (A7Pro), timezone, screensize and they created a user id to identify the device (aka its user). IMSI and IMEI are not used, though the fields exist. There are some extra fields with encrypted info, I suspect the soc, scc, noc,.. fields might store the celltower info, which serves the coarse geoloaction even if you have GPS disabled.
The least I could do with this phone without rooting it, is to disable the Be_a_utySnap application. Do this by going to Setttings – Apps, enable the display of system apps, select Be_a_utySnap and disable it.
Besides this app, there is still the A_dU_ps FO_TA app and the M_T_K_Logger which are worth looking at. They cant be disabled. I have not caught them yet transferring data out.
- Cheap comes at a price. If you are concerned about privacy and security do not buy or use such a phone as your main device to access sensitive personal data or sites like online banking, etc. If you dont want to be tracked and data sold or given to other unknown parties this phone is not for you either. Though there is no guarantee expensive branded devices are protected or cannot be affected too.
You can use the phone when you know how to disable the spyware elements (and still be careful) or root the phone and install another OS like LineageOS (which comes with separate risks).
- Do not download applications (apk files) from outside the Google Playstore as the minimum protection and be careful even you download apps from the Playstore by looking at the permissions of the app. You dont need to get a malware infection if you allow a regular app do retrieve your contacts, phone identity and location without knowing what the company behind the app does with the data. GDPR might be irrelevant and impossible to enforce if the app is provided by a company in some non-EU country and has no proper business entity.
Comments on the Android threats landscape
Unlike in the Windows world where we learned the hard way to deal with virus and malware, pretty much securing the OS after treats materialized. Though the first viruses made their first public appearance in the 1980’s, only in 1990/91 the first serious antivirus products were established.
When Android was born some safe concepts were integrated, and with the newer releases more and more security measures were taken (please refer to the below links). Some key elements:
- Apps run in a sandbox and cant access the OS.
- Apps are deployed through a central repository (Playstore)
- User can can control system access via permissions
- Controlled inter-app communication
Certainly some user still break this by downloading apk files from outside the store, rooting the device, allowing all permissions, etc.