How one TECNO phone is putting users' privacy and security at risk

Privacy International bought a TECNO smartphone, and we discovered serious concerns with the phone’s operating system and pre-installed apps.

Key findings
  • Privacy International bought a TECNO Y2 in Uganda for testing and discovered serious concerns with the phone’s operating system and pre-installed apps.
  • Our report shows that this TECNO phone in comes with an extremely outdated operating system. The phone’s operating system is Android 4.4.2, which was first released 8 years ago!
  • The phone puts users at risk with a number of security vulnerabilities that have been discovered in Android 4.4.2, more than 200, 19 of which received the highest possible score (10.0) on the Common Vulnerabilities and Exposures framework
Long Read
The TECNO Y2 on a desk

When you buy a brand-new low-cost phone, it’s likely to come pre-installed with insecure apps and an outdated operating system. What this means is that you or your loved ones could be left vulnerable to security risks or to having their data exploited. Privacy shouldn’t be a luxury. That’s why we advocate for companies to provide the latest security features and privacy protections for both low- and high-cost phones.

Long Read

Research by Privacy International shows that cheap smartphones come with a hidden cost: pre-installed apps that can't be deleted and that leak your data.

Privacy International has been researching and raising the alarm about manufacturers of low-cost phones which can leave users exposed and at risk. In 2019 we showed how the MyPhone Mya 2 was filled with pre-installed apps that put users at risk and couldn’t be uninstalled. This piece is another instalment of our research in this area.

Enter TECNO - a phone manufacturer who has a 47% market share in East Africa.

TECNO are based in Shenzhen, China. They are subsidiary of Transsion Holdings - who made $5.7bn in revenue in 2020 and also sell phones under the Itel and Infinix brands.

In 2019 Privacy International (PI) bought a TECNO Y2 in Uganda for testing and discovered serious concerns with the phone’s operating system and pre-installed apps. Concerningly, the TECNO Y2 we looked at was certified by Google, but more on that later.

Here’s what we found.

Outdated Operating System

The core issue with the TECNO Y2 is its operating system. The phone comes with Android 4.4.2 - a system that was released in December 2013.

At the time of release of the TECNO Y2, Android 5 and 6 were the only versions of Android receiving regularised security updates. When PI and our partners purchased this phone in 2019 and 2020 respectively, the 4.4.2 version of Android had not received a security update in over four years.

This version of Android currently has over 200 vulnerabilities. Nineteen of these vulnerabilities are scored the maximum 10 on the Common Vulnerabilities and Exposures framework. This means that phones that use this out-dated version of Android are easy to exploit. They are left vulnerable to hackers, spam, and other bad actors. And they aren’t going to get fixed - Android has stopped releasing security updates for 4.4.2.

The most prevalent of these vulnerabilities is related to Stagefright, which is a 2015 critical vulnerability. The vulnerability affects how Android processes multimedia messages over the Short Messaging Service (MMS over SMS). An attacker needs only send a specially crafted multimedia messages (like a picture) to fully compromise the device. The user doesn’t even have to open the message to have their device compromised.

There are also numerous further vulnerabilities relating to mediaserver, which is Android’s internal indexing service for videos and images. An indexing service keeps an index of the files on a device and allows them to be searched. This means a specially crafted video (generally) can be sent to the device via any method (Bluetooth, WhatsApp, HTTP Download), and be used to gain complete access to the device.

Advocacy

A coalition of 11 civil society organisations have called on TECNO to make serious changes to their practices protect users privacy and security.

The Y2 was discontinued by TECNO in November 2019 – which was after PI bought our Y2 and a year before our partners bought theirs. At the time TECNO stopped manufacturing the phone, it had been in production – with an increasingly outdated operating system – for four years.

PI have found examples of the TECNO Y2 phone being sold in stores with this extremely outdated operating system as recently as 2020. And we have found it and similar devices by TECNO using Android 4.4 available online in 2021. This means that even though a person would be buying the phone brand new, its operating system could be over 7 years out of date, and incredibly insecure.

Further, because of how it is designed, the phone’s operating system is difficult to update. The device firstly needs to be rooted, which is a process that allows a person to gain administrative access to the device. This requires a person to disable security apparatus put in place to protect the user.

Rooting the device, in of itself, potentially opens the device up to further compromise, possibly breaks warranty coverage, and may prohibit access to certain networks and apps. PI worked with our partners at The Centre for Intellectual Property and Information Technology Law (CIPIT) at Strathmore Law School in Nairobi, Kenya and found rooting the Y2 complex and difficult.

This means that the minute you buy a new TECNO Y2 phone and turn it on, any data you put on the device is at risk of being compromised, at no fault of your own. As smartphones have become an extension of almost every aspect of our lives, from capturing life events in photos, to online banking and social media, the trove of information a malicious actor could recover is nearly limitless. Furthermore, the attacker can use the initial compromise to maintain access, potentially allowing them to track the device’s location and intercept communications in real time.

We asked TECNO if they release information or a list of devices that they have stopped supporting, but as of time of writing they have not responded to this question.

As a market leader and as one of the top three mobile phone brands in Africa, TECNO should better protect their customers by not releasing devices with out-of-date operating systems, significantly extending the timeframe of their security support for their phones, and by making sure consumers are aware of the ‘expiration’ date of their phone’s security.

Google’s Role – Android Play Partner

Google’s role in this is also important to highlight. Despite these vulnerabilities, TECNO is an Android certified partner company - and the TECNO Y2 phone is ‘Play Protect Certified’. When a device is Play Protect Certified, it means that it has been “tested for security and performance” by Android. Android is a brand owned by Alphabet.

Android currently works with a range of partner phone manufacturers to ‘certify’ specific devices.

This should mean that the outdated version of Android being shipped on this device was signed off by Android’s engineers at some point. What tests Google does, what standards they use, or when or how often these tests are carried out are not clear, as the paragraph below taken from a page about Play Protect shows:

We provide hundreds of tests to ensure Play Protect certified devices adhere to the Android security and permissions model and have software builds with recent security updates. Play Protect certified devices are also required to ship without pre-installed malware and include Google Play Protect, a suite of security features such as automatic virus scanning and Find My Device. This provides baseline protection against malware, privacy hacks and more.

These devices are then able to be sold with the Play store and some other Google apps, such as YouTube, pre-installed. The phones often carry Google’s ‘Play Protect’ branding, suggesting that this relationship with Google is a selling point.

We asked Google for they response to this research and they said that they don’t disclose security tests, to avoid giving bad actors information about how to work around them. However, what is of primary concern to PI is not the specific checks, but how phones like the TECNO Y2 slip through, leading to the question of how much faith can consumers put in a device branded ‘play protect.’

It is unacceptable that Google don’t mandate that companies ship phones with the latest version of Android - or at the very least a version of Android that is still receiving support and updates.

And it raises the question (again) of what Google considers an adequate standard to pass their security tests.

Google told PI that the security review is done at a specific moment in time, and that it can’t include vulnerabilities that haven’t been discovered yet. But to reiterate – PI’s concern is not that this phone has vulnerabilities, it’s that Android apparently looked at this phone and decided that the fact it would not receive security updates was not an issue. Our concern is this lack of security updates, and the fact that – from the moment of purchase – this phone, and the people using it, were made vulnerable.

When asked, Google told PI that in 2019 they added expiration dates for their approval of devices that come with Google’s apps preloaded. Specifically, after a set period of time, Google’s approval of the software that interacts with the hardware of the phone (firmware) will expire and should no longer be used on newly launched devices. In rare cases, Google allow original equipment manufacturers to sell through existing stock, but it’s the intent to discontinue the use of the previously approved, but outdated, firmware to enhance user security and safety.

This is in some ways a great step forward, but it’s not clear to PI how a consumer is supposed to know when those expiration dates are. For example, if the expiration date was to be printed on the boxes play protected phones, consumers could have a better idea of the security of their devices.

Lack of meaningful consent with pre-installed apps

In addition to concerns around poor security on low-cost devices, we are also concerned about the ways in which phone manufacturers or their vendors might potentially use the phone as a trojan horse to make additional profit. That is, there are numerous tactics that malicious actors have used in other cases, for example for data harvesting, cryptomining or other nefarious monetary schemes.

This has reportedly been a problem for TECNO in the past.

In 2020 Buzzfeed reported on software that came pre-installed on the TECNO W2. The software used the internet data that people had purchased to use for their own browsing, to sign them up to paid subscription services.

In that case, TECNO blamed a “vendor in the supply chain process” for the software and cited Google Play Protect as one of a serious of “rigorous security checks” pre-installed software goes through.

Once the issue was discovered, TECNO told the BBC they had released a fix that users can go download.

In the TECNO Y2’s case, the phone contains a number of football-related pre-installed apps and themes for the phone. These wallpapers include multiple trackers – including a third party tracker called ‘Umeng’.

Below is the structured metadata from the app, which lists the permissions it has and the trackers it uses. The file name – strangely – is ‘Flick_shoot.apk’. Flick shoot is a football game available on Google Play, but the application is actually a wallpaper called ‘Fingersoccer’.

 

{
  "application": {
    "handle": "com.idddx.lwp.fingersoccer",
    "version_name": "1.0.14",
    "version_code": "15",
    "uaid": "21607BE8D20B8992C0D6621B48F6667D433E258C",
    "name": "Flick shoot",
    "permissions": [
      "android.permission.WRITE_EXTERNAL_STORAGE",
      "android.permission.ACCESS_NETWORK_STATE",
      "android.permission.ACCESS_WIFI_STATE",
      "android.permission.INTERNET",
      "android.permission.READ_PHONE_STATE",
      "android.permission.READ_LOGS",
      "android.permission.SYSTEM_ALERT_WINDOW"
    ],
    "libraries": []
  },
  "apk": {
    "path": "/media/smartphones/TECKNO_Y2_2018/system/app/Flick_shoot.apk",
    "checksum": "d5f6943b906b3be607cd4e14f35c78dd418275b50d9d5115210a8dc899ee8fb6"
  },
  "trackers": [
    {
      "name": "Google Analytics",
      "id": 48
    },
    {
      "name": "Google Tag Manager",
      "id": 105
    }
  ]
}

In the above example, it is unclear why the wallpaper needs the ability to access the phone’s internet or read the phone’s logs.

The ‘Read Logs’ permission is particularly pernicious. This is because the phone’s log is essentially a record of events in the phone’s history, for example, recording information from the Android Covid-19 contract tracing app. What gets included in the log varies app to app, but it may also include personal data. Android has recommended the permission isn’t used by third party apps, meaning if this was an app that was being offered in the Play Store, it would not be a permission the app would be allowed to include.

Due to complex access control reasons, what and who can read which logs varies by app, phone and version of Android. On the Y2, we don’t believe that the app can access information outside its own logs, but this isn’t true for all apps.

Whilst the ‘Read logs’ issue is particularly alarming, some of the other permissions are also concerning. If someone downloaded an app that included the permission ‘Read Phone State’ as is the case in the above Flick Shoot example, they would be prompted by their phone to confirm that they want to consent to such broad access. However, because this TECNO phone has the app pre-installed, the app comes pre-approved, and users are not given the opportunity to deny such access.

Low-cost phones tend to come with a suite of pre-installed apps. This means that users of such phones don’t always have the chance to agree or disagree to the sometimes-broad permissions that these apps require. The company that installed the app, in this case TECNO, instead can decide for the user what they do or consent to, and what information they are okay sharing.

Irremovable Bloatware

Another problem with pre-installed apps - frequently called bloatware - is that they can take up valuable space on a device. This space cannot be recovered on the phone because the apps can’t be easily deleted.

For instance, some of the pre-installed apps and wallpapers on the TECNO Y2 are on the system partition.

This is part of the phone where the operating system is normally installed – the user doesn’t have permission to change things in the system partition without ‘root’ or ‘admin’ permissions. This means that data in the system partition can’t be easily deleted by a user - they would again need to root the phone.

Examples of many of the pre-installed apps on the phone.

We asked TECNO about their use of pre-installed apps. They told us that:

We think it is very productive for users to have the pre-installed apps, especially considering the availability of inexpensive data in sub-Saharan Africa, we wouldn’t want a user to have to download these over the metered cellular. All the pre-installed apps were unique to local preference, and they were the most popular and most frequently used apps for end users. Moreover, in low-RAM Android devices like TECNO Y2, the number of preloaded apps was strictly limited according to different memory sizes to afford users more space.”

While this position is not unreasonable, it fails to mitigate any of our concerns around pre-installed apps not being capable to be uninstalled or broad permissions being pre-selected or third party trackers being included.

We followed up with them and asked: how do you know which apps are so popular with users so that they should be pre-installed?

They said: “There are many factors to consider. However, in general, it’s a data-driven decision-making process based on big data acquired through the Google Play store ranking, as well as small data such as local consumer insights. Of course, we will also consider the preference of apps among different consumer groups.”

Google play store ranking is public information, but not all of the apps that come pre-installed on the Y2 are available on the play store – for example, it comes with a series of interactive wallpapers such as the fingersoccer wallpaper mentioned above.

Those wallpapers are in the system partition and are therefore uninstallable. According to TECNO, which pre-installed apps to include in this partition is a decision based on “user's normal use and the original intention of purchasing TECNO-branded android mobile phones”.

This is an argument that, to some extent we’ve heard before (from Google) – there are some apps the usefulness of which may not be clear to the user but are required for the phone to work. These apps – which provide the genuinely basic functions of the phone make sense to include in the system partition and can include things such as the SIM card services (to allow the phone to communicate with your cell provider) the devices (virtual) keyboard or Bluetooth functionality, to name but a few.  These apps should not include trackers or any extraneous features.

However, interactive wallpapers don’t seem to fall into this category. Apps that are ‘nice to have’ rather than necessary such as those related to ‘differentiated user experiences’ should absolutely be capable to be uninstalled.

Outdated and Insecure Apps

Moreover, some of the pre-installed apps’ versions on the TECNO Y2, are from around 2016 - the year that the device was first released. Some of these apps are not on the Google Play Store, such as the ‘fingersoccer’ wallpaper above, and there is no third-party update mechanism on the device. This means that there is no way for users of the TECNO Y2 phone to receive updates to these apps, should a critical vulnerability arise.

Unlike other phones that PI has tested, many of the pre-installed apps on the TECNO Y2 (although not all) are in the user partition, rather than the system partition, meaning they are accessible to the user. This means that they are both removable and can be updated via the Play Store, should the user have a valid Google account.

While ideal best-practice would be shipping phones without excessive pre-installed bloatware that users never asked for and don’t want, the next best thing is this: for phone companies to allow users to choose which apps they want taking up space on their devices, and to make sure that those apps are updatable - meaning they can be patched if significant security flaws are uncovered.

Overall, the TECNO Y2 has 8gb of space, but comes with 4.8gb of actual free space. Some of that is possible to recover by uninstalling the apps that come in the user partition. This would account for 411mb of extra space. However, a portion of the 8gb of space is taken up by Android itself. The bottom-line is that the amount of space the phone is advertised with does not seem to be the amount of space that people actually get.

Conclusion

When a person can’t afford a high-cost phone, PI’s research shows that frequently your only option might be a phone with compromised privacy and security protections.

Being in an economically vulnerable position should not mean losing your privacy. Companies have a responsibility to protect their consumers. For these reasons, Privacy International makes the following recommendations to TECNO and Google:

Recommendations for TECNO

  • TECNO should ship phones with a supported version of the Android operating system.
  • TECNO should do their best to support the longevity of their devices and therefore combat e-waste. They must tell consumers, at the point of sale, how long their device will be supported, provide regular updates to the device, and notify users when continuing to use a device poses a risk to their privacy or security.
  • TECNO should minimise the amount of bloatware, superfluous apps and other extras that come pre-installed on their phones. Whenever bloatware is included, it should exist in the user partition and therefore be visible to and removable by the user.

Recommendations for Google

  • Google should only certify phones with versions of Android which still receive security updates - this may mean revisiting their phone certifications regularly.
  • Google should improve the transparency of the Play Protect certification for the consumer
Advocacy

A coalition of 11 civil society organisations have called on TECNO to make serious changes to their practices protect users privacy and security.

Correction

TECNO emailed us after we released the report to clarify - when they told us they "maintain a 90-day security patches freshness for all devices at any price point", they did not mean that devices only recieve 90-days of updates, instead they meant devices recieve updates every 90-days for 2 years from launch.

Google and TECNO both provided us with statements which we have included below.

TECNO

The Y2 phone referenced by Privacy International is a historic handset launched in 2015, which is no longer produced nor sold by TECNO. When it was launched, it ran on a widely used Google Android software that met the standards of the time and all our current TECNO handsets are sold with the latest operating systems, regular security updates and are in line with Google’s policies. The Y2 phone has not been distributed by TECNO since 2019 and, like all mobile companies based on Google Android, we would always recommend that users upgrade to the latest software available for their device. If a handset’s software is no longer regularly updated, or the device is too old to support a system upgrade, we encourage users to purchase newer devices to ensure they are using the latest, most secure Google Android operating system. We take the privacy and security of our customers incredible seriously and we do not accept that owning an affordable phone means compromising on either.

Google

“Everyone should be able to use a phone that keeps their information secure. Android is committed to working with our ecosystem partners to help them provide better and faster updates. As of Q1 2021, nearly 1,000 device models had received a security update in the last 90 days, accounting for 87% of all devices launched in the last 24 months with more than 100,000 monthly active users. During the same period, the vast majority (95%) of devices running Android 11 had received a security update in the last 90 days.

Over the last several years, we’ve focused on making it less burdensome for our ecosystem partners to publish — and both easy and affordable for users to receive — security updates for their devices. In Android 8 we introduced Project Treble, which enabled partners to update their devices faster. With Android 10 we launched Project Mainline, which allowed additional critical components such as media and connectivity to be updated through Google Play instead of as part of a larger platform software update. These technological improvements in recent years have enabled partners to publish security updates, and upgrade devices to newly released OS versions, faster than ever before. We report these statistics publicly through our blog posts as well as within our Android ecosystem security Transparency Report, and we're always looking for ways to work with our OEM and carrier partners to continue to raise the bar.

As part of our ongoing efforts to improve the security of Android devices, in 2019 we also added expiration dates for our approval of devices that come with Google’s apps preloaded.  After a set period of time, approval for a specific version of a device’s firmware image will expire, and those images may no longer be used on new devices. In rare cases, OEMs are allowed to sell through existing stock; to enhance user security and safety, the intent is to discontinue the use of previously approved, but outdated, images.”
- Stephan Somogyi, Product Management Lead, Android Platform Security