The hidden risks of cheap Android devices

Buying a cheap Android device can be an expensive mistake if it fails to perform its primary function or happens to be infected with viruses right out of the box.

Malware, fake specs, and other problems with cheap Android devices

The temptation to save money when buying expensive devices is, well, tempting — gadgets from little-known brands can offer the same spec at a fraction of the price of more popular makes, while having an Android set-top box or Android TV can cut costs on a range of subscriptions.

Unfortunately, cheap devices — much like a free lunch — often come with a catch, so it’s important to do your research before buying.

Malicious surprise

The most unwanted “gift” sometimes found in cheap, no-name Android devices is pre-installed malware. It’s not entirely clear whether bad actors install it directly at the factory, whether it happens on the way to the store, or whether manufacturers carelessly use trojanized third-party firmware, but as soon as you open the box and activate the new device, the malware springs into action. This type of infection is extremely dangerous.

  • The Trojan is difficult to detect and almost impossible to remove. It’s integrated right in the device’s firmware and has system privileges. Special know-how and software are needed to find and remove it, but even then there’s no guarantee that the malware will be gone for good and won’t reactivate.
  • Attackers have full access to the device and data. Without needing either permissions or requests, they can steal information, intercept authentication codes, install additional programs, and so on.

Cybercriminals make money from such pre-infected devices in various ways, all of which cause harm to the buyer.

  • Ad fraud. The device displays ads — often stealthily in an invisible window. As part of the fraud, additional software may be installed on the device, which simulates the actions of a user interested in a particular ad. For the device owner, this results in slow operation and clutters the memory of their new smartphone or set-top box.
  • Data theft and account hijacking. Cybercriminals have no problem intercepting passwords, messages, bank card numbers, authentication codes, geolocation data, or any other useful information passing through the infected device. Some of this is used for “marketing” (that is, targeted advertising), and some is used for other fraudulent schemes.
  • Running proxies. Cybercriminals can enable a proxy server on the infected device, through which outsiders can access the internet pretending to be the victim, and hiding their tracks and real IP addresses. As a result, the device owner can suffer serious internet slowdown, end up on various denylists, and even attract the attention of law enforcement agencies.
  • Creating online accounts, such as on WhatsApp or Gmail. These accounts are then used for spamming, and the device owner may face anti-spam restrictions and blocks imposed by these services on the device or the entire home network.

Alas, the above scenarios are in no way rare. In the most recent case this year, around 200 models of Android devices were found infected with the Badbox fraud scheme. These were mostly cheap TV set-top boxes under various brands sold online or in electronics hypermarkets, but there were also tablets and smartphones, including gadgets purchased for schools. Experts detected the Triada Trojan on all of them. This Android malware was first discovered by Kaspersky analysts back in 2016, and even then it was described as one of the most sophisticated on the Android platform. It goes without saying that its developers have not been sitting on their hands all these years. Badbox uses infected devices for ad fraud and running proxies.

Last year, the Lemon Group was found to be engaged in ad fraud — 50 different brands of Android devices were infected with the Guerrilla Trojan. In 2019, Google highlighted a similar case, but without mentioning specific manufacturers or the number of infected device models involved. Meanwhile, the largest incident of this kind occurred in 2016 and affected up to 700 million smartphones, which were used for data theft and ad fraud.

Interesting fact: Trojan functionality even managed to get inside dumb phones. Threat actors “trained” them to send texts on command from a central server (for example, to subscribe to paid services) and to forward incoming texts to their own servers, which made it possible to use the numbers of push-button phones to register for services that require confirmation by text.

Fake specs

The second problem with cheap Android devices from unknown manufacturers is the discrepancy between the stated specification and the actual “filling”. Sometimes this arises due to a hardware design error. For example, a high-speed Wi-Fi adapter may be connected to a slow USB 2.0 bus making the declared data transfer speed physically unattainable; or, due to a firmware bug, the promised HDR video mode doesn’t work.

And sometimes it’s a case of an obvious fake, such as when a device promising 4GB of RAM and 4K resolution in reality works with only 2GB and offers not even HD but 720p image quality.

Support issues and security threats

Even if a third-tier Android device is not infected with malware out of the box, the security risks are greater than for well-known brands. Android always needs updating, and Google fixes vulnerabilities and releases patches every month, but these apply only to pure Android (AOSP) and Google Pixel devices. For all other versions of the operating system, updates are the responsibility of the manufacturer of the specific device, and many are slow to update the firmware — if at all. Therefore, even on a new gadget you might find the outdated Android 10, and after just a couple of years of use all the software installed on it will belong in a museum.

How to combine economy and security

We’re not advising users to buy only expensive gadgets — not everyone wants or can do this. But when opting for a budget device, it pays to take extra precautions:

  • Choose brands that have been around for a while and are sold actively in many countries — even if they’re not so well-known.
  • If you’ve never heard of a particular manufacturer, don’t spend your time online reading about a specific model of set-top box, TV, or phone — but about the company itself.
  • Study the company’s website and check that the support section has contact details, service information, and — most importantly — firmware updates with download instructions.
  • Read buyer reviews on specialized forums — not on marketplaces or store websites. Pay special attention to the correlation between the stated and real specification, availability of updates, and odd or suspicious device behavior.
  • If you have an opportunity to see the device live in action in a store, do so. There, go to the settings and see if there’s an option to install updates. And also check how old the installed Android is. Anything below version 12 can be considered outdated.
  • Compare the price of the device you fancy with well-known Chinese brands such as Huawei or Xiaomi. Lesser-known but high-quality devices with similar specs might be as little as half the price of “renowned” Chinese brands — but a severalfold difference is suspicious.
  • As soon as you buy the device, familiarize yourself with its settings, update the firmware to the latest version, then uninstall or disable through the settings all apps that seem surplus to requirements.
  • For devices that allow app installs, install full Android protection immediately after purchase and activation.
Tips