This article originally appeared on VICE US.
Counterfeit smartphones probably aren’t worth the money you’ll save, and researchers say buying them will likely open you up to data breaches, identity theft, or worse.
Last year, Motherboard took a closer look at the counterfeit phone market with the help of Trail of Bits, a security research and consulting firm in New York City. We noted that while you can buy a counterfeit iPhone X for $100, you’re obviously getting a pretty janky (Android-based) facsimile filled with bugs, broken features, and empty promises.
Motherboard’s investigation also found the fake iPhone X was loaded with backdoors and malicious apps, meaning that owning such a device likely resulted in any number of dubious middlemen gaining access to your personal information.
Trail of Bits recently took an even deeper dive into the world of counterfeit smartphones, and found that the privacy and security issues with such phones are even worse than Motherboard’s initial investigation revealed.
This time, the researchers dug deeply into the workings of two bogus devices, a fake iPhone 6 and a fake Samsung S10. Both devices are routinely being sold for around a tenth of their retail price at a wide variety of sketchy online outlets, and both contain severe security vulnerabilities that will put your personal data—and potentially your personal safety—at risk.
The external fit and finish do a convincing job making the devices look legit, and even some functionality like haptic feedback and fingerprint sensors work fairly well. Internally, both devices use cheap Chinese hardware running community-built Android-based ROMs, with the S10 using the same native launcher, UI/Icon pack, and theming engine of the original device.
But while both devices pretend to be running the latest version of Android Pie 9.0, in reality they were running OS variants like Kitkat 4.4.0. that haven't seen security updates since 2014. The devices also both run outdated kernels, opening device users to threats patched years ago (like DirtyCow or Towelroot) in the legitimate versions of these devices.
“These counterfeits are undeniably insecure,” the researchers found. “Both lie about their Android versions. The ROM versions used were severely outdated and vulnerable to public exploits, as were their kernels. They include bloatware, like remote debugging services, that enable abuse. This is what you’d expect from a phone that’s built around a volunteer-maintained, outdated Android ROM.”
But in addition to running unsecured hardware and software, the devices also contained a variety of intentional backdoors and malware opening users to even broader threats.
For example the fake S10 included a modified SystemUI framework allowing the remote installation of unauthorized .dex files, as well as remote access to logs tracking location data, app installations, and more. The S10 even included a RAT (remote administration tool) disguised as a font extension system service.
More simply, when you use these devices you’re effectively opening yourself to a universe of attacks and data breaches from a wide variety of international misfits.
“If you’re using counterfeit phones, there’s a high likelihood that it will provide bad actors access to your data by design,” the researchers found. “It is trivial for a counterfeit manufacturer to implant and modify the ROM before distribution. Tracking or detecting either action is impossible for most users.”
Users may not even know they’ve got a counterfeit phone if they buy their devices via a third-party vendor on eBay. As such, the researchers suggest only buying your phones from trusted vendors, and being wary of any smartphones received as a gift.
“Counterfeit smartphones will continue to evolve in sophistication, performance, and threat to users,” the Trail of Bits researchers warned. “Using them puts your data at risk and may enable abuse of the applications and networks that you access and use.”