Yesterday, eBay reported it would no longer be selling the popular Chinese-made Star N9500 smartphone after the German security firm G Data discovered dangerous pre-installed spyware on the device. Amazon initially refused to comment on the story but, this morning, when I tried to access the page featuring the device, I found that it had been removed. (“We’re sorry. The Web address you entered is not a functioning page on our site.”) Only the Chinese site, Alibaba, the world’s largest online store, was still selling it.
On the Alibaba site, the phone is listed as “5.0 inch QHD IPS MT6582M Qual Core 3G Andriod 4.2 RAM 1GB 4GB ROM star n9500 galaxy s4 android 4.2 smart phone”. The use of the term “galaxy s4” is no accident. The phone is designed to be exactly like the Samsung Galaxy S4 but sells at one-third the price, which is why it has proved to be so popular. Take a look at this video and you will see the similarities.
I have tried to contact the company, Happo Technology Limited, for their side of the story and, though I doubt I will receive an answer, if I do, I will post it. For now, I can only quote their website in their defense: “Happo takes precautions — including administrative, technical, and physical measures — to safeguard your personal information against loss, theft, and misuse, as well as against unauthorized access, disclosure, alteration, and destruction.”
According to G Data, the spyware found on the device “runs in the background and cannot be detected by users. Unbeknownst to the user, the smartphone sends personal data to a server located in China and is able to covertly install additional applications. This makes it possible to retrieve personal data, intercept calls and online banking data, read emails and text messages or control the camera and microphone remotely.” The real bad news (and evidence of the sophistication of the malware) is that “it is not possible to remove the manipulated app and the spyware since they are integrated into the firmware.” In other words, it was intentionally built in at the factory level with the sole purpose of spying or gathering information.
G Data identifies the spyware as the Trojan Android.Trojan.Uupay.D. It is disguised as the Google Play Store app, which comes with the phone. Logs that may give away the presence of the malware are immediately deleted and all security updates are blocked. The only giveaway is that the Google Play Store is always running. Information gleaned from the phone is sent to a location in China, but the specific location is unknown.
Factory or distribution chain malware insertion is not unknown in China and will be the focus of my next regular post. It is, however, interesting that, with a few modifications, such as using a Samsung case, it would be difficult, at first glance, to tell the difference between this spyphone and the real thing, and this could be more than just a little problem. As Samsung smartphones and tablets were only approved last month by the U.S. Department of Defense for use on its networks, one can only assume that safeguards are in place to keep such clones off the network and away from sensitive government information. The good news for the government is that the clone does not contain Knox security, so it would easily be detected by IT administrators as a fake.
This story is at the discovery stage and we can expect more details in the coming days as other security firms look into the problem. In the meantime, be smart about buying a Chinese smartphone.