Potentially millions of Android TVs and phones come with malware preinstalled (arstechnica.com)
274 points by PaulHoule on May 21, 2023 | 203 comments



I bought my wife’s uncle a cheap Android phone after his old flip phone broke. At the time he needed to use Uber for his work commute, so a smartphone was in order. I helped him set up a Google account, downloaded some important apps and showed him how to use them.

Fast forward 2 weeks and he’s complaining the battery only lasts a couple hours.

The Lock Screen was littered with gambling ads, there were all kinds of apps installed, and the phone was basically unusable.

He claimed to have no idea how it happened. I assumed he was just clicking on any/every pop up. Maybe he really downloaded 1 bad app which then self installed the rest of this crap?

Anyway, I went back to the store and bought him an iPhone SE. That was years ago now and haven’t heard a single complaint since.

I think android phones aren’t for the tech illiterate. It’s way too easy to screw them up.


Apps can't just install other apps. You need system level permissions for something like that to happen.

It's possible malware somehow found its way to the phone, but the more likely scenario is that the phone was infected out of the factory.

The bottom of the barrel Android phones (no name brands, often phones <$200) feature system level adware that downloads and installs more crap as time goes on. It's one of the reasons these phones can be sold for that cheap.

I have to wonder what brand phone you got him. I've never seen this happen on brand phones, it's always the AliExpress/Amazon crap that's full of ads in seconds. Spend the same amount of money you'd spend on an iPhone SE and I highly doubt you'll get the same result.


I've owned several OnePlus phones, all bought straight from the company except the most recent one, which is T-Mobile branded and bought from the T-Mobile store. Unlike the previous ones, this one has strange behavior around app alerting permissions: I block all alerts from Starbucks or Prime Video, for example, and they're quiet for several days/weeks, then start alerting again. I thought I was misremembering at first, so I started taking a screenshot every time I turned off all alerts for an app and confirmed it's real behavior. I'm sure it's just a bug or something, but the conspiracy nut in me wonders if companies like those can slip T-Mobile some money under the table and get them to "fix" people's alerting preferences.


Android will retract permissions automatically if you haven't used apps for a while. It's possible that this mechanism is implemented wrong (i.e. they just reset the permissions regardless of whether they've been denied before).

I personally stopped trusting Oneplus a while ago. They once were the champions of open source Android phones with affordable models and clean ROMs, but they seem to have changed lanes to become your average Chinese smartphone manufacturer a while back, with expensive phones, questionable business practices, lacking update guarantees and support, and so on.

I've never trusted a carrier branded phone, that basically adds a layer of crap and problematic customization that I don't need. Carriers and ISPs are notoriously shit at providing useful services, that's why Apple become popular for refusing customized phones, and their incompetent and malicious layers on top of already mediocre Android implementations are just a recipe for disaster.

I realize these types of phones are much more common over in the USA, but there's a reason they're cheaper than when you buy the phone from a normal store and it's not because your carrier sympathizes with your financial situation and decides you deserve to save some money.


That's a fairly recent development.


This behavior drove me crazy enough to get an iPhone and I’ve never looked back. Respect my settings, Google.


I can't help but think that some sort of regulation here is overdue. You shouldn't need above average technical literacy just to avoid buying a product that actively and intentionally harms you.

The current status quo actually stifles competition, because the only way to reasonably avoid these products is to limit yourself to an oligopoly of established (and expensive) brands. Between the two extremes of reputable and adware-subsidized devices, no-name manufacturers that just want to compete on price with shitty hardware and limited support/updates have no real shot.


You either pay for the product or you are the product. No different than “free” software. Want a smart phone you’re going to pay for it one way or the other.


Not really sure what you're getting at. The devices we're discussing are cheap, not free.


> no name brands, often phones <$200

There are plenty of perfectly respectable phones available for less than 200 USD. At least they are in Norway, for instance, Moto, Nokia, Xiaomi. My Moto G30 (>6 inch display, 128 GB storage, 64 MP main camera) from Lenovo was only 120 USD a couple of years ago.

Can't imagine why anyone would buy a no name mobile at the same price.


Xiaomi have great hardware, but I can't trust their software one bit :(

If I need an inexpensive phone, I usually buy a refurbished or used phone from a good brand, like Sony or Samsung or Google.


Xiaomi makes it very easy to unlock the bootloader and install a custom ROM. Of course you should trust the ROM makers and learning how to flash every device takes a little bit of time but I think is worth it.


Do they still require you to make an account with them and wait a few weeks, or am I thinking of a different manufacturer?


Actually that's a protection. Many frauds were found to custom unlock the phone and sell those phones with malware, so they decided to make the unlocking process hard. Phones are unlocked by bad people, too, but I agree that's quite annoying.


> downloads and installs more crap as time goes on

That’s wild. Self replicating bloatware. How could this even be legislated against? I can’t figure out how to legally qualify something as “bloatware” vs something the user would want to automatically download/update.


With the amount of data this crapware collects, basic privacy regulations should do the job. Trojans and adware are already on the boundary between legal and illegal at best in many countries.

The problem is that nobody will go after the FWUWGFISA brand of phone on Amazon. They disappear next week and reappear as FUFWEIW. Either Amazon needs to get their crap together (I doubt that'll ever happen) or consumers need to make better purchasing decisions than "let's sort by price and pick the first one in the list".


Or the regulation could target amazon for selling sub par goods.


Easy on that one too: make the seller partly responsible for the shit they sell. Amazon is profiting from the situation, so make them responsible as well.


That'd be ideal, but that would also end sites like eBay and other points of sale for second hand items for good. You could make an exception for second hand sales, but then every shady foreign reseller will just list their item as refurbished.

I don't think there's a good way to solve this problem without massively impacting businesses that do deserve the benefit of the doubt. The driving force behind this crap is consumers preferring the slightly cheaper Amazon rates despite all the news about scams. Perhaps some public education campaign about the problems with resellers can help, and maybe some legislation forcing platforms to show the branding of the actual seller instead of their own, but I don't think placing the responsibility directly on the platform is a good solution to this problem.


On Android when installing from an unknown/unverified source, the installer can literally prompt you with a link to the correct settings page where you can enable installing from other sources, and once you click it opens the correct page, scrolls to the right toggle switch, and highlights it for you. So I totally believe OP's story.


If you enable that setting, your browser can install other apps. The app you're installing can't. There used to be a global toggle, but that's been removed for years. Sure, the app you've installed can prompt for installer permissions, but that's a second prompt you need to go through.

Even with this permission, you still need to manually verify every app you install. Background installation is reserved for apps part of the system image (i.e. Google Play, Samsung Store, Huawei Whatevertheycallit, etc.).

These apps don't just appear, they need to be confirmed every single time. For a dropper to get installed into the system and successfully install another app, you need to confirm four different security prompts. That also assumes Play Protect doesn't immediately get rid of the dropper; antivirus scanning, even for apps not part of the Play Store, has been built into Android system images for this reason.

I completely believe their story, I've seen these ad ridden crapdroids with my own eyes. But every single time they have come with malware preinstalled by some shady AliExpress/Amazon reseller.
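As an added illustration of the installer-attribution point in the comment above (this is not a comment from the thread, and the dump and package names are constructed): a POSIX shell script that groups the output of `adb shell pm list packages -i` by the package that installed each app and flags any installer outside a trusted-store allowlist, so a preinstalled dropper that has been quietly installing further packages shows up together with everything it installed.

```shell
#!/bin/sh
# Added example, not from the thread. Audit which package installed each app on
# an Android device. With a real device: adb shell pm list packages -i | sh audit.sh
# Installers a user would normally expect: Play Store, the manual sideload
# installer, and "null" (apps that shipped in the system image).
TRUSTED_INSTALLERS="com.android.vending com.google.android.packageinstaller null"

# Constructed sample of `pm list packages -i` output (not from a real device).
# com.vendor.updater poses as a system component and acts as a dropper.
SAMPLE_DUMP='package:com.android.settings  installer=null
package:com.google.android.youtube  installer=com.android.vending
package:com.example.flashlight  installer=com.android.vending
package:com.vendor.updater  installer=null
package:com.ads.lockscreen  installer=com.vendor.updater
package:com.games.casino  installer=com.vendor.updater'

# Read dump lines on stdin and print "<installer> <package>" per line,
# silently skipping anything that does not match the expected format.
parse_installers() {
  sed -n 's/^package:\([^[:space:]]*\)[[:space:]]*installer=\([^[:space:]]*\).*$/\2 \1/p'
}

# Read dump lines on stdin and print one line per untrusted installer:
# "<installer> <count> <installed packages...>", sorted for stable output.
flag_untrusted() {
  parse_installers | awk -v trusted="$TRUSTED_INSTALLERS" '
    BEGIN { n = split(trusted, t, " "); for (i = 1; i <= n; i++) ok[t[i]] = 1 }
    !($1 in ok) { count[$1]++; pkgs[$1] = pkgs[$1] " " $2 }
    END { for (inst in count) print inst, count[inst] pkgs[inst] }' | sort
}

# Run the audit over the constructed sample.
audit_sample() {
  printf '%s\n' "$SAMPLE_DUMP" | flag_untrusted
}

# Stand-alone use: `sh audit.sh --sample` prints the flagged dropper from the
# constructed dump; without the flag, pipe a real dump into flag_untrusted.
if [ "${1:-}" = "--sample" ]; then
  audit_sample
fi
```

A flagged installer is a lead, not a verdict: a legitimate third-party store will also appear here until it is added to `TRUSTED_INSTALLERS`.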


Background installation for 3rd party apps was added in Android 12. You only have to complete the manual approval the first time


Or an OTA was pushed out with adware. Samsung and Xiaomi phones do this a lot.


I've never seen anything as aggressive as what the parent describes on either Samsung or Xiaomi.

Xiaomi is the worst, selling top spec phones for dirt cheap by subsidizing them with ads, but even they never ruin your battery life by spamming ads all over the place. Plus, you can turn them off during setup, but most people just hit next to get the annoying setup screens to disappear it seems.


I bought a used Samsung A50 a few days ago as a spare phone. I had Windows Phones and iPhones previously but never got an Android device for myself, and I never saw anywhere (even in the case of my mother's obscure low-end Android device) so many vendor apps being installed in such a short time after entering the WiFi password.

The default choices for settings were terrible. Some components aren't even configurable at all - lots of Samsung's apps and default Android stuff can send notifications, sit in the background all the time or report location if it's enabled.


Kind of like Windows 11.

Worst OS I’ve ever used. Absolute dog poop.

Seriously - this machine crashes several times a day, FF in W11 takes WAY more resources than needed - and when I am browsing simple websites on a premier gaming laptop it thinks it needs to drop into 'top gaming performance mode'

and TABS! actually crash on this machine.

I go through at least 3 reboots a day just browsing the web.

Windows 11 is absolute dogshit.

And not to mention they are putting news and ads on my fucking start menu?

Also trying to get me to use microsoft outlook 365/whatever as my primary login initially...

F that. W11 is hands down the worst microsoft product ever made, that I am aware of.


Weird. I'm running Windows 11, and I reboot every week or two, if that. I have no problems with performance whatsoever. Mind you, I'm not a big fan of 11, but I certainly haven't seen the issues you're describing.

Honestly, my Windows machine needs no more attention than my Mac OSX machine. Technically, more, but I do a lot more heavy lifting on my Mac (so I need to reboot more often to free up memory and such).


Do you have a FW rule for blocking any and all ads/whatever connections whereby MSFT is slurping ads/news from?

EDIT: Rather; can anyone help everyone with a write-up for locking MSFT ads out and keeping normal function?

Anyone 'wireshark' this bitch?


When something ubiquitously used breaks that often you should stop to consider if maybe your experience is not normal, and so seek to find what's wrong with it.

Hint, there's likely a problem with your hardware.


That's not normal at all. I have a healthy amount of hatred for Windows 11 myself, with its awful push to Microsoft accounts and the preinstalled crapware, but full system crashes are very rare in my experience. That sounds like a hardware issue (bad RAM?) or a broken driver to me. Gaming mode being triggered by browsing tabs does make it sound like some preinstalled tool by the laptop vendor is messing up.


Strange. Check your RAM maybe. I can't remember the last time Windows crashed on me.


More likely not enough swap space.

Windows doesn't overcommit and in GPU-accelerated apps these days the driver commits never-used main memory to back GPU memory.

Result is some users will have tabs and apps crash from out of memory even with 16 GiB of main memory if swap is disabled or very small.


I think this may be the answer... I'll investigate.


When you say "check your ram" do you mean consumption, or quality?


Run the memory test that comes with Windows. It takes like an hour or something, and will tell you if the memory is malfunctioning - that would explain all the mysterious crashes.

I've had this problem out of nowhere one day (computer would not stop crashing randomly) and it turned out to be a defective memory stick. All good after replacing it.


Sometimes bad quality RAM chips, or RAM set with the wrong timing in UEFI, or just not properly seated RAM, can cause problems similar to what you've described. Anecdotally I have W11 installed on 5 different machines and none of them have the issues you're describing.


It's been a few years since I used an Android phone daily. But one of the nice things about iOS is the granularity of permissions. For Android, app permissions are asked once during install and you take it or leave it. iOS is constantly renewing requests for location permissions and other things. And it reinforces that you are in control of your device. If you don't want an app or site to have location data you don't have to give it.


> For Android app permissions are asked once during install and you take it or leave it

It hasn't been like this for at least 5 years (maybe more), your knowledge is out of date.

Android permissions are asked whenever needed, granular and regularly expire automatically.


The same is true on Android today. You are asked for permissions the first time the app needs them, not at installation time. And various things require various permissions, you don't get asked in bulk.


Android also reaps permissions that haven't been used recently. In the case of location, Android prompts for renewal even if it has been used recently.


Are you comparing the permission system iOS has today with the one Android had a decade ago?


> For Android app permissions are asked once during install and you take it or leave it.

This is not correct. In fact the permissions paradigm for both systems is basically identical.


This is an irrational comparison. You are comparing an expensive brand phone to a cheap no name Android phone. If anything, you should compare the iPhone SE to a device by Samsung or similar which costs as much as the iPhone SE. I highly doubt you would get any malware there.

The article also mentions that the problem is not with Android, but with some unknown phone brands.


The comment is talking about installation of adware, which you can install on any Android device, including the flagships.

The Apple App Store does have shady apps (see for example the recent ChatGPT clones) but the problem there is much less severe. Whether it stays that way with alternative app stores proposed in the EU is an interesting prospect, and a separate question though.


Adware can also be installed on any Mac or Windows device, no matter the price. Apple fans always gesture at a supposed threat of breaking the AppStore monopoly, yet they conveniently ignore that such a monopoly already doesn't exist on their beloved Macs.


This sort of comment makes sense if you think phones = computers.

But a lot of people including myself think of them more as consoles or appliances.

And so it makes perfectly logical sense that we want the flexibility and freedom on our Mac but not on our phones.


No, it doesn't make sense, people want freedom on their appliances as well (hint: printer cartridges).


Do you not remember how much of a problem malware was on Windows just a few years ago? It's why the AV industry is a thing now. It's gotten a bit better but it's still a valid concern.


Evolution. Operating systems, and more specifically, security have been constantly evolving.

Bad actors have exploited vulnerabilities and because of that there has been a bigger emphasis on security, even down to the hardware level.

One could argue that the sandbox model used in iOS and other operating systems is a response to that era of malware. And we’re more secure because of it.


I don't think it's much of an issue anymore on Windows. A smartphone OS is also more locked down in terms of user rights.


Ironically, the only device I ever had to fix adware was on an iphone. Don't know if it's still possible but all the calendar got infested with ads which notified the user in loops.


For a while people realized that if you spam calendar invites they appear on your phone. Not sure how that was solved.


It wasn't even an invite, it was a calendar source (not sure of the exact name) which kept spawning more and more events as you go.


iirc there was a time where spammers would send calendar invites to random Gmail addresses.


Samsung has their own malware.


My mom has done this to every device she's owned. My Christmas visit starts by me asking her why she has four or five weather apps installed, every app for every local news station, apps for "coupons", and everything else I wouldn't touch with a ten foot pole. On her iPad, her lock screen has a CVS receipt of garbage notifications.

Frankly, the problem is the ubiquity of native apps. You don't need a native app to get the weather. It shouldn't have any permissions. This is the whole premise of the web. The web has its own problems, but it can't ruin a device like poorly-considered native apps can.


iOS penalizes apps that abuse background privileges (running too frequently, running too long, being too resource hungry), so their background tasks get run less and less frequently over time.

So at least on iOS, the impact of native junkware is limited to notification spam and can't run battery life into the ground as badly. It's not much worse than PWAs can do with webworkers and push notification permissions (and if someone has been granting every app push permissions, you can be sure they'll do the same for PWA push permissions).


Against all odds, she hasn't enabled notifications for a single website. She knows she doesn't like getting notifications and usually always declines.


This also exposes a strange design decision involving the entire app system. Why do they need to be installed? You don't go to the manufacturer's web store and then explicitly install a web page so that you can then use a web app.

Apps are a remnant of the personal computer experience of installing software. But for better or worse that ecosystem does not really exist on phones. Apps exist in a sandbox environment with fine-grained permissions for device access. Really they should just transparently install and run and uninstall. It should behave like a web page with a saner execution environment. The main reason the app ecosystem exists the way it does is so the OS manufacturer can seek rent on the device.

This is why I am so thankful the internet and the web were developed in an academic environment rather than a commercial environment. Centralized rent seeking was not a design goal of the internet.


He wasn't making it up. I work with a nonprofit and we needed 40 cheap tablets to run some custom app that we wrote. I had tight control over what was installed and clicked on.

After 9 months of using the tablets, they all would have an ad pop-up on the lock screen. I'm guessing that they came with malware that activated after X months of use.

Anyway, we wiped the tablets and reinstalled our app from scratch. It wasn't too hard because the tablets were single-purpose, but if those tablets were personal tablets with all of my favorite things, it would suck.


>cheap tablets

Those things are the bane of my existence. I support / develop some tablet / phone business apps. Some customers cheap out up front on tablets and then I have to listen to them complain that leopards ate their face (the tablets come with pre-installed garbage, one of them demands you log in to at least 3 different services on every reboot, strangely slow / unpredictable OS response times to simple API calls...).

It's horrible, I own a couple of the customer's tablets to provide better support and +90% of the time the issue is "you cheaped out and bought a crappy tablet".

These folks save sub $10K or even way less than that up front and then these crappy tablets and their crap-ware eats up their productivity endlessly. Sometimes they have compliance issues with their own people because they tried rebooting and it takes FOREVER for the cheap tablet to actually be usable so their employees don't do the thing with the app at all...

I just tell them all they should have bought iPads / we recommend buying an iPad.

At this point I'm quietly lobbying that we stop supporting Android "unofficially" and push anyone new to use iPads. Android support will be there for the sake of saying we support it... but only as an alternative / best effort just because the ecosystem is full of such bad products / eats up our time with "not the application" / "your people didn't do the thing because they hate their tablet / it didn't work" issues.


There are tolerable (minimal crapware) cheapish Android tablets out there, but you're looking at ~$200US minimum to get those and they're still going to have terrible performance and won't be able to even handle homescreen animations without dropping frames. At that point you might as well spend that extra ~$100 for an iPad for even less crapware and a SoC that won't struggle with trivial things.


For a single-purpose device running custom software you wrote, I would consider Linux rather than Android. A couple of years ago, I wanted something similar on a smartphone, and postmarketOS https://postmarketos.org/ worked rather well for me. The OS is based on Alpine Linux.


> cheap tablets

What brand?


> I think android phones aren’t for the tech illiterate.

As an Android user, I think I'm on-board with this sentiment. Anecdotally, most of the people I know with Android phones are in IT; specifically software engineers.

I once had to transfer files that were downloaded on my phone to a work laptop that couldn't access the external internet and had no access to external storage. I installed Termux on my Android phone, dropped to the Linux terminal, installed http-server and spun up a server on the local network. I was then able to download the files I needed off of my phone.

Quirky scenarios like the one I mentioned where I can "MacGyver" my Android phone is why I really like the platform. And then there's F-Droid so I don't have to deal with those pesky apps from the Google Play store.


> I once had to transfer files that were downloaded on my phone to a work laptop that couldn't access the external internet and had no access to external storage. I installed Termux on my Android phone, dropped to the Linux terminal, installed http-server and spun up a server on the local network. I was then able to download the files I needed off of my phone.

I don't get it, why didn't you plug in a USB cable?


Android file transfer is implemented via the terrible ancient standard MTP[0] which has spotty support anywhere but Windows.

I wish Android devices instead worked like iPods, which had a partition that mounted as a plain old USB/Firewire disk when plugged into a computer.

[0]: https://en.wikipedia.org/wiki/Media_Transfer_Protocol


It's so mindboggling that we still use it. With every phone becoming a camera phone, it's unusual NOT to have hundreds or even thousands of 2-3MB photos on your phone. But try to copy your Camera folder on a PC, and Win Explorer acts like it has a heart attack! And it hasn't improved in an entire freaking decade!


Actually, old HTC and Samsung Android phones used to register as USB Mass Storage device, but Android changed that to MTP in version 5 or so.


I even remember a time when my Galaxy S4 Mini would ask me how it should represent itself when connected via USB; also DriveDroid to emulate a CD-ROM drive with a downloaded .iso in order to boot older computers that don't know how to USB.

Maybe I have been spoiled by the real-computer-in-my-pocket experience of custom ROMs.


> I went back to the store and bought him an iPhone SE. That was years ago now and haven’t heard a single complaint since.

I would assert that the iPhone SE is the best smartphone bang for the buck, especially for users in your family with a tendency to shoot themselves in the foot and need your assistance.

The $399 iPhone SE from 2016 got six years of OS updates and just got another security update last month. That's about $57 per supported year.


Bought a 1st gen SE in 2017, dropped it daily, nothing broke to this day. What a phone!


I've moved away from the Android ecosystem long ago, so I don't know if this is still maintained, but there's the Addons Detector app[1] which can be used to locate adware applications.

[1] https://play.google.com/store/apps/details?hl=en&id=com.denp...


There are loads of tools available to fix Android phones. The problem is that most people just use whatever comes preinstalled. It would be a fun experiment for someone to document and post here: buy the cheapest, most bloated phone you can find and then:

1. Run the Universal Android Debloater found on GitHub to disable all the crap.

2. Install some apps such as InviZible Pro to firewall the apps.


Just search the Play store for “antivirus” and install all of them.

/s that’s probably the problem with an unsafe OS by default.


>that’s probably the problem with an unsafe OS by default.

Considering how absolutely dreadful iOS has been when it comes to CVEs allowing arbitrary code execution with kernel level privileges, I don't really think anyone gets to talk about iOS being "secure" by default. Secure for your grandfather maybe. There's a reason Zerodium values iOS zero days less than Android ones too [0], which is quite telling of the amount of them they already have in stock. See also Pegasus, which literally had multiple no-interaction RCEs for iPhones through iMessage (because Apple keeps parsing files through horribly vulnerable parsers). [1]

Apple gets to pretend that iOS is secure because they control the app store, which is the only official point of entry, and iOS is closed source.

[0] https://zerodium.com/program.html

[1] https://citizenlab.ca/2021/09/forcedentry-nso-group-imessage...


> There's a reason Zerodium values iOS zero days less than Android ones too [0], which is quite telling of the amount of them they already have in stock.

You could be right, but I don't think it's a given that the latter follows the former. The reason that Zerodium values iOS zero-days less than Androids is more likely because the US and European governments that purchase these exploits from Zerodium value iOS less than Android, which itself could be attributed to there simply being more Android phones used by adversarial countries than iOS.


Nope. Case in point, Pegasus was used to attack the French Minister of Armies on her iPhone. Hard to attack someone more valuable than that. Zerodium doesn't blow zero days on showing ads to you, they are used for nation-state level attacks.


> There's a reason Zerodium values iOS zero days less than Android ones too

iirc it was the other way around for some time


This is a joke, right?

Many of these so called "antiviruses" are malware themselves.


In case you really don't know, the "/s" stands for "the preceding text was meant sarcastically".


I’m pretty sure it stands for “I was being sarcastic but my sarcasm wasn’t funny enough to read as sarcasm”.


It's a reddit thing which is why it doesn't land here on HN as well.



Ignoring the under-the-hood OS and subsystem: the Android UX started as a pocket PC, while iOS started as an appliance. Even today that is more or less the same, although they both converge in between as they look more and more alike.

I have a somewhat increasingly contrarian opinion on HN. Maybe Steve Jobs's original model was right / better. Only first-party and extremely selected third-party native apps. And everything else being Web / HTML5 apps.


The only good Android devices are the official Google Pixel series. Every other brand comes loaded with bloatware.


Nokia's Android phones are decent.


I hold the Nvidia Shield Pro in higher regard: to this day it still gets updates, since the last model in 2019, and gives support almost like Apple. Shame it's unknown whether a new version of this device will be released.


The basic Motorola "G" phones were also fine for many years as far as bloatware/adware, but hardly get any security updates.

I can't speak to bloatware on their latest versions, because I switched to a Pixel due to the update policy.


Pretty much. I loved the Nexus lineup and used the first Pixels but stopped buying them when the prices started approaching that of laptops.


Is the natural order of a public company to lower product quality and increase price?


What?

Haven't been following much (since I'm not interested in paying close to $1k for a phone) but from what I gather the Pixels are still excellent devices.


The brand-new Pixel 7A was priced $499 at launch with ~$125 freebies included in that price (free Pixel Buds or $100 off Pixel Buds Pro, basic case they priced at $25).


You absolutely get adware on iOS, I remember at least the calendar ad infestation as an example, and I had my fair share of broken iCloud accounts to fix for my tech illiterate father as well. Don't know what they are doing on that aspect but even as a software developer, it was very hard to fix.


I think it's ads in free apps. I kept telling my mom to stop installing free apps on Android. She really wanted this one card game. She swears she never clicked on an ad, but she constantly had malware.

I pretty much forced her to go to iOS and she's been happy ever since. She really resisted me, though, and complained for a few months, but now agrees it's better.

I switched in Jan 2020. I got so sick of having to upgrade phones every 2 years to get updates. I understand that's changed now (Pixel phones get updates for 3 or 4 years?), but for more than a decade I bought a new phone every 2 years. I've had the same iPhone (11) since 1/20 and I will keep it for as long as it has updates and/or the battery lasts. So far, it feels like the day I got it.


Cheap Android phones coming from some countries manufacturing them (you know which ones) often have pre-installed shady apps disguised as regular bloat/admin process apps that can't be uninstalled, which deploy all kinds of attacks once the phone gets configured and online. The same thing can be said of any smartphone (and PC OSes), with the difference being you get spooked / polluted by known corps and so-called friendlies when you get Korean or US brands.

Nothing new, this has been going on since the early days of android / ios. Good hygiene: deactivate/uninstall any/all apps you can at first boot, reboot, then install anew all the apps you really use. Takes a few minutes/hours, worth it most of the time. YMMV.


It seems to me that targeting phones with built-in spying should be a higher priority for the USA than targeting TikTok.


It probably was the phone OS shipping with malware, but there is a different route that effects all phones, including iOS.

It happens that authors lose interest in maintaining their apps. Malware authors then purchase their developer keys, issue an update (but change nothing else), and you find yourself being woken up at 2AM in the morning by some screeching casino ad. Or at least that's what my wife's phone did to her, and of course it was immediately my problem.

I don't know if Android has an Update History for apps now, but back then it didn't. You don't know what app it is, because all the normal functionality is untouched so it works as before. In my case there were two of them - which was worse because my technique was to uninstall one by one, then re-install if the problem continued. After a week or two of experimenting I found the right combination of apps to uninstall and my nights became peaceful again.

The Play store cleaned them out after a while of course, but it was painful at the time.


Android is the new Windows 95.


New Windows is bloated with the stuff I don’t want to see as well.


A bloated setup provided by the store or carrier might be an apt analogy, but a phone running AOSP or a fork of it such as Graphene is better compared to Linux.


How many smart TVs have you seen running AOSP? Zero? Yeah, me too.


I was speaking about handsets. You can install AOSP on an SBC connected to your TV which is what I would do rather than use whatever is built into a TV.


Yeah, I always ignore the TV's smart interface and just use a set top box. Haven't tried rolling my own with AOSP yet, Apple TV is good enough.


I would switch to Windows 95 If I could.


Fast, user-respecting, and liberating?


Reminds me of my own comment, some time ago: https://news.ycombinator.com/item?id=33314868

I completely agree with your last sentence. The protected garden Apple creates is a blessing for most tech illiterate users.


At the same time, would you say they're therefore the better phone for the tech literate?


Make and model?


>downloaded some important apps

Why did you need to download anything besides Uber? You said that was the only thing he needed a smartphone for.


For the stuff the flip phone used to do. Sometimes OEM androids can replace normal features with their own garbage. A better media player and safer browser is a good idea too.

It really doesn't matter to the point of the story though.


What is safer browser? And also, safer than what?


A browser that's not a years-out-of-date Chrome re-skin is a safer browser. Pretty much anything that gets updated regularly is good enough vs that.

I prefer firefox with a few addons because I generally know what I want, but opera and brave have good defaults out of the box from what I hear.


The Trend Micro report[1] (linked in TFA) and the paper on residential proxies[2] mentioning hijacked IoT devices make me wonder whether the people shouting on HN and elsewhere about Cloudflare blocking their internet access are actually victims of a similarly malicious IoT device operating on their network.

[1] https://www.trendmicro.com/en_us/research/23/e/lemon-group-c...

[2] http://staff.ustc.edu.cn/~xmi/files/resi_paper.pdf


I've worked as tech support and I was surprised how difficult it was for people to find the infected device on their network. Many people don't even seem to think of their phones or tablets as things that can be infected, let alone their IoT smart cameras/temperature hubs/solar panels.

That goes for iPhones too. At some point a customer had managed to get their iPhone infected but they absolutely refused to believe me. I was able to log into their router and verify the source of the malware on their WiFi through a packet dump, but they still refused to believe a device made by Apple could get infected with malware.

Often, we'd take the customer's word for it that they scanned all their devices, remove them from the quarantine list, only to get back into quarantine a week later. After a few back and forths they'd switch ISPs and no longer were our problem.

This is also why I take all of those "Cloudflare is blocking me for no reason at all!" posts with a grain of salt. For sure, those behind a CGNAT ISP will become false positives, but the mere idea that something on their network can be causing problems seems to be taken as a personal insult rather than a reason to start hunting down malware. I also have my suspicions a decent amount of people on here could've made the list by running scrapers at home (I certainly have) or installing shady browser extension VPNs (I have!) but those require action from people themselves so that's hard to prove.


I think it's because people treat the news of an infection of their network the same way they do when learning they have an STI.

Deny and it can't be your fault.


Did you ever identify the iOS malware?

I wonder if it was a misbehaving app or had persistent root.


I was supposed to help customers hook up modems and reboot their routers, I wasn't really supposed to dig into this stuff (and when I did I'd usually get an annoyed manager asking me to focus on my job). It would've been a great learning experience, but nobody really knew much other than that some device on the customer network was interacting with some known C&C servers.

The customer wasn't particularly interested in finding out either, they blamed us for false reports the moment their XP machine was scanned and found no viruses.


I want to note that they themselves don't need to be operating those malicious devices; with the prevalence of dynamic IPs or NAT with ISPs, just being assigned a dynamic IP from the same block is enough to trigger any filter by IP.


I think I might setup future networks to block all incoming AND outgoing connections by default, and then only open the ones I know or want (and perhaps even some of them “for a time” when clicked).

I already block the IoT junk/cameras.


I've had that same thought, but fairly quickly been overrun by the number of things that need rules defined that I've gone back to 'just ban known badness'. (even my pihole setup needed an exception added recently for the one-off usage of a streaming service for the missus).

But it's still a goal I aspire to eventually.


Note that, as written, the headline is wrong: No Android TVs were affected, they were only talking about "Android-based TV boxes sold through Amazon".

Moreover, Trend Micro refuses to disclose which phones or even just brands were found to be infected with malware. Which raises the suspicion they are deliberately trying to create FUD.


Because unlike cybercriminals operating out of their home who can't consider a lawsuit because it'd only serve to surface their presence to law enforcement, companies can and do sue others on libel and similar grounds, even when there is no merit to the lawsuit.

LTT did a video[1] on the same topic showing a few Chinese smart TV boxes with malware. There is no reason to believe the report is illegitimate.

[1] https://www.youtube.com/watch?v=1vpepaQ-VQQ


> LTT did a video[1] on the same topic showing a few Chinese smart TV boxes with malware.

This is completely irrelevant as it doesn't contradict anything I said.

> There is no reason to believe the report is illegitimate.

It seems you didn't read the Ars Technica piece.


Right, and Trend Micro is a very tiny little independent mom and pop business who couldn't withstand a meritless lawsuit.

This hypothetical makes absolutely zero sense in reality. If LTT can name and shame, so can Trend Micro. It's that simple.


Legal typically never approves of any article or statement that has the slightest possibility of resulting in a lawsuit, unless there is a payoff, which in this case simply happens to be satisfying the needs of no-name commenters on HN. But let's walk through the cost-benefit analysis, just in case:

The rates for lawyers at well-known legal firms are about $300, and assume it takes 5 hours (which is a conservative estimate) for them to review the lawsuit and draft a motion to dismiss. A favorable outcome is not guaranteed, given that countries like the UK consider statements as libel even when the statements are true.

Still, assuming it takes only ~$1500 and the suit is dismissed afterward, they haven't had any additional income to offset the loss, and the $1500 can easily buy IDA licenses for a team member, which would be a far more productive use of the money.

As for LTT, they engage in many behaviors that legal wouldn't approve of. If I interrupted my colleague by saying "that's what she said" every two sentences, I would be fired the next day. LTT does it all the time, and there's nary a complaint (of course, I'm not privy to their internal operations).


Yes, or Trend Micro just wanted to get in the news with a spectacular sounding report. It would be a lot less interesting if all the affected brands were unknown ones.


It's arstechnica.


Xiaomi doesn't even try to hide it. They'll send your entire gallery up, make you accept their borderline insane T&C's just to use mundane apps (file explorer comes to mind), etc. They will reset your default app associations with every update and don't even let you unlock the bootloader unless you wait up to three months in some cases - and you have to register with your personal information and IMEI in order to do it.

It's nonsense. I'm really close to getting a "dumb phone" and calling it quits for mobile.


I considered buying a xiaomi 5 years ago and this makes me glad I didn't


"Uploading the entire gallery" is exactly what Google Photos and iCloud do. Samsung tried its hardest to get me to agree with it too. Even OneDrive tried to pull a fast one on me at some point. It's par for the course for modern operating systems.

I bought Xiaomi with the hope of it becoming popular enough to get LineageOS support, but a month after I bought my phone they released a slightly different version that actually became a hit so I was stuck with MIUI. The hardware in my phone was about equivalent with phones twice the price at the time and even features an IR blaster, which no other brands seem to do anymore, so it was worth a try.

If you read the T&C and deny the prompts, it's not that bad. You need to go through every Mi app's settings and disable ads, but after that you can use them just fine. They're great phones for the money if you're willing to deal with denying the stupid prompts. I very much knew what I was getting into, I just lost the LineageOS gamble. They come with Google Play so you can just download Google Drive/Photos/Files/Dialer/whatever and use the phone like any other.

I wouldn't recommend them to the average user, though they're often still a better deal than most of their competitors in terms of value per dollar.

Luckily, another custom ROM project picked up my phone and I'm pretty happy with it now. They're great phones for tech savvy people looking to save hundreds of dollars if you've got an hour or two to clean up the crap.


I'm no fan of the stock MIUI experience either, especially china-only variants, but with that said...

The bootloader unlock is 7 days and has been for every xiaomi phone I've owned.

You can turn off "Sync" which is xiaomi's backup/sync service if you don't want to sync stuff up to the cloud...

Providing your IMEI / phone number aka "personal info" is standard even across Apple with registering AC+ etc.

There's community roms that remove all the chinese bloatware that comes preinstalled (https://xiaomi.eu/community/) plus add a bunch of new features that make it a pretty awesome experience.


Can anyone recommend a hackable/open Android TV device which doesn't phone home and supports running Jellyfin, Tailscale? If possible, I'd like to get rid of any bloatware and only install the aforementioned apps plus Netflix and Amazon Prime.


The problem is that most of the cheap Chinese (minus all the adware) don't have Widevine support, so you won't be able to use Netflix in HD. Also, if you are sideloading apps, you'll need to do a lot of fiddling to get stuff working.

The Nvidia Shield is probably your best bet on the least amount of crap on there that still gets regular updates. You can change the launcher to hide the ads and lock down as much of the phone home with Adguard.

Also when you look at the majority of Android TV devices, none of them get any updates. The only ones that seem to are the Chromecast TV and Nvidia Shields. If you're in Murica, you can pick up the new Onn box for $20 but being that cheap it will probably be phoning home more.

End of the day you just want your TV to just work. If you start having to sideload Netflix/Prime/Hulu, sooner or later you're gonna end up spending hours just to fix it.


They also asked for Jellyfin, which is one way to overcome the DRM requirements. No need to bother with DRM if you just rip the media you watch.

My phone and computer don't get high res Amazon prime content either and I'm not going to bother with workarounds if downloading torrents is just as easy.


Read it again "only install the aforementioned apps plus Netflix and Amazon Prime."

Agree, having Jellyfin/Plex as your primary way to consume media makes life a lot easier.


Another good option and one that I’ve been using for years is a FireTV box (or stick). It can do Netflix and allows you to sideload apps like Kodi.


Have you managed to replace the launcher? When I do, after a few weeks it seems to get replaced back to the default Amazon launcher so they can show me ads.


Sorry I use the default launcher. I don’t see ads but that’s probably because I have pihole installed on the network.


My Sony Android TV got an OS update 2-3 weeks ago, which (afaik) included some security fixes. Granted this is a fairly recent model.

It's also trivial to sideload on it any app you want, just by changing permissions and allowing installations not from the Google store. It's also fairly simple to hide suggestions from bundled apps like Netflix etc from the homescreen - we don't use any streaming services.

Once you do that, there are zero ads on it. As opposed to other models, even flagship TVs from LG.

I actually bought this Sony model specifically due to the reviews that said this was the case. Kudos to Sony for making this. It is a tad more expensive than LG models, but it's worth it.


My TVs are Sony for the same reason. The Android/Google TV install is very minimal, won't nag you about not being connected to the internet, and can be updated via a thumb drive. It's perfectly happy to be used as a dumb TV.

I've never bought one personally, but have read that Sony Xperia phones also come with a pretty vanilla version of Android. If I were in the market for an Android flagship, they'd be in the running. They're pricier but I don't mind that if it gets me an OS with as little manufacturer meddling as possible.


There are official LineageOS ROMs for a couple tv boxes, namely the Nvidia Shield, Google ADT-3 and Dynalink Tv-box. The latter is not only cheap, but it seems to keep its DRM working after installing LineageOS, at least that was mentioned some time ago in the corresponding subreddit.

There are also some unofficial ROMs on XDA for other devices, and some dev also offers ROMs for Raspberry Pis on his website.


I tried LineageOS on the shield recently and ran into issues like gboard not working (not showing up on textbox selection), voice typing not working, and other jank. I regrettably switched back to the Nvidia stock image. I curiously still don't have the horrible Android TV home screen with ads but I did immediately change the system DNS to my own with AdGuard.


Thanks, that's good to know!

How is the Nvidia stock image beyond the home screen?


It's been solid for years and does everything that I need. I wish it would never change.


Follow-up comment, since one of the comments mentioned Nvidia Shield: I just realized LineageOS can be installed on various Nvidia Jetson devices: https://wiki.lineageos.org/devices/#nvidia

(In fact, there are also unofficial LOS builds for Raspberry Pi, too: https://konstakang.com/devices/rpi4/ )

This seems to match my requirement of "hackable" quite well, though Nvidia Jetsons are obviously not "fully open" or anything and a quick search yields various threads of people struggling a bit to get LineageOS running. But it does seem possible! (Not sure whether Netflix or Prime would run, though.)


Not Android but highly recommend https://osmc.tv/vero/


Thanks, hadn't heard of OSMC before but it looks like a Kodi "distribution"?

Does OSMC support Netflix, Prime? And do you happen to know how well Kodi<>Jellyfin integration works? A quick search brought up either crickets (Jellyfin) or long-winded discussions such as this one: https://discourse.osmc.tv/t/how-to-all-platforms-can-i-use-n...


Can't speak to the Netflix/Prime integrations but Jellyfin is perfect. Also the YouTube extension(after some FAFF setting it up) is a far nicer, ad free YouTube experience.


There are some custom ROMs that'll work for the cheap Amazon crap. These boxes often come rooted out of the box (useful for the malware they ship with) so if you find a good ROM and buy a box for that, you should be golden. DRM support will probably be broken, though. 480p will be all you get, so you'll need to expand your Jellyfin library.

The easiest method I can think of is to just get one of those Android TV Chromecasts. They're not much more expensive than the Amazon TV boxes and the software actually works and gets updated.


if the TV supports DLNA you can play stuff on the TV via DLNA, controlling Jellyfin (which is controlling your TV) via phone or tablet.


The TV is precisely the issue – it supports almost nothing. ;)

Besides, I want to be able to switch TVs without having to worry about the TV's built-in software every single time.


I don't know if Roku counts under the "phone home" umbrella, but my Roku has Jellyfin installed on it.


Thanks!

Do Netflix & Prime work on Roku? I also can't find any information about running Tailscale on Roku, beyond putting it on a different network and routing all traffic through a RaspberryPi or something.


Yes, Roku boxes are probably the most popular streaming boxes (besides Fire TVs and Chromecasts), so they work with all the major streaming services.

Tailscale does not run on Roku, unless you find a way to jailbreak it and side load a custom ROM, which I'm unaware of any. You would have to route all your stuff through a separate network device like a pi. But a Roku will connect to your local network, so you should be able to access anything that way.

I run Plex and Jellyfin on my home server and can connect either by local IP or through my reverse proxy domain.


The best is still the Nvidia Shield Pro.


Why android and not a small linux box, raspberry pi etc.?


I'd be fine with that, generally, as long as I won't need to spend days on getting Netflix/Prime/Jellyfin integration working.


Linus Tech Tips YouTube channel also did a review and found many cheap Android TV boxes were infested with malware. https://www.youtube.com/watch?v=1vpepaQ-VQQ

It was perfect timing since I am trying to find some simple solution to my old Roku I use to bypass my "smart" TV. But Roku is probably just as invasive privacy-wise.


FireTV stick or box is a good alternative. You can sideload apps like XBMC in addition to native support for streaming services. There are even hacks to replace the launcher.


Is there a good data source/site that keeps up to date on which smart TVs have which surveillance elements and what can be done to disable them?


This is actually a great argument for rooting (and unlocked devices in general), because there's no reason you shouldn't be able to just obtain a dump of the /system directory and upload it to Virustotal to see what's in there.

But to answer your question, no, there's no easy way for even moderately technical people to find out what's in their system image, except when we get a report such as this one.


Wouldn’t a malicious device be smart enough to lie to you about what’s in /system?


This is why the storage shouldn't be soldered. Then you could remove the drive and plug it into a known-clean system to inspect it.

Technically the drive itself could have malicious firmware (and this is another reason open source device firmware is important; it allows researchers to poke around). But if the storage was removable then you could also replace the drive entirely and copy the original drive's contents to it. Then if the original drive was giving a clean copy if you attempt to dump its contents, the clean copy is what ends up on the new drive.


Technically, yes, but it is quite difficult to perform a realistic emulation of an OS with shell facilities, as evidenced by all the system emulation issues on SSH honeypots e.g. cowrie[1].

[1] https://github.com/cowrie/cowrie/issues


The report didn't even say any smart TVs were affected, it only talks about smart TV boxes sold on Amazon, likely by some Chinese no name brand.


"a cheap Android phone"

A cheap Android phone or a cheap Android phone from a questionable brand/source? The root of the blame here isn't with the fact that it's Android, but more likely what was purchased for him. Probably a big batch of user error too as this was his first non flip phone.


"People in the market for an Android phone should steer toward known brands like Samsung, Asus, or OnePlus, which generally have much more reliable quality assurance controls on their inventory."

What is the author thinking? E.g. Samsung TVs come with malware preinstalled from the factory.

I don't know about the phones, but it has been nagging me to approve some "Bixby" and "Samsung Pay" spyware.

I am never buying a Samsung device again ...


You can actually remove Samsung Pay and Bixby completely, even without root: https://github.com/0x192/universal-android-debloater


https://news.ycombinator.com/item?id=21899491

Samsung, Google, and Microsoft are spyware companies.

Just because a large sum of people are "okay" with it, doesn't mean it isn't spyware.


Par for the course, looks like: https://support.apple.com/en-us/HT208351

The big difference being that Android is an Open Source project, so you can build an Android phone with all of the OEM spyware removed. The same cannot be said for, say, iOS. You just have to be happy with it, backdoors and all.


No you can't, because drivers.


There are Android SOCs that have complete functionality without proprietary firmware or external drivers. Many that do "require" proprietary drivers can be booted without them anyways.

Do you have any examples of spyware drivers that inherently prevent you from booting AOSP on compatible hardware?


Par for the course in china, sure


You're right. China only reports ~70 requests[0] for account access biannually, the United States is truly in another class with our 6,646 some-odd requests[1] for account access. Don't even get me started on the 4,500+ requests for device access, on top of the undocumented bruteforce entries with Greykey and suspect manipulation.

If you're convinced that Apple would bend the knee in China but not the US, you should take another look at FIVE-EYES and PRISM. Transparency is the only sane security model in a post-Snowden world. Insinuating otherwise without presenting accountable proof is what we call security theater.

When Apple publicly holds double standards for multiple countries, what makes you so certain they're not doing the same where you live?

[0] https://www.apple.com/legal/transparency/cn.html

[1] https://www.apple.com/legal/transparency/us.html


Nice. Thanks for the tip.


I will never buy a Samsung device whether a TV or phone or anything else.


This is... not news.

The flip side is that the cheap/unbranded stuff is almost always not locked down and easily rootable, so you can clean them out.

If we use the "does not act in the interests of the user" to define "malware", then many laptops also come with malware preinstalled. The last few that I set up, I did not even attempt to boot what was on the drive. It just got wiped and I started from a clean install.

People in the market for an Android phone should steer toward known brands like Samsung, Asus, or OnePlus, which generally have much more reliable quality assurance controls on their inventory.

I agree with the other comment here that this feels like a FUD attempt by the big brands due to the smaller competitors eroding their hegemony.


> To date, there have never been reports of higher-end Android devices coming with malware preinstalled.

One of my HTC phones (which was a flagship at the time) came with touchpad baked in as a system app, which was later discovered to be malware.


*touchpal, not touchpad.


This is why I put devices I do not trust (like these kinds of boxes) on a separate VLAN. My access points advertise a WiFi network with client isolation that can only access this VLAN. There is one hole in the firewall from its subnet to my Jellyfin server. The DNS server for that subnet has a whitelist for some of the streaming services on my TV and internet radio, and nothing else.
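The containment described in the comment above, written out as an nftables ruleset for a Linux router. This is an added example, not something from the thread or from any of the projects it mentions; the interface name, subnets and addresses are assumptions to be replaced with your own. Client isolation between the boxes themselves is an access-point setting and is not part of the ruleset.

```shell
#!/bin/sh
# Added example, not from the thread: nftables ruleset for an "untrusted devices"
# VLAN on a Linux router that also carries the trusted LAN. The boxes get one
# hole to the Jellyfin server, may only resolve names through the VLAN's own
# allowlisting resolver, and are cut off from every other private network.
# Interface name, subnets and addresses below are assumptions.

IOT_IF="${IOT_IF:-vlan50}"              # router interface on the untrusted VLAN (assumed)
IOT_NET="${IOT_NET:-192.168.50.0/24}"   # untrusted subnet (assumed)
RESOLVER="${RESOLVER:-192.168.50.1}"    # router's address on that VLAN, runs the allowlisting resolver (assumed)
JELLYFIN="${JELLYFIN:-192.168.10.5}"    # Jellyfin server on the trusted LAN (assumed)
JELLYFIN_PORT="${JELLYFIN_PORT:-8096}"  # Jellyfin's default HTTP port

# Emit the ruleset text; `nft -f -` reads it from stdin.
iot_ruleset() {
cat <<EOF
table inet iot_vlan {
    # Traffic the router forwards between networks.
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        # The one hole from the untrusted VLAN into the trusted LAN: Jellyfin, one port.
        iifname "$IOT_IF" ip saddr $IOT_NET ip daddr $JELLYFIN tcp dport $JELLYFIN_PORT accept

        # No other path into private address space (trusted LAN, management, other VLANs).
        iifname "$IOT_IF" ip daddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } drop

        # Boxes must use the VLAN's resolver: refuse plain DNS and DNS-over-TLS to anyone else.
        # DNS-over-HTTPS on 443 and hard-coded IPs bypass a DNS allowlist, which is why
        # new outbound flows are logged below for review.
        iifname "$IOT_IF" udp dport 53 drop
        iifname "$IOT_IF" tcp dport 53 drop
        iifname "$IOT_IF" tcp dport 853 drop

        # Whatever the resolver let them look up, they may reach on the internet
        # (only new flows reach this rule; established ones were accepted above).
        iifname "$IOT_IF" ip saddr $IOT_NET log prefix "iot-out: " accept

        # The trusted side may still initiate towards the boxes (casting, admin UIs).
        oifname "$IOT_IF" accept
    }

    # Traffic addressed to the router itself.
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept
        # From the untrusted VLAN: DNS to the allowlisting resolver and DHCP, nothing else.
        iifname "$IOT_IF" ip daddr $RESOLVER udp dport 53 accept
        iifname "$IOT_IF" ip daddr $RESOLVER tcp dport 53 accept
        iifname "$IOT_IF" udp dport 67 accept
        iifname "$IOT_IF" drop
        # Other interfaces keep whatever policy the router already had.
        iifname != "$IOT_IF" accept
    }
}
EOF
}

# Only act when asked, so the file can be sourced or inspected without touching nft.
case "${1:-}" in
    show)  iot_ruleset ;;
    check) iot_ruleset | nft -c -f - ;;   # parse only, changes nothing
    apply) iot_ruleset | nft -f - ;;
esac
```

Run `sh iot_vlan.sh check` first; the Jellyfin rule must stay above the private-range drop, since nftables evaluates rules in order and the first verdict wins. The `iot-out:` log lines are the place to notice a box contacting an address its resolver never handed out.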


Always assume all these cheap, obscure brands of electronics, from TV sets, to keyboards and security cameras are plagued with malware. I'm shocked to see how many people I know who are highly educated and tech savvy bring this junk into their homes, add them to their network and download apps to set them up and manage them.


It depends also on how you define malware. If it includes surveillance software that monitors what and how you watch, then pretty much all of them include malware. My Sony Bravia certainly does (something called Samba).


The reality is I don’t have all day to mess around rooting my TV. I could theoretically do it, but I don’t want to. I just want to watch a show on Netflix and relax.

Now if there was a service that did it for me I would consider paying for it. Sort of like a real life Curse Purge Plus [1].

[1] https://rickandmorty.fandom.com/wiki/Curse_Purge_Plus!


>These malicious updates collect data about the users that the threat actor, which Trend Micro calls the Lemon Group, can sell to advertisers.

Sorry but this sounds like Google or FB, I expected way worse unless Google and FB services are considered as malware as well


>The TV boxes, reported to be T95 models with an h616, report to a command-and-control server that, just like the Guerrilla servers, can install any application the malware creators want. The default malware preinstalled on the boxes is known as a clickbot. It generates advertising revenue by surreptitiously tapping on ads in the background.


This is a non-issue at this point. The truth is that people don't only tolerate, but deliberately purchase malware if it's more convenient. It's a tradeoff people are willing to make. How many of you run a backdoored CPU with IME? How many of you are fine with telemetry? You have been asking to be spied on for over a decade now and that's just what I can remember.


Any guide to detecting these? I have some of the cheapie set-top devices for a project and they are no longer being used. Connect via ADB etc?
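A first-pass answer to the question above, which also puts the earlier suggestion of dumping the system image and checking it against VirusTotal into practice. This is an added example, not a guide from the thread, from Trend Micro, or from the article: it inventories the packages the device itself calls "system" apps over ADB, pulls their APKs without root, hashes them, and can look a hash up on VirusTotal's v3 API. The output directory, the constructed sample lines in the comments, and the assumption that APKs on the read-only partitions are readable by the shell user (true on most builds) are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread or from Trend Micro: first-pass triage of an
# Android TV box or phone over ADB, without root. The dump is only as honest as
# the OS serving it, so treat it as a starting point, not a verdict.

OUT="${OUT:-./triage}"   # local output directory (assumed)

# Turn `pm list packages -f` lines ("package:<apk path>=<package name>") into
# "<package name> <apk path>". The final '=' separates the two; paths under
# /data/app contain "==" themselves, so the split must anchor on the last one.
parse_pm_list() {
    sed -n 's/^package:\(.*\)=\([^=]*\)$/\2 \1/p'
}

# From "<package> <path>" lines, keep those whose code is not on a read-only
# system partition. For a list made with `-s` (system apps only) these are
# system apps that were "updated" into /data: normal for Play-updated apps,
# worth a second look on a no-name box that just pulled something at 2AM.
flag_nonstandard() {
    grep -vE '^[^ ]+ /(system|system_ext|vendor|product|odm|apex)/' || true
}

# Ask VirusTotal for a file report by SHA-256 (API v3, needs VT_API_KEY).
# Prints the first "malicious" engine counter in the report, or "unknown" if
# VirusTotal has never seen the hash. jq would be the robust choice here.
vt_lookup() {
    h="$1"
    curl -s -H "x-apikey: ${VT_API_KEY:?set VT_API_KEY}" \
        "https://www.virustotal.com/api/v3/files/$h" |
        grep -o '"malicious": *[0-9]*' | head -n 1 | sed 's/[^0-9]//g' | grep . || echo unknown
}

triage_device() {
    mkdir -p "$OUT/apks"
    # Sample of what adb returns here (constructed, for illustration):
    #   package:/system/app/Calendar/Calendar.apk=com.android.calendar
    #   package:/data/app/~~abc==/com.example.updater-xyz==/base.apk=com.example.updater
    adb shell pm list packages -f -s | tr -d '\r' | parse_pm_list > "$OUT/system_packages.txt"
    printf '== system apps whose code lives outside the read-only partitions ==\n'
    flag_nonstandard < "$OUT/system_packages.txt"
    # Pull every APK. Installer and signing details for a suspect package can be
    # read afterwards with `adb shell dumpsys package <name>`.
    while read -r pkg path; do
        adb pull "$path" "$OUT/apks/$pkg.apk" >/dev/null 2>&1 || printf 'could not pull %s\n' "$path"
    done < "$OUT/system_packages.txt"
    ( cd "$OUT/apks" && sha256sum ./*.apk ) > "$OUT/sha256.txt"
    printf '== hashes in %s; check one with: sh triage.sh vt <sha256> ==\n' "$OUT/sha256.txt"
}

# Only act when asked, so the functions can be sourced or tested on their own.
case "${1:-}" in
    device) triage_device ;;
    vt)     vt_lookup "$2" ;;
esac
```

Beyond the hashes, compare the list against a second unit of the same model or a clean factory image where one exists: a package that is "system" on one box and absent on another, or a system APK whose hash VirusTotal has never seen, is where to start looking. A malicious ROM can of course hide from its own `pm` output, which is the point made later in the thread about inspecting storage from a known-clean system.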


The article could be describing the standard android or and alphabet. I'm not saying they do all of the activities described, but i certainly believe them capable of it.


Steve Jobs was completely right and posthumously vindicated.


Only millions? That is too optimistic an order of magnitude.


...to the shock and surprise of absolutely no one on HN.

Every single "smart device" is controlled by the manufacturer, who can install anything anytime on it.

The cheapest smart devices have a low sticker price only because they are meant to make money in other ways.

Alas, the pricier ones are also meant to make money in other ways. The more reputable manufacturers mainly want to avoid seeing their names dragged through the mud on the news. Otherwise, they are about as naughty as the disreputable manufacturers.

Your choices are (a) malware or (b) spyware and adware.


Did you just say that companies that don’t ship malware are just as bad as those who do, because you speculate they have impure motives for not shipping malware?

That seems excessively cynical and faux omniscient.


No, they said that the companies that don't ship malware are probably still shipping adware.


Exactly :-)


adware is malware.


What pisses me off is that many smart tvs aren't even in the cheap spectrum of things, yet are full of dark pattern stuff


Yes, they are. I edited my comment to reflect as much. Thanks!


G is really desperate for ad revenue. Kind of sad. End of an era


I've always been amazed at how people will put all their credentials into an Android phone. You can pretty much guarantee all your private data is being scraped and sold.


Er, no; there exist Android phones that are insecure, or even malicious, but generalizing that to guaranteed compromise of all Android phones is nonsense.


They’d be few and far between.


I put my credentials in, hoping that LineageOS is enough protection software-wise, but I don't have the means to defend myself if the hardware is also working against me.



