Black Friday Android: Bright-Tab 9'' from Runnings

[huckleberrypie]

Here's a 411 on Eken's modus operandi, as described by the lads behind Clean Master:
<!-- m --><a class="postlink" href="https://www.cmcm.com/blog/en/security/2015-11-09/838.html">https://www.cmcm.com/blog/en/security/2 ... 9/838.html</a><!-- m -->

And yes, both boot and recovery have references to CloudsOTA. Lines 223 to 230 of init.sun8i.rc call for checkota.sh and shell_cmd_service to be loaded on boot:

Code:

#clouds checkota service
service checkota /system/bin/checkota.sh
       class main
       oneshot
      
#clouds ota service
service shcmd /system/bin/shell_cmd_service
       class main

Checkota.sh then runs, calling for the system to copy and chmod CloudsService.apk to /system/app:

Code:

#!/system/bin/sh
OTA_APK="/system/app/CloudsService.apk"
OTA_MD5="00a46780cb123dff97eb98cd080f5a0e"
mount -o remount,rw /system
if [ ! -f "$OTA_APK" ]; then
        /system/bin/cp /cloudsota/CloudsService.apk /system/app/
        /system/bin/chmod 644 /system/app/CloudsService.apk
else
        echo "the same apk"
#      /system/bin/mkdir /data/CloudsService
#      TMP_MD5=`/system/bin/busybox md5sum /system/app/CloudsService.apk | /system/bin/busybox cut -d " " -f 1`
#      if [ $OTA_MD5 = $TMP_MD5 ]; then
#        echo "the same apk"
#        else
#        echo "not the same apk"
#        /system/bin/cp /cloudsota/CloudsService.apk /system/app/
#        /system/bin/chmod 644 /system/CloudsService.apk
#        fi
fi

[cpd2009]

Well, I sent off an email to Runnings corporate office, and they actually passed my concerns to the distributor of the tablets. A guy from said distributor emailed me, requesting I call him over the phone about the issue.

I responded, saying that due to the technical nature of the problem, I would prefer to have correspondence done via email, as we have all sorts of proof showing the tablet being tainted with malware from the factory. I also sent "Mike" a link to Cheetah Mobile's article on the malware along with a suggestion to run Malwarebytes on any tabs they may have in their warehouse.

[huckleberrypie]

Well, I sent off an email to Runnings corporate office, and they actually passed my concerns to the distributor of the tablets. A guy from said distributor emailed me, requesting I call him over the phone about the issue.

I responded, saying that due to the technical nature of the problem, I would prefer to have correspondence done via email, as we have all sorts of proof showing the tablet being tainted with malware from the factory. I also sent "Mike" a link to Cheetah Mobile's article on the malware along with a suggestion to run Malwarebytes on any tabs they may have in their warehouse.

Here's hoping they'd respond and come up with more stringent quality control measures, eh? The Federal Trade Commission, or as I said earlier, the DHS, could penalise them for this issue; I can see that it wasn't entirely their fault though - during the CIH epidemic several companies also had their software and hardware tainted as well. As for why, I am not sure.

[cpd2009]

After not receiving a reply from "Dale", I fired off an email to the Consumerist, a wonderful blog from the Consumers Union. They also publish the Consumer Reports magazine, which reviews all kinds of products from home appliances to electronics to cars. They are truly independent as they don't accept any advertising.

I should get some sort of reply from them. I outlined my findings, and sent a link to Cheetah Mobile's article, and I also sent off the email addresses for "Mike" and "Dale" as well. I should also report this to the Consumer Product Safety Commission, but I don't know if malware is their specialty. The tablet itself is functional and doesn't appear to harbor any potential dangers. The power adapter might be of interest. It doesn't get hot, but it feels very light for such an adapter.

[huckleberrypie]

After not receiving a reply from "Dale", I fired off an email to the Consumerist, a wonderful blog from the Consumers Union. They also publish the Consumer Reports magazine, which reviews all kinds of products from home appliances to electronics to cars. They are truly independent as they don't accept any advertising.

I should get some sort of reply from them. I outlined my findings, and sent a link to Cheetah Mobile's article, and I also sent off the email addresses for "Mike" and "Dale" as well. I should also report this to the Consumer Product Safety Commission, but I don't know if malware is their specialty. The tablet itself is functional and doesn't appear to harbor any potential dangers. The power adapter might be of interest. It doesn't get hot, but it feels very light for such an adapter.

