Security firm Bluebox Labs tested a dozen Black Friday bargain Android tablets from major retailers including Amazon, Best Buy, Kmart, Kohl's, Staples, Target and Walmart and reported "shocking" security flaws, malware and active backdoors installed on the new devices.
All of the dozen different "doorbuster" Android tablets Bluebox examined were found to include unpatched Android vulnerabilities including Masterkey, FakeID, Heartbleed and Futex, while more than a quarter were sold with security misconfigurations or active backdoors installed.
While Google has released patches for both flaws— in addition to Android's Heartbleed and Futex bugs— the fact is that major retailers are actively promoting new Android products that still harbor these unpatched vulnerabilities. Several devices also ship with remote exploits wide open, block access to Google Play and deactivate security features Google has added to Android.
Best Buy offers one of the worst
Among the worst devices being sold was a DigiLand Android tablet offered by Best Buy, which was running software signed by the Android Open Source Project test key. The security firm noted this key "is not supposed to be used for signing the firmware of commercial devices because it allows an attacker to easily create a Trojan system update!"
The Best Buy device also ships with the USB debugging connection to the device running with root privileges, "which means the device effectively comes rooted out of the box," Bluebox noted.
Best Buy markets the tablet as having a 1024 x 600 resolution (lower than Apple's first generation iPad from four years ago) that "showcases media in crisp detail," and is powered by MediaTek quad-core processor with basic ARM Mail 450 graphics "for lush images." Best Buy's web page says that "92 percent of customers would recommend this product to a friend."
Target, Kmart, Kohls, Staples, Walgreen marketing bad Android tablets for the holidays
RCA Mercury Android tablets sold by Target ship with "two known vulnerabilities out of the box," as does Kmart's Mach Speed Xtreme Android tablet. The latter device also "disables the security configuration setting that protects the tablet from installing apps from malicious third-party sources."
A Zeki Android tablet sold by Kohl's "was the worst tablet encountered out of the entire lineup," the firm stated, detailing that it "is vulnerable to four major Android security vulnerabilities, has USB debugging turned on by default, comes with a security backdoor pre-installed, is signed by the AOSP test key, and doesn't include Google Play-thus it requires the use of third-party app markets, which do not benefit from Google's extra app security screening process."
Kohl's website presents the Zeki tablet portraying a waving Android mascot and indicates the device does support Google Play and pictures it as being bundled with other Google apps, despite being an AOSP device.
A Mach Speed JLab Pro-7 tablet sold by Staple's ships with Android 4.4.2, but Bluebox notes that it includes customizations to remove security features Google added in 4.4.2, including a patch to prevent data theft via its USB port. The cheap device is also packaged with "developer mode and USB debugging enabled by default."
The firm noted that a Black Friday special Polaroid A7 Android tablet offered by Walgreen's appears to be the same model that Amazon sells, which it states "is vulnerable to four known Android security bugs, comes rooted out of the box, and disables by default the security configuration setting that protects the tablet from installing apps from malicious third-party sources. It had one of the lowest Trust Scores of all tested tablets."
The firm explained that the device is "pre-rooted," as "it includes 'su' installed by the factory meaning an attacker is given unfettered access to the system without having to run an exploit to gain this access" and that it "disables by default the security configuration setting that protects the tablet from installing apps from malicious third-party sources."
Walmart and Amazon may have the biggest selection of bad Androids
At Walmart, Bluebox purchased multiple tablets, including the store's "value of the day" Pioneer tablet that ships with two known but unpatched vulnerabilities as well as Ematic and RCA tablets that both had three vulnerabilities and a Nextbook tablet with two, which earned the designation of being "one of the 'best of the worst' tablets in the lineup."
A Worryfree Gadgets Zeepad Android tablet sold by Walmart comes with "two major Android security vulnerabilities, has USB debugging turned on by default, comes with a security backdoor pre-installed."
Bluebox also found that a few tablets shipped with known "adware/riskware," including a pirate version of Angry Birds resigned by the device vendor.
"This means the vendor could have modified Angry Birds to collect more information than the authors originally intended to," the firm explained. "This also precludes the version of Angry Birds on the tablet from ever receiving updates from the original developer, as the signing keys are different."
Bluebox Labs offers security scanner for bad Androids
Bluebox offers its Trustable app on Google Play to evaluate known security flaws and settings on devices. The company also provides an Android User Security Guide checklist for Android 4.0 and later devices, which includes suggestions to disable insecure Android features such as NFC, DLNA file sharing and screen mirroring, particularly on Samsung devices.
The security firm noted that higher priced Android tablets are more likely to ship without known vulnerabilities or security misconfigurations, and cited both the Samsung Galaxy Tab3 and the Google-branded Nexus 9 by HTC as being "trustable."
However, the majority of Android tablet shipments are bargain devices; Google's Nexus 9 is purportedly not actually intended to sell but rather to provide a model for Android vendors to follow. For many vendors, following Google's lead is not in their own self interest, particularly among AOSP devices that are intended to sell apps from third party stores or harvest data from unsuspecting buyers.
Comparing Apples to Androids
The security firm concluded, "be aware that not all devices are security equals. Bluebox Labs routinely sees a lot of below-average security for bargain Android devices. We recommend avoiding these if you can; otherwise, only use them for low-risk activities like simple gaming, media entertainment, and public web browsing. We recommend that you avoid conducting online banking, making purchases or storing sensitive data on these devices - if you do, you will be putting your data at risk."
Bluebox also offers a much shorter iOS User Security Guide; Apple's implementation of NFC, AirDrop file sharing and AirPlay screen mirroring are all secure enough for Bluebox to not recommend that users turn them off in its security guide.
Bluebox does not maintain a vulnerability scanner app for iOS, which is unaffected by Masterkey, FakeID, Heartbleed and Futex. Apple also does not allow third party vendors to sell modified versions of iOS with security features removed or disabled, and regularly issues security patches for its iOS users.