Skip to comments.Android tablets at Best Buy, Target, Amazon, Walmart found to with security flaws, malware
Posted on 11/26/2014 12:42:15 AM PST by Swordmaker
All of the dozen different "doorbuster" Android tablets Bluebox examined were found to include unpatched Android vulnerabilities including Masterkey, FakeID, Heartbleed and Futex, while more than a quarter were sold with security misconfigurations or active backdoors installed.
Bluebox discovered Android's Masterkey "zombie botnet" vulnerability last year and detailed FakeID super malware earlier this summer.
While Google has released patches for both flawsin addition to Android's Heartbleed and Futex bugsthe fact is that major retailers are actively promoting new Android products that still harbor these unpatched vulnerabilities. Several devices also ship with remote exploits wide open, block access to Google Play and deactivate security features Google has added to Android.
Best Buy offers one of the worst
Among the worst devices being sold was a DigiLand Android tablet offered by Best Buy, which was running software signed by the Android Open Source Project test key. The security firm noted this key "is not supposed to be used for signing the firmware of commercial devices because it allows an attacker to easily create a Trojan system update!"
The Best Buy device also ships with the USB debugging connection to the device running with root privileges, "which means the device effectively comes rooted out of the box," Bluebox noted.
Best Buy markets the tablet as having a 1024 x 600 resolution (lower than Apple's first generation iPad from four years ago) that "showcases media in crisp detail," and is powered by MediaTek quad-core processor with basic ARM Mail 450 graphics "for lush images." Best Buy's web page says that "92 percent of customers would recommend this product to a friend."
Target, Kmart, Kohls, Staples, Walgreen marketing bad Android tablets for the holidays
RCA Mercury Android tablets sold by Target ship with "two known vulnerabilities out of the box," as does Kmart's Mach Speed Xtreme Android tablet. The latter device also "disables the security configuration setting that protects the tablet from installing apps from malicious third-party sources."
Target doorbuster bad Android tablet
A Zeki Android tablet sold by Kohl's "was the worst tablet encountered out of the entire lineup," the firm stated, detailing that it "is vulnerable to four major Android security vulnerabilities, has USB debugging turned on by default, comes with a security backdoor pre-installed, is signed by the AOSP test key, and doesn't include Google Play-thus it requires the use of third-party app markets, which do not benefit from Google's extra app security screening process."
Kohl's website presents the Zeki tablet portraying a waving Android mascot and indicates the device does support Google Play and pictures it as being bundled with other Google apps, despite being an AOSP device.
Kohl's bad Android tablet
A Mach Speed JLab Pro-7 tablet sold by Staple's ships with Android 4.4.2, but Bluebox notes that it includes customizations to remove security features Google added in 4.4.2, including a patch to prevent data theft via its USB port. The cheap device is also packaged with "developer mode and USB debugging enabled by default."
The firm noted that a Black Friday special Polaroid A7 Android tablet offered by Walgreen's appears to be the same model that Amazon sells, which it states "is vulnerable to four known Android security bugs, comes rooted out of the box, and disables by default the security configuration setting that protects the tablet from installing apps from malicious third-party sources. It had one of the lowest Trust Scores of all tested tablets."
The firm explained that the device is "pre-rooted," as "it includes 'su' installed by the factory meaning an attacker is given unfettered access to the system without having to run an exploit to gain this access" and that it "disables by default the security configuration setting that protects the tablet from installing apps from malicious third-party sources."
Walmart and Amazon may have the biggest selection of bad Androids
At Walmart, Bluebox purchased multiple tablets, including the store's "value of the day" Pioneer tablet that ships with two known but unpatched vulnerabilities as well as Ematic and RCA tablets that both had three vulnerabilities and a Nextbook tablet with two, which earned the designation of being "one of the 'best of the worst' tablets in the lineup."
A Worryfree Gadgets Zeepad Android tablet sold by Walmart comes with "two major Android security vulnerabilities, has USB debugging turned on by default, comes with a security backdoor pre-installed."
Walmart bad android tablet
Bluebox also found that a few tablets shipped with known "adware/riskware," including a pirate version of Angry Birds resigned by the device vendor.
