Android tablets at Best Buy, Target, Amazon, Walmart found to include major security flaws, malware

Posted:
in iPad edited December 2014
Security firm Bluebox Labs tested a dozen Black Friday bargain Android tablets from major retailers including Amazon, Best Buy, Kmart, Kohl's, Staples, Target and Walmart and reported "shocking" security flaws, malware and active backdoors installed on the new devices.


All of the dozen different "doorbuster" Android tablets Bluebox examined were found to include unpatched Android vulnerabilities including Masterkey, FakeID, Heartbleed and Futex, while more than a quarter were sold with security misconfigurations or active backdoors installed.

Bluebox discovered Android's Masterkey "zombie botnet" vulnerability last year and detailed FakeID super malware earlier this summer.

While Google has released patches for both flaws--in addition to Android's Heartbleed and Futex bugs--the fact is that major retailers are actively promoting new Android products that still harbor these unpatched vulnerabilities. Several devices also ship with remote exploits wide open, block access to Google Play and deactivate security features Google has added to Android.

Best Buy offers one of the worst


Among the worst devices being sold was a DigiLand Android tablet offered by Best Buy, which was running software signed by the Android Open Source Project test key. The security firm noted this key "is not supposed to be used for signing the firmware of commercial devices because it allows an attacker to easily create a Trojan system update!"

The Best Buy device also ships with the USB debugging connection to the device running with root privileges, "which means the device effectively comes rooted out of the box," Bluebox noted.

Best Buy markets the tablet as having a 1024 x 600 resolution (lower than Apple's first generation iPad from four years ago) that "showcases media in crisp detail," and as powered by a MediaTek quad-core processor with basic ARM Mali 450 graphics "for lush images." Best Buy's web page says that "92 percent of customers would recommend this product to a friend."

Target, Kmart, Kohl's, Staples, Walgreens marketing bad Android tablets for the holidays

RCA Mercury Android tablets sold by Target ship with "two known vulnerabilities out of the box," as does Kmart's Mach Speed Xtreme Android tablet. The latter device also "disables the security configuration setting that protects the tablet from installing apps from malicious third-party sources."


A Zeki Android tablet sold by Kohl's "was the worst tablet encountered out of the entire lineup," the firm stated, detailing that it "is vulnerable to four major Android security vulnerabilities, has USB debugging turned on by default, comes with a security backdoor pre-installed, is signed by the AOSP test key, and doesn't include Google Play--thus it requires the use of third-party app markets, which do not benefit from Google's extra app security screening process."

Kohl's website shows the Zeki tablet displaying a waving Android mascot, indicates that the device does support Google Play, and pictures it as being bundled with other Google apps, despite it being an AOSP device.


A Mach Speed JLab Pro-7 tablet sold by Staples ships with Android 4.4.2, but Bluebox notes that it includes customizations to remove security features Google added in 4.4.2, including a patch to prevent data theft via its USB port. The cheap device is also packaged with "developer mode and USB debugging enabled by default."

The firm noted that a Black Friday special Polaroid A7 Android tablet offered by Walgreens appears to be the same model that Amazon sells, which it states "is vulnerable to four known Android security bugs, comes rooted out of the box, and disables by default the security configuration setting that protects the tablet from installing apps from malicious third-party sources. It had one of the lowest Trust Scores of all tested tablets."

The firm explained that the device is "pre-rooted," as "it includes 'su' installed by the factory meaning an attacker is given unfettered access to the system without having to run an exploit to gain this access" and that it "disables by default the security configuration setting that protects the tablet from installing apps from malicious third-party sources."

Walmart and Amazon may have the biggest selection of bad Androids

At Walmart, Bluebox purchased multiple tablets, including the store's "value of the day" Pioneer tablet that ships with two known but unpatched vulnerabilities as well as Ematic and RCA tablets that both had three vulnerabilities and a Nextbook tablet with two, which earned the designation of being "one of the 'best of the worst' tablets in the lineup."

A Worryfree Gadgets Zeepad Android tablet sold by Walmart comes with "two major Android security vulnerabilities, has USB debugging turned on by default, comes with a security backdoor pre-installed."


Bluebox also found that a few tablets shipped with known "adware/riskware," including a pirated version of Angry Birds re-signed by the device vendor.

"This means the vendor could have modified Angry Birds to collect more information than the authors originally intended to," the firm explained. "This also precludes the version of Angry Birds on the tablet from ever receiving updates from the original developer, as the signing keys are different."

Bluebox Labs offers security scanner for bad Androids

Bluebox offers its Trustable app on Google Play to evaluate known security flaws and settings on devices. The company also provides an Android User Security Guide checklist for Android 4.0 and later devices, which includes suggestions to disable insecure Android features such as NFC, DLNA file sharing and screen mirroring, particularly on Samsung devices.
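The configuration problems Bluebox reports above (firmware built with the AOSP test key, USB debugging on by default, debugging with root privileges, a factory-installed `su`, and third-party installs allowed by default) can be checked from a device's build properties and settings. The following is an added example, not Bluebox's Trustable code and not part of the original article; the device dump is constructed, the finding names are hypothetical, and the property checks are indicators rather than proof.

```python
import re

# Constructed sample: `adb shell getprop` output from a hypothetical bargain tablet.
SAMPLE_GETPROP = """\
[ro.build.tags]: [test-keys]
[ro.build.version.release]: [4.4.2]
[ro.debuggable]: [1]
[ro.secure]: [0]
[persist.sys.usb.config]: [mtp,adb]
"""
# Constructed sample: settings values (namespace varies by Android version) and files seen.
SAMPLE_SETTINGS = {"adb_enabled": "1", "install_non_market_apps": "1"}
SAMPLE_FILES = ["/system/bin/sh", "/system/xbin/su"]

PROP_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]:\s*\[(?P<val>[^\]]*)\]\s*$")
SU_PATHS = {"/system/bin/su", "/system/xbin/su", "/sbin/su"}  # common locations


def parse_getprop(text):
    """Parse `[key]: [value]` lines into a dict, skipping malformed lines."""
    props = {}
    for line in text.splitlines():
        m = PROP_LINE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("val")
    return props


def audit(props, settings, files):
    """Return sorted finding names for the issues the article describes."""
    findings = set()
    # Builds signed with the public AOSP test key normally carry the test-keys tag.
    if "test-keys" in props.get("ro.build.tags", "").split(","):
        findings.add("aosp-test-key")
    # USB debugging on by default: settings flag set or adb in the USB function list.
    usb = props.get("persist.sys.usb.config", "").split(",")
    if settings.get("adb_enabled") == "1" or "adb" in usb:
        findings.add("usb-debugging-on")
    # With ro.secure=0 the adb daemon does not drop root privileges.
    if props.get("ro.secure") == "0":
        findings.add("adb-runs-as-root")
    # "Unknown sources" allowed: apps can be installed from outside the official store.
    if settings.get("install_non_market_apps") == "1":
        findings.add("unknown-sources-enabled")
    # A su binary shipped on the system image means the device is pre-rooted.
    if SU_PATHS & set(files):
        findings.add("su-preinstalled")
    return sorted(findings)


if __name__ == "__main__":
    print(audit(parse_getprop(SAMPLE_GETPROP), SAMPLE_SETTINGS, SAMPLE_FILES))
```
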

The security firm noted that higher priced Android tablets are more likely to ship without known vulnerabilities or security misconfigurations, and cited both the Samsung Galaxy Tab3 and the Google-branded Nexus 9 by HTC as being "trustable."

However, the majority of Android tablet shipments are bargain devices; Google's Nexus 9 is purportedly not actually intended to sell but rather to provide a model for Android vendors to follow. For many vendors, following Google's lead is not in their own self-interest, particularly among AOSP devices that are intended to sell apps from third-party stores or harvest data from unsuspecting buyers.

Comparing Apples to Androids

The security firm concluded, "be aware that not all devices are security equals. Bluebox Labs routinely sees a lot of below-average security for bargain Android devices. We recommend avoiding these if you can; otherwise, only use them for low-risk activities like simple gaming, media entertainment, and public web browsing. We recommend that you avoid conducting online banking, making purchases or storing sensitive data on these devices - if you do, you will be putting your data at risk."

Bluebox also offers a much shorter iOS User Security Guide; Apple's implementations of NFC, AirDrop file sharing and AirPlay screen mirroring are all secure enough for Bluebox to not recommend that users turn them off in its security guide.

Bluebox does not maintain a vulnerability scanner app for iOS, which is unaffected by Masterkey, FakeID, Heartbleed and Futex. Apple also does not allow third-party vendors to sell modified versions of iOS with security features removed or disabled, and regularly issues security patches for its iOS users.

Comments

  • Reply 1 of 177
    relicrelic Posts: 4,735member
    Yeah sorry but anyone who buys these things are just plain ignorant and deserve the discomforts. Especially when Amazon now has Kindles starting at 100 bucks. This story is nothing but click bait.
  • Reply 2 of 177
    apple ][apple ][ Posts: 9,233member

    How does that saying go again? You get what you pay for!

     

    I don't feel sorry for anybody who is ignorant and buys one of these cheap Android tablets.

  • Reply 3 of 177
    apple ][apple ][ Posts: 9,233member
    Quote:

    Originally Posted by Relic View Post



    Yeah sorry but anyone who buys these things are just plain ignorant and deserve the discomforts. 

     

    You basically just described the average Android user right there.

  • Reply 4 of 177
    Originally Posted by AppleInsider View Post

    A Worryfree Gadgets Zeepad Android tablet...

     

    G44

  • Reply 5 of 177
    rogifanrogifan Posts: 10,669member
    relic wrote: »
    Yeah sorry but anyone who buys these things are just plain ignorant and deserve the discomforts. Especially when Amazon now has Kindles starting at 100 bucks. This story is nothing but click bait.

    Shame on retailers for selling this garbage.
  • Reply 6 of 177
    Quote:

    Originally Posted by Relic View Post



    Yeah sorry but anyone who buys these things are just plain ignorant and deserve the discomforts. Especially when Amazon now has Kindles starting at 100 bucks. This story is nothing but click bait.



    The reality is that these tablets are exactly what Google's Android created. They make up the vast majority of the tablet "shipments" that IDC has been advertising incessantly as "Android domination."

     

    Apple has consistently outsold the rest of the top five tablet vendors, which includes Samsung, Asus (Nexus) and other makers of fairly decent options. This is that huge amount of "Other" Android tablets: MediaTek and RockChip powered knockoff counterfeits that are used to take advantage of people.

     

    That's the Android legacy.

     

    The fact that you blame the victims of Google's Android garbage output only says something bad about what kind of person you are. 

  • Reply 7 of 177
    relic wrote: »
    Yeah sorry but anyone who buys these things are just plain ignorant and deserve the discomforts. Especially when Amazon now has Kindles starting at 100 bucks. This story is nothing but click bait.
    I'm sorry this article makes you think it's click bait, makes me wonder about you...

    This actually highlights a serious, or should I say, several serious issues, with Android as a whole. I have a friend that works at a Best Buy subsidiary chain in Canada, and she pushes these like no tomorrow, and guess what, the cheap skates buy these up. In fact, she's admitted she often lies to consumers under direction from her department manager to tell customers it's "every bit as good as iPad". I've already scolded her for this, but she doesn't care, because it gives her the paycheque...

    Every time I'm at one of these stores and I see people attempting to buy one of these, I stop them, and expose the lying little snot nosed sales rep for the BS he's spewing just to get a sale.
  • Reply 8 of 177
    apple ][apple ][ Posts: 9,233member
    Quote:

    Originally Posted by Rogifan View Post



    Shame on retailers for selling this garbage.



    I disagree.

     

    Shame on Android users for being cheap bums and demanding cheap, useless junk. And shame on Android users for actually buying said junk, contributing to massive amounts of waste and pollution, since most of the junk products will probably soon end up in a landfill somewhere. Shame on Android users for dragging the whole tech industry down into the gutter.

     

    The retailers are merely in it to sell products and to make a buck. That there is demand for such garbage says more about the people who purchase such junk, rather than those who sell such junk.

  • Reply 9 of 177
    sockrolidsockrolid Posts: 2,789member

    Originally Posted by AppleInsider View Post

    ... "shocking" security flaws, malware and active backdoors installed on the new devices.

     

    Yay open!

     

    Oh.  Wait.

  • Reply 10 of 177
    Quote:

    Originally Posted by Apple ][ View Post

     

    Shame on Android users for dragging the whole tech industry down into the gutter.


     

    So, are these the first garbage electronics to ever be offered at a deep discount? It's a brave new world out there.

  • Reply 11 of 177
    The thing is...these are targeted at low income people.

    They don't have money or data worth stealing. :rolleyes:
  • Reply 12 of 177
    fallenjtfallenjt Posts: 4,053member
    Since when is garbage expected to be clean? Nothing else to say.
  • Reply 13 of 177
    Quote:
    Originally Posted by Apple ][ View Post

     

    I disagree.

     

    Shame on Android users for being cheap bums and demanding cheap, useless junk. And shame on Android users for actually buying said junk, contributing to massive amounts of waste and pollution, since most of the junk products will probably soon end up in a landfill somewhere. Shame on Android users for dragging the whole tech industry down into the gutter.

     

    The retailers are merely in it to sell products and to make a buck. That there is demand for such garbage says more about the people who purchase such junk, rather than those who sell such junk.


     

    I agree [with you].

     

    The saying, "You get what you pay for", has been around for as long as products have been available for sale. Cheap shit products have also been around for as long as products have been available for sale.

     

    If people are willing to buy cheap crap to save a few bucks then that's up to them. It's not like they haven't been warned.  jmho

  • Reply 14 of 177
    apple ][apple ][ Posts: 9,233member
    Quote:



    Originally Posted by TheWhiteFalcon View Post



    The thing is...these are targeted at low income people.



    They don't have money or data worth stealing.

     

    I've mentioned that before, and I believe that partially explains why many Android users don't care much about security at all.

     

    They have nothing much worth stealing! I wonder what percentage of Android users even have a bank account to their name? The percentage of them that have a credit card to their name is obviously even lower than that.

     

    If I were a hacker, I wouldn't even bother to hack into any Android devices. Surely, I have better and more profitable things to do with my time, if I were a criminal hacker.

     

    With the exception of a few higher priced Android devices (which do not make up the majority of Android devices), when I think of Android, a combination of these words immediately enter my mind: welfare, unemployed, cheapskates, third world, mud huts, polluters, bottom feeders, not tech savvy, self entitled and ignorant.

  • Reply 15 of 177
    relicrelic Posts: 4,735member
    Quote:
    Originally Posted by Apple ][ View Post

     

     

    You basically just described the average Android user right there.


     

    I wasn't talking about Android users or even Android Tablets in general. There are some pretty decent Android based tablets on the market, the Amazon Kindle 7 or 8.9 HDX, Sony's Z2, especially their new Z3 Compact, Nvidia's Shield, even the new Nokia N1 for only $250 is stacking up to be a really decent machine, especially for the price. I'm referring to these under $100 monstrosities that serve no purpose other than to give people headaches. Anyone who purchases them are simply ignorant to the technology that they're getting into, this is still no excuse. You really shouldn't say that most Android users are ignorant, in my experience I've actually found more people less knowledgeable to computers that own iPads than I did with those who use Android, but at least they had the common sense to still buy an iPad over this garbage. Owning an iPad doesn't make you smarter, just means you had the money to do so. Those who can't afford an iPad can still find a decent tablet for $200, anything less than that and they really shouldn't bother.

  • Reply 16 of 177
    irnchrizirnchriz Posts: 1,616member
    Lots of non-productive comments on here but let's try this angle. In general consumers trust that when they purchase a device, it has been vetted by the retailer and is safe to buy and use. Consumers purchasing these tablets do so because they are cheap, and most will have little experience of, or exposure to, these devices previously. They won't expect these devices to be full of security holes or malware, if they even know what malware is. Basically, I'm saying that the retailer has a duty of care to their customers. None of the mocking statements by posters here will help the consumers but pressure on the retailers to actually test and inspect the devices they sell will. There should be some serious naming and shaming going on.
  • Reply 17 of 177
    Quote:

    Originally Posted by Rogifan View Post





    Shame on retailers for selling this garbage.



    If this article was about Apple, lawyers across the United States would be racing to court rooms to file class action lawsuits.

     

    Bloggers would be witch hunting Apple in article after article after article.

     

    Blackberry, HTC, Lenovo, Microsoft, Samsung and others would be having commercials made to mock Apple.

     

    On the Apple front, silence and laser focus to strengthen iCloud's ability to deliver security patches when necessary.

  • Reply 18 of 177
    And analysts wonder that tablet demand seems to be plateauing. Poisoning the well is all these loss-leaders accomplish.
  • Reply 19 of 177
    relicrelic Posts: 4,735member
    Quote:

    Originally Posted by island hermit View Post

     

     

    I agree [with you].

     

    The saying, "You get what you pay for", has been around for as long as products have been available for sale. Cheap shit products have also been around for as long as products have been available for sale.

     

    If people are willing to buy cheap crap to save a few bucks then that's up to them. It's not like they haven't been warned.  jmho


    Exactly, especially when an extra 150 could have gotten them something that would have lasted much longer, faster, just a better machine all around.

  • Reply 20 of 177

    ROFLAMO ....



    DED, you da' man!

     

    Share it folks, share! :smokey:
