Counterfeit mobile phones are everywhere
A growing problem, worldwide
Fake handbags, fake watches, fake news—these are all so familiar to us now that we don’t give them a
thought and accept them as a matter of course. So it should come as no surprise to us that counterfeit
widespread also. How widespread? The EU’s Intellectual Property Office (EU IPO) was curious about this also
commissioned a study in 2017 to find out.
The key findings are as follows:
- 180m counterfeit mobile phones are sold globally per annum
- This represents a potential loss of €45bn to device manufacturers
- Counterfeit devices represent about 13% of mobile phones sold globally, or 8% in the EU.
This report is freely available from
the EU IPO website
So, whether you realise it or not, your users are already using these devices. As the report suggests,
this isn’t a problem confined to faraway places—it’s a global problem that manifests everywhere.
The International Telecommunications Union (ITU) has a study group
dedicated to the threat and mobile device manufacturers have grouped together under the
Mobile and Wireless Forum to counter fake devices.
So what are these devices like? What are their characteristics? Let’s find out.
Anatomy of a counterfeit phone
Counterfeiters need to make sure that their products pass as authentic until the sale has taken place. The
first step in ensuring this is to make packaging indistinguishable from the genuine article, and sure
enough, the counterfeit phone packages are identical to the real ones.
Once you open the box, all expected accessories such as headphones, chargers and cables will be present and
functional. Finally, the counterfeit phones themselves are physically perfect—the dimensions, screen, fit
and finish are usually indistinguishable from a genuine item, even when compared side by side.
The best way to get a sense of what these devices are like is to watch a presentation we did at Mobile World Congress 2019.
The full presentation can be viewed here.
Costs and margins
Counterfeit phones normally retail at one tenth the price of their authentic counterparts. How can they
manage this while still selling at a profit? There are two main reasons:
- While the phones are physically perfect on the outside they are severely deficient internally. In summary, while externally a device will typically look like the latest flagship, internally it will be equipped with components dating back several years. So instead of getting a 2019 8-core Snapdragon CPU, you will typically get a 2015-era 4-core CPU running at a lower frequency coupled with a very feeble GPU.
- While on the hardware side you get less than you expected, the opposite is often the case with the software package: pre-installed unremovable malware is often found.
It's already established that some authentic smartphones come with pre-installed malware
so it shouldn't surprise the reader to learn that counterfeit devices take this to the next level.
We have experienced several cases of pre-installed malware
on counterfeit devices that we’ve acquired. Motherboard had a similar experience when
they tore down a fake iPhone X
In some cases the device will sit quietly for a couple of weeks before reaching out to a command-and-control network to retrieve instructions.
We have experienced keyloggers, DDoS hosts and ransomware in addition to invasive ads. You really don’t want these devices on your
network unless you enjoy paying ransoms to regain access your family photos.
Malware appears to be a part of the business model of counterfeiters i.e. paid placement to improve margins.
The EU IPO's March 2019 report
confirms this danger to consumers.
Compromised operating systems
Counterfeit phones invariably run very old Android distributions, typically versions of Android 4. They
employ numerous tricks to pass muster with users, however.
First, the operating system will deliberately misreport many details such as the make and model of the
device, RAM, storage, CPU cores and so on.
Secondly, the OSes are skinned to look correct for the phone they purport to be. This even extends to to
making Android look exactly like iOS, complete with ersatz app store, a complete suite of Apple apps, the
Control Center and Notifications panel.
Counterfeit phones usually have faked security implementations, both hardware and software. As an example,
the fingerprint sensors go through the motions of registering user fingerprints but in fact will unlock with
any human touch. Users don’t realise that they are unprotected.
Why you should care
If you are a web or app developer there is a strong reason to care about these devices: security. User data
in an app or web page running on these devices cannot be considered secure thanks to untrusted OS
distributions, malware and keyloggers. Not only are your users’ data and credentials at risk, so too are
your back end platforms since anything that happens on these devices must be considered compromised. Do you
really want a mobile banking app running on a compromised phone? Good apps don’t run on bad platforms.
App developers have something else to worry about too. Counterfeit phones are invariably severely
underpowered and lack important hardware features compared with their real counterparts. This can lead
unwitting users that have a poor experience to give a poor review in the app store.
Finally, the problem is getting worse due to two parallel trends:
- The devices are getting easier to obtain thanks to widespread ecommerce marketplaces;
- The counterfeits are getting so good that some users might not even realise that they have been duped.
What is an app or web developer to do? We launched DeviceAssure, a sister product of DeviceAtlas, at Mobile
World Congress in February 2019 to solve this problem. Packaged as a native app or web library, it allows
app or web developers to determine if the device they’re running on is authentic or fake, and then decide
what to do. As an example, if running on a counterfeit device, a mobile banking app or second-factor
authentication app might choose to display a warning and then shut down rather than endangering the user by
continuing to function. The authenticity check process is very quick and does not impact existing app
functionality. The result of the authenticity check can be surfaced to the user or not, depending on the use
You can find out more at deviceassure.com.