A good reason to avoid cheap Android smartphones

June 11, 2018
Threats

Having decided to buy an Android smartphone, one faces a crazy variety of choices. The number of manufacturers is growing, and there are thousands of opinions about which particular device to choose.

Customers are so overwhelmed with all these choices that for most of them, price becomes the main — and sometimes the only — deciding factor. And that’s where smartphones from less-known manufacturers come in: They promise the same features and quality for half the price of what well-known brands offer. Understandably, it’s hard not to be attracted by these generous offerings.

You know what, though? It’s not that simple. Quite often, when you buy a smartphone like that, you also get some hidden extras — for example, some preinstalled malware. Here’s what’s going on.

Trojan in a poke

Android’s big advantage is that it’s a very flexible mobile platform, which makes it popular among developers. Google develops the core software, but any manufacturer can customize it and fill a smartphone with its own native apps to make its products stand out.

Some of that native software consists of system apps: apps that the manufacturer installs in the /system/app or even the /system/priv-app (priv for “privileged”) folder of an Android device and that the user cannot uninstall. All well and good, but when you add a profit motive, the picture gets a bit murky.

In theory, a manufacturer can fill the /system/app (or /system/priv-app) folder with whatever it thinks customers might find useful. In practice, manufacturers use the opportunity to earn an extra buck, for example, by charging app developers to preinstall their apps. And sometimes, willingly or not, smartphone manufacturers fill the folder with malware.
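To see what a manufacturer actually put in those folders, the following added example (not part of the original article) groups the output of `adb shell pm list packages -f -s` by install location and lists privileged packages that are missing from an allowlist. The sample output, the package names other than com.android.settings, the allowlist and the function names are constructed for illustration.

```python
import sys
from collections import defaultdict

# Constructed sample of `adb shell pm list packages -f -s` output.
# Every package name except com.android.settings is made up.
SAMPLE = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/app/Calc/Calc.apk=com.example.calc
package:/system/priv-app/FotaSvc/FotaSvc.apk=com.example.vendor.fota
package:/data/app/~~Qx1==/com.example.browser-9z==/base.apk=com.example.browser
package:/product/app/Weather/Weather.apk=com.example.weather
"""

def classify(apk_path):
    """Map an APK path to the folder class the article describes."""
    parts = apk_path.strip("/").split("/")
    if parts[0] == "data":
        return "updated"        # system app with an update installed over it
    if "priv-app" in parts:
        return "privileged"     # e.g. /system/priv-app
    if parts[:2] == ["system", "app"]:
        return "system"         # /system/app
    return "other"              # other read-only partitions (/product, /vendor, ...)

def inventory(pm_output):
    """Return {class: sorted package names} from `pm list packages -f -s` text."""
    result = defaultdict(list)
    for line in pm_output.splitlines():
        line = line.strip()
        if not line.startswith("package:") or "=" not in line:
            continue            # skip blank lines and adb warnings
        # Paths under /data/app can contain '=', so split on the last one.
        path, name = line[len("package:"):].rsplit("=", 1)
        result[classify(path)].append(name)
    return {k: sorted(v) for k, v in result.items()}

def review_first(inv, known_good):
    """Privileged packages missing from a reviewer-supplied allowlist."""
    return [p for p in inv.get("privileged", []) if p not in known_good]

if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    inv = inventory(text)
    for kind in ("privileged", "system", "updated", "other"):
        print(f"{kind:10} {len(inv.get(kind, []))}: {', '.join(inv.get(kind, []))}")
    print("review first:", review_first(inv, {"com.android.settings"}))
```

With USB debugging enabled on the phone, real output can be piped in, for example `adb shell pm list packages -f -s | python3 inventory.py` (the script name is a placeholder).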

Preloaded malware can show you ads you can’t avoid, or collect your personal data to sell to third parties — or combine the two intrusions, showing you ads based on that data. It all helps decrease the final price of the device. Nice business model!

A preloaded Trojan that allowed criminals to overlay ads over the OS was found on devices made by relatively big developers such as ZTE, Archos, Prestigio and myPhone. Another investigation found that OnePlus and BLU smartphones were preloaded with spying software that was collecting sensitive personal data and sending it to the manufacturers’ servers.

Funnily enough, most of the manufacturers we mentioned are listed as certified partners on the Android official website. That means that preinstalling malware is becoming something of a common practice, and you can’t simply rely on a well-known manufacturer’s honor.

Buy — but verify

To minimize the risk of purchasing an infected device, or at least to identify a device that will show you advertising in practically every app and collect your personal data without your permission after the purchase, we highly recommend the following:

  • Do your research: Chances are, the phone you’re looking at has already been discussed on the Web — especially if owners are complaining about preinstalled malware.
  • As is often the case, if something looks too good to be true, perhaps it is too good to be true. It may be wise to avoid smartphones that are radically less expensive than comparable models — it’s not unlikely that their manufacturers are using some shady practices to recoup the money that isn’t on the price tag.
  • Check the certification status of your Android device to be sure that its firmware has been tested by Google. Certification doesn’t guarantee that there’s no malware preinstalled, but certified devices are significantly less likely to be infected before sale.
  • Install a reliable antivirus utility that will inform and protect you the moment it encounters a malicious program. With malware sometimes installed before a buyer unboxes a new purchase, your smartphone can be infected no matter how safe your behavior.