I hope our efforts at bringing this issue to the authorities' attention does bear at least some fruit, as it can set a risky precedent aimed at unwitting consumers who buy bargain bin devices for their children especially this Christmas season.

[cpd2009]

Well, I did get a reply from a guy named Matt, and he says that their tech didn't find problems on their other tablets. This sets up the possibility that I got a bad apple, but I don't know for sure.

If I can find that Runnings receipt, I can simply exchange for a new tablet. My local store had a ton of them remaining, and I can simply do an exchange and do a video unboxing. If no malware is found, all is calm and all is bright. If malware is found, then I will have actual video evidence of my suspicions and I can fire that off to the CPSC or Matt.

[huckleberrypie]

Well, I did get a reply from a guy named Matt, and he says that their tech didn't find problems on their other tablets. This sets up the possibility that I got a bad apple, but I don't know for sure.

If I can find that Runnings receipt, I can simply exchange for a new tablet. My local store had a ton of them remaining, and I can simply do an exchange and do a video unboxing. If no malware is found, all is calm and all is bright. If malware is found, then I will have actual video evidence of my suspicions and I can fire that off to the CPSC or Matt.

You'll swap it for another tab of the same model, yes? I do agree that there might be bad apples amongst the bunch, but I'll see if fsebentley will be doing the clean ROM in time, as he had a run-in with his pet dog lately hence why he wasn't able to cobble the firmware up last week.

[cpd2009]

Exchange has been completed. This time, I plan to document all my steps on camera, using an HD camcorder and Adobe Premiere. I will unbox the device, let it charge up, and then proceed through first time setup and installation of Sophos AV and Malwarebytes.

If the tablet comes up clean, all is well. If not, then I will have video evidence that perhaps more than one Bright-Tab is infected. I could also just return it for good and get my $60 USD back and use it for something else, but I have yet to decide. It would make that clean sanitized firmware useless though. That's the bad part.

[huckleberrypie]

Exchange has been completed. This time, I plan to document all my steps on camera, using an HD camcorder and Adobe Premiere. I will unbox the device, let it charge up, and then proceed through first time setup and installation of Sophos AV and Malwarebytes.

If the tablet comes up clean, all is well. If not, then I will have video evidence that perhaps more than one Bright-Tab is infected. I could also just return it for good and get my $60 USD back and use it for something else, but I have yet to decide. It would make that clean sanitized firmware useless though. That's the bad part.

So all this trouble I had with you and fsebentley pretty much led to nothing? Not unless if the replacement in question is just as infected.

[cpd2009]

Exchange has been completed. This time, I plan to document all my steps on camera, using an HD camcorder and Adobe Premiere. I will unbox the device, let it charge up, and then proceed through first time setup and installation of Sophos AV and Malwarebytes.

If the tablet comes up clean, all is well. If not, then I will have video evidence that perhaps more than one Bright-Tab is infected. I could also just return it for good and get my $60 USD back and use it for something else, but I have yet to decide. It would make that clean sanitized firmware useless though. That's the bad part.

So all this trouble I had with you and fsebentley pretty much led to nothing? Not unless if the replacement in question is just as infected.

Well, I have not received any response from either Consumerist or those two guys from KMS or their IT support company they contract with. Honestly, it feels like they are ignoring me or they probably think I'm a lunatic who is making a mountain from a molehill. I'm sort of running out of viable options here. I have to either film myself unboxing the tablet and running the AV scans, or contact the CPSC.

So, I have decided to film myself unboxing the BrightTab and running the scans. The unboxing and charging parts are complete. I have to film everything else from Google Setup (with my password screens and whatnot censored out) to running the AV scans and the results.

If the tablet comes clean, then yes, the firmware santization was all for nought. I will say, if the ROM hasn't been sanitized yet, put it on hold. I'm still debating whether or not to keep the Bright-Tab if it does turn up with malware again. I can use the $59.99 I can get back for something else entirely, or I can keep the tablet and flash the sanitized ROM. I also brought old Hazel (Samsung Galaxy Tab 2 7-inch) out from storage, and I'm thinking of just using her instead of the Bright-Tab.

Perhaps some forward thinking could have gone into this. If you can send my deepest apologies to fsbentley, point him here. I didn't intend on putting you through all this trouble, but this was a spur-of-the-moment thing. The local Runnings still had BrightTabs and I'm running out of options. If there is no malware on my new BrightTab, all is well. If there is malware, then I will have bona-fide proof that malware is present out of box.

The resulting video will be uploaded to my DailyMotion account after editing.