Trail Of Bits counterfeit smartphones teardown

In July 2018, Motherboard published details of a fake iPhone, investigated by Trail Of Bits, a New York-based software security group.

We published our own brief rundown of the various threats contained in a fake iPhone we bought online for $100. However, we thought we’d share the devices with Trail of Bits to highlight just how dangerous counterfeit smartphones can be, and the threats they can introduce to your network.

What they discovered was solid confirmation of the threat.


From The Depths Of Counterfeit Smartphones

The wonderfully-titled article from Trail of Bits gives an accurate nod to just how much bad things were found within the devices analyzed.

We sent them a counterfeit iPhone 6 and Samsung Galaxy S10. Both devices easily pass a visual check, even feeling like the genuine article, such is the quality of the production process. It’s hard not to be impressed with their efforts.

“Proper attention to peripheral layout, dimensions, and overall finish is almost identical to their retail counterparts.”



Once the phones are turned on, any positive sentiments disappeared.

We’ll break down the nastier elements discovered in subsequent articles, but here’s an overview of the threats:

Unpatched vulnerabilities

Both phones we provided to Trail of Bits claimed to be running Android Pie 9.0, which would be a fairly secure OS. However, on further inspection this was a lie, with the iPhone running Android 4.4 and the Samsung running Android 5.1. Both are old and contain many unpatched security risks.

Outdated kernels

Both phones also showed signs of outdated kernels which, similar to the OS itself, contain bugs that have been successfully exploited, such as DirtyCow and Towelroot.


Malware was present on both devices, with Umeng, an invasive analytics library, enabling drive-by downloads and multiple rooting exploits. We’ll discuss this in further posts on the topic.

Remote Access Trojans (RATs)

The Galaxy S10 included a RAT masquerading as a font extension system service – “LovelyFonts”. This allows for remomte code execution, file upload/download and the logging of system events.

“This RAT provides unlimited access to the person who planted it there, enabling total compromise of the phone and all its data.”

If you used one of these phones, you’d already be hacked

The investigation by Trail of Bits confirms just how dangerous counterfeit smartphones are. Should one sneak past your defences, whether personal or corporate, your data and the data of any network or device you connect with is at risk.

You can view the full report here (PDF).

An adequate, effective defence is the only way to prevent this, and DeviceAssure is the solution. Read more about how we can help here. You can view our Blackhat2019 presentation below.

Share on: