Unboxing a new smartphone is supposed to be one of tech's new joys. Removing the cellophane, slipping the top off the box, and powering on your pristine device. The boot logo spins in all its colorful glory while the phone prepares its fresh operating system.

But what if it isn't quite so squeaky clean? Under that bright exterior might lurk something more sinister. As it turns out, there's mounting evidence you may not be able to trust your brand new Android phone after all.

The Consumer Electronics Supply Chain

Modern manufacturing supply chains are complicated. As a result of globalization, there is a worldwide market for everything from raw materials to finished products, and consumer electronics are no different. One of the largest producers of electronics is China, where many Western businesses have been outsourcing production since its economy began to grow in the 1980s.

China is also the largest producer of silicon, a vital material in modern electronics. The country is responsible for the manufacture of the majority of consumer electronics in use around the world. Chinese imports to the US totaled $189 billion in 2017 alone. This phenomenal growth and market dominance resulted in the recent trade war between the US and China, with both countries imposing heavy tariffs on each other's products throughout 2018.

Electronics Production Line In Chinese Factory
Image Credit: omur12/DepositPhotos

Although China controls a large proportion of the manufacturing supply chain, materials and assembled components are sourced worldwide. It's for this reason that your Apple iDevice has "Designed in California. Assembled in China" engraved on the back. In his 1958 essay "I, Pencil," economist Leonard Read detailed the elaborate process required to produce a single pencil, a seemingly-simple throwaway product.

The sprawling and complex electronics supply chain means that accurate traceability is an almost impossible task.

Manufacturing Android Smartphones

Apple's walled-garden approach means they keep tight control over their manufacturing process. The company has been accused in the past of poor and unsafe conditions for their factory staff, but they do rigidly control the process.

The same can't be said for Android devices.

Google takes a hands-off approach to their mobile operating system. Because Android is open-source, manufacturers can pretty much do whatever they want with it, without paying a dime. This business model is credited with propelling Android into the mainstream and its current market dominance.

Smartphone Operating System Market Share Chart. Latest Data Puts Android At Almost 90%.

However, this approach has some downsides. Fragmentation, slow or sometimes non-existent updates, and unresponsive or spam-riddled launchers to name a few. Each manufacturer and carrier is able to custom design the hardware and software of each device. As a result, there are now many different Android devices on the market.

As the majority of the manufacturing process is done in China (which is why buying phones direct from China is becoming so popular), factories will often assemble smartphones for multiple manufacturers. They may even run on the same production line with only the branding altered. This has led to many devices sharing software, components, and sometimes even the entire finished product.

You Can't Trust Your New Smartphone

Android's open nature lends itself to malware in a way that Apple's carefully curated devices don't. Although Google has taken steps over the past few years to improve the platform's security, the poor practices and convoluted supply chains of manufacturers present an opportunity for malicious attackers.

RottenSys Malware

In early 2018, a Wi-Fi service on the Xiaomi Redmi caught the eye of researchers at Check Point Research (CPR). After some investigation, they found that it didn't provide Wi-Fi services at all. Instead, it requested a long list of sensitive Android permissions, none of which were related to Wi-Fi services.

One of the most significant permissions was DOWNLOAD_WITHOUT_NOTIFICATION. The app appeared to use this permission to download malicious software from a Command & Control (C&C) server after a slight delay when the phone was initially powered up. The malware, known as RottenSys, was able to hide from the operating system by utilizing an open-source framework called MarsDaemon to keep its processes alive.

The C&C server provided the files for a malicious ad network, which was silently installed on the phone by the false Wi-Fi service. CPR estimated that the attackers could earn up to $115,000 for every ten days of operation. The researchers also found evidence that the attackers were gearing up to recruit infected devices to their botnet.

CPR's investigation found that electronics wholesaler Tian Pai handled almost half of the infected devices. Although they didn't go so far as to suggest Tian Pai was complicit, they did conclude that the malware was probably installed at some point in the supply chain.

Table Listing Apps Affected By RottenSys

The malware began spreading in September 2016, and by March 2018, had infected almost five million devices worldwide. Fortunately, removing RottenSys takes just a few seconds, once you know where to find it. If your new Android device seems to be riddled with adware, head to your settings and remove any of the apps listed in the CPR report. Once you uninstall the app, RottenSys should disappear along with it.
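
The pattern CPR noticed, a pre-installed "service" that asks for DOWNLOAD_WITHOUT_NOTIFICATION alongside permissions unrelated to its stated job, is something you can check for on your own device. The script below is an added example, not code from the article or from the CPR report. It assumes text shaped like the output of `adb shell dumpsys package` (whose layout varies between Android versions), uses a constructed sample with hypothetical package names, and the watch list of sensitive permissions is an assumption.

```python
import re

# DOWNLOAD_WITHOUT_NOTIFICATION is the permission the article singles out;
# SENSITIVE is an assumed watch list, not taken from the CPR report.
SILENT_DOWNLOAD = "android.permission.DOWNLOAD_WITHOUT_NOTIFICATION"
SENSITIVE = {"android.permission." + p for p in (
    "READ_SMS", "READ_CONTACTS", "READ_CALL_LOG",
    "READ_PHONE_STATE", "ACCESS_FINE_LOCATION")}

# Constructed sample modeled on `adb shell dumpsys package`; names are hypothetical.
SAMPLE_DUMP = """\
Package [com.example.wifiservice] (1a2b3c):
    flags=[ SYSTEM HAS_CODE ]
    requested permissions:
      android.permission.DOWNLOAD_WITHOUT_NOTIFICATION
      android.permission.READ_SMS
      android.permission.ACCESS_FINE_LOCATION
    install permissions:
      android.permission.INTERNET: granted=true
Package [com.example.notes] (4d5e6f):
    flags=[ HAS_CODE ]
    requested permissions:
      android.permission.INTERNET
"""

def parse_packages(dump):
    """Return {package: {"system": bool, "requested": set of permissions}}."""
    pkgs, cur, in_req = {}, None, False
    for line in dump.splitlines():
        s = line.strip()
        m = re.match(r"Package \[([^\]]+)\]", s)
        if m:
            cur = pkgs.setdefault(m.group(1), {"system": False, "requested": set()})
            in_req = False
        elif cur is None:
            continue
        elif s.startswith("flags=["):
            cur["system"] = "SYSTEM" in s.split()
        elif s.endswith(":"):  # a section header opens or closes the list
            in_req = s == "requested permissions:"
        elif in_req and s:
            cur["requested"].add(s.split(":", 1)[0])
    return pkgs

def flag_suspicious(pkgs, min_sensitive=2):
    """Pre-installed packages that download silently and read private data."""
    return {name: sorted(info["requested"] & SENSITIVE)
            for name, info in pkgs.items()
            if info["system"] and SILENT_DOWNLOAD in info["requested"]
            and len(info["requested"] & SENSITIVE) >= min_sensitive}
```

A hit is a reason to look closer at a package, not proof of infection: legitimate system components also request these permissions.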

Shanghai AdUps Technology

Our smartphones generate and store a lot of personal and sensitive information. The last thing you'd expect from your brand new smartphone would be for it to collect all that data and send it to a Chinese server every 72 hours.

However, that's what researchers at security firm Kryptowire found in 2016. The affected firmware was seen on multiple Android devices sold in the US, including the popular BLU R1 HD. As a result of bypassing the Android permissions, it was granted unfettered access to all your data. According to the report, this included:

"...user and device information including the full-body of text messages, contact lists, call history with full telephone numbers, unique device identifiers including the International Mobile Subscriber Identity (IMSI) and the International Mobile Equipment Identity (IMEI)."

It was also able to remotely reprogram devices, install apps, and collect Fine Location data. Kryptowire traced the suspicious activity back to the Chinese firm Shanghai AdUps Technology. The company said that the data collection was a mistake, and the firmware was used to provide updates only. However, they worked with the US government, Amazon, BLU, and Google to remove the spyware.

One year later, the researchers found that Shanghai AdUps was still using spyware on Android devices. Most of the data-siphoning had been hidden rather than removed. A few features had been turned off for US devices, but they still sent data back to the Chinese firm. Kryptowire noted that AdUps continued to collect a list of installed applications, phone number, device identifiers, and cell tower information.

Given the state of relations between the US and China, it may be worth noting that Kryptowire receives funding from the United States Defense Advanced Research Projects Agency (DARPA) and the Department of Homeland Security (DHS).

Make of that what you will.

Who Can You Really Trust?

A lot of the blame for pre-installed malware and in-built security flaws falls at China's feet. It's true that the politics of running the world's largest surveillance state may sometimes bleed into their manufacturing industries. However, attribution is hard and even the reports which name and shame responsible parties are usually just making an educated guess.

That's not to say that China should be let off the hook entirely. The recent accusations leveled at Huawei mean that you probably shouldn't buy their phones if you value privacy. It's not the first time Huawei have found themselves embroiled in a security scandal either.

Although the current stream of malware has so far been limited to Android devices, that's not to say it'll stay that way forever. Even under Apple's watchful eye, the risk of malware is improbable rather than impossible. If all this uncertainty makes you want to throw your hands up in defeat, then it may be time to consider ditching your smartphone and buying a dumb phone instead.