"This means the vendor could have modified Angry Birds to collect more information than the authors originally intended to," the firm explained. "This also precludes the version of Angry Birds on the tablet from ever receiving updates from the original developer, as the signing keys are different."
Bluebox Labs offers security scanner for bad Androids
Bluebox offers its Trustable app on Google Play to evaluate known security flaws and settings on devices. The company also provides an Android User Security Guide checklist for Android 4.0 and later devices, which includes suggestions to disable insecure Android features such as NFC, DLNA file sharing and screen mirroring, particularly on Samsung devices.
The security firm noted that higher priced Android tablets are more likely to ship without known vulnerabilities or security misconfigurations, and cited both the Samsung Galaxy Tab3 and the Google-branded Nexus 9 by HTC as being "trustable."
However, the majority of Android tablet shipments are bargain devices; Google's Nexus 9 is purportedly not actually intended to sell but rather to provide a model for Android vendors to follow. For many vendors, following Google's lead is not in their own self interest, particularly among AOSP devices that are intended to sell apps from third party stores or harvest data from unsuspecting buyers.
Comparing Apples to Androids
The security firm concluded, "be aware that not all devices are security equals. Bluebox Labs routinely sees a lot of below-average security for bargain Android devices. We recommend avoiding these if you can; otherwise, only use them for low-risk activities like simple gaming, media entertainment, and public web browsing. We recommend that you avoid conducting online banking, making purchases or storing sensitive data on these devices - if you do, you will be putting your data at risk."
Bluebox also offers a much shorter iOS User Security Guide; Apple's implementation of NFC, AirDrop file sharing and AirPlay screen mirroring are all secure enough for Bluebox to not recommend that users turn them off in its security guide.
Bluebox does not maintain a vulnerability scanner app for iOS, which is unaffected by Masterkey, FakeID, Heartbleed and Futex. Apple also does not allow third party vendors to sell modified versions of iOS with security features removed or disabled, and regularly issues security patches for its iOS users.
If you want on or off the Mac Ping List, Freepmail me.
Every windows PC on earth ships with security vunerabilities. It is what updates are for.
This article says everyone sells the worst droid, who was it written by, Apple Sales Department?
Absolutely true. Many of these low end Android Tablets are non-updatable. When you buy a $49 tablet, it isn't going to be a very good maker who provides access to updates. Most people who buy them aren't going to have a clue about how to Root them and install something better than the pre-installed junk.
Look again. This article is basically talking about bargain bin Android tablets, not the higher end tablets, and even recommends some.
My son installed the latest Mac Mini for me. I’m still learning.
Very cool so far.
There must be trouble in Appleland if the fanboys are floating this hit piece.
Aren’t these the same people that scream about “Apple haters” all the time?
And yet here is the chief troll. When he isn’t posting slobbering adulation about Apple, he scrapes around for negative articles about their competition.
Are you insinuating that the tablets mentioned in the article run a Windows operating system while the article clearly states they're Android devices?
If you read carefully, you can see Swordmaker was quoting another Freeper that said that. He wasn’t insinuating anything.
I always find it amusing when people get absolutely incensed at some perceived slight to their choice of operating system.
I have found the anger is far greater, and people go out of their way to inject vitriol far more often on one side than another.
I wonder why that is so?
YES - a competitive article of “don’t buy the Android - buy the Apple instead”...
Apple does do a better job screening the app’s to where they are clean before they arrive on the iStore so to speak...
My house hold - we have both Android and iPads...but setting up security and downloading a reputable anti-virus for either should allows b priority #1 for any computer system - be it desktop, laptop, or mobile device.
My Windows phone has a 1080 x 1920 screen.
So, my son’s tablet could infect all devices through the WiFi?
Does anyone know anything about this “Trustable” app? I’ve an android that I’ve not bothered to root yet because it’s mainly a book reader/web browser. I’d really like to see something like chkrootkit that could look for common things. Unfortunately, in order to install something like chkrootkit, you’d probably have to root the device :-(
I have read that e-cigs and vaporizers that plug into computer USB ports for recharging have been found to be infecting the machines with malware. Take care and do due diligence when purchasing/using those devices, or charge only with the 110v power adapter...
Possible, but doubtful. More likely they will be seeking ID data.
These guys look trustable, but who knows. So did Dr. Web out of Russia.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.