Blog

The story of how I found malware on my ‘brand new’ OnePlus 2 from Kogan

*UPDATE 13/10/2015: I’d like to thank everyone for sharing and viewing this post. In two days, this post amassed over 70,000 views, made the Frontpