Beware of cheap Android phones.

[zbigi]

There have been reports in the news that millions of cheaps Android phones have been infected with spyware in factories (they come with malware pre-installed, and the phone maker (e.g. Motorola, Sony etc.) is not aware of this) during the production process. The onwer of the factory sells access to the malware to whichever state or criminal group will pay. The spyware allows to read text messages or just take full control of the phone etc. So, if your using a banking app, or your bank/broker send you one-time passwords via text messages, it's safer to buy a used iPhone, instead of a new cheap Android for similar price.

Link: https://www.techradar.com/news/millions ... -installed

[Scott 2]

The article says 9 million devices, mostly in southeast Asia. Assuming a billion Android devices shipped per year, that's a little under 1%. So a 1/100 chance.

I don't understand why Apple would be immune to this attack vector. Don't they use cheap international labor as well?

[zbigi]

The report said the hacks were in the firmware, which the cheap Android phone makers outsource to third-parties. Presumably Apple doesn't do that (as they like to have control of the entire stack), but that's just me guessing.

[steelerfan]

This kind of got me worried. I purchased a pair of AR glasses from a Chinese manufacturer (Rokid). The glasses interface with your phone/computer but really mirror your device display (so it is not true AR). Am I paranoid? I could see something lurking in them but maybe it is just an i/o peripheral. Not planning on installing their companion app which is not required. Planning on using them with Samsung Dex. Any thoughts.

[zbigi]

If the glasses are just essentially an external display device in this case, they shouldn't have access to the phone's internals, right?

[steelerfan]

I wouldn't think so. However I would assume it is theoretically possible for a plug and play device to be able to inject code to the connected device. Not very likely. I do not think there is on board data storage or power with these glasses. It just connect with an OTG display port usb c and draws power from the host device or it's optional proprietary stand alone device the Rokid Station. Most likely I am paranoid - caused by your story .
See the specs from their web site: See anything?

Specifications
Display
Resolution: FHD 1920x1080 pixel RGB per eye
Contrast Ratio: 100000:1
FOV: 50° (16:10)
2D/3D: Yes
Brightness: Up to 600 nits perceived brightness
Brightness control: 6 levels
Refresh Rate: 120Hz
Color gamut: sRGB 106%(area ratio)

Audio
HD Directional Speaker*2
Noise-canceling Microphone*2
AI voice control

Myopia
Diopter Adjustment: 0.00D to -6.00D

Sensors
Enhanced 9-axis (IMU)
3DoF head tracking
Wearing detection

Basic Parameters
Color: Space Blue
Weight: 75g
Folded Dimensions: 174.37mm(L)*158.71mm(W)*44.94mm(H)
Physical Buttons: Brightness control & 2D/3D*1; Volume control*2

Connectivity
Devices with USB-C Display Port and OTG (Android 10 or later)

[steelerfan]

A lot of work obviously went into these - not likely anything nefarious...

[steelerfan]

Would you trust a device like this? They put a lot of R&D into a product that people would maybe like. I would think there is processing done in the glasses when you see terms like AI voice control and tracking/detection sensors in the specs. But it may be low level processing that maybe is confined to the glasses. I dunno. I am not an engineer. A hardware guy would have an idea. Hopefully it has been vetted for security.

[zbigi]

If it's connected via USB-C then you should be safe. There's no way to hack your phone via it, unless the phone itself is compromised (has outdated OS with known security holes etc.). At least that's my understanding, I don't know much about Android. However, perhaps there's also a driver component that the OS automatically downloads, and then that driver could own you? If you're really worried about it, ask on some Android programmer forum where people know about OS internals.