A growing problem, worldwide
Fake handbags, fake watches, fake news—these are all so familiar to us now that we don’t give them a moment’s thought and accept them as a matter of course. So it should come as no surpise to us that counterfeit phones are widespread also. How widespread? The EU’s Intellectual Property Office (EU IPO) was curious about this also and commissioned a study in 2017 to find out.
The key findings are as follows:
- 180m counterfeit mobile phones are sold globally per annum
- This represents a potential loss of €45bn to device manufacturers
- Counterfeit devices represent about 13% of mobile phones sold globally, or 8% in the EU.
This report is freely available from the EU IPO website.
So, whether you realise it or not, your users are already using these devices. As the report suggests, this isn’t a problem confined to faraway places—it’s a global problem that manifests everywhere. The International Telecommunications Union (ITU) has a study group dedicated to the threat and mobile device manufacturers have grouped together under the Mobile and Wireless Forum to counter fake devices.
So what are these devices like? What are their characteristics? Let’s find out.
Anatomy of a counterfeit phone
Counterfeiters need to make sure that their products pass as authentic until the sale has taken place. The first step in ensuring this is to make packaging indistinguishable from the genuine article, and sure enough, the counterfeit phone packages are identical to the real ones.
Once you open the box, all expected accessories such as headphones, chargers and cables will be present and functional. Finally, the counterfeit phones themselves are physically perfect—the dimensions, screen, fit and finish are usually indistinguishable from a genuine item, even when compared side by side.
The best way to get a sense of what these devices are like is to watch a presentation we did at Mobile World Congress 2019. The full presentation can be viewed here.
Costs and margins
Counterfeit phones normally retail at one tenth the price of their authentic counterparts. How can they manage this while still selling at a profit? There are two main reasons:
- While the phones are physically perfect on the outside they are severely deficient internally. In summary, while externally a device will typically look like the latest flagship, internally it will be equipped with components dating back several years. So instead of getting a 2019 8-core Snapdragon CPU, you will typically get a 2015-era 4-core CPU running at a lower frequency coupled with a very feeble GPU.
- While on the hardware side you get less than you expected, the opposite is often the case with the software package: pre-installed unremovable malware is often found.
It’s already established that some authentic smartphones come with pre-installed malware so it shouldn’t surprise the reader to learn that counterfeit devices take this to the next level. We have experienced several cases of pre-installed malware on counterfeit devices that we’ve acquired. Motherboard had a similar experience when they tore down a fake iPhone X. In some cases the device will sit quietly for a couple of weeks before reaching out to a command-and-control network to retrieve instructions. We have experienced keyloggers, DDoS hosts and ransomware in addition to invasive ads. You really don’t want these devices on your network unless you enjoy paying ransoms to regain access your family photos.
Malware appears to be a part of the business model of counterfeiters i.e. paid placement to improve margins. The EU IPO’s March 2019 report confirms this danger to consumers.
Compromised operating systems
Counterfeit phones invariably run very old Android distributions, typically versions of Android 4. They employ numerous tricks to pass muster with users, however.
First, the operating system will deliberately misreport many details such as the make and model of the device, RAM, storage, CPU cores and so on.
Secondly, the OSes are skinned to look correct for the phone they purport to be. This even extends to to making Android look exactly like iOS, complete with ersatz app store, a complete suite of Apple apps, the Control Center and Notifications panel.
A parallel app ecosystem
Counterfeit phones often come with pre-provisioned versions of some popular apps, such as Facebook and Whatsapp. Are they authentic versions of these apps? It’s hard to tell, but it’s safe to assume that they’re compromised in some way, even if they appear to work correctly. Yet unwitting users will blindly type in their authentication details, oblivious to the dangers.
With iPhone counterfeits, given that these phones actually run a skinned version of Android, the counterfeiters have had to build an entire separate Android app store that looks like the iOS app store, but stocked with Android apps. The same security concerns apply here: the provenence of these apps is completely unknown, and thus they represent a big security risk. Most users won’t realise the threat and will go ahead and install apps without wondering where they are coming from.
Counterfeit phones usually have faked security implementations, both hardware and software. As an example, the fingerprint sensors go through the motions of registering user fingerprints but in fact will unlock with any human touch. Users don’t realise that they are unprotected.
Why you should care
If you are a web or app developer there is a strong reason to care about these devices: security. User data in an app or web page running on these devices cannot be considered secure thanks to untrusted OS distributions, malware and keyloggers. Not only are your users’ data and credentials at risk, so too are your back end platforms since anything that happens on these devices must be considered compromised. Do you really want a mobile banking app running on a compromised phone? Good apps don’t run on bad platforms.
App developers have something else to worry about too. Counterfeit phones are invariably severely underpowered and lack important hardware features compared with their real counterparts. This can lead unwitting users that have a poor experience to give a poor review in the app store.
Finally, the problem is getting worse due to two parallel trends:
- The devices are getting easier to obtain thanks to widespread ecommerce marketplaces;
- The counterfeits are getting so good that some users might not even realise that they have been duped.
What is an app or web developer to do? We launched DeviceAssure, a sister product of DeviceAtlas, at Mobile World Congress in February 2019 to solve this problem. Packaged as a native app or web library, it allows app or web developers to determine if the device they’re running on is authentic or fake, and then decide what to do. As an example, if running on a counterfeit device, a mobile banking app or second-factor authentication app might choose to display a warning and then shut down rather than endangering the user by continuing to function. The authenticity check process is very quick and does not impact existing app functionality. The result of the authenticity check can be surfaced to the user or not, depending on the use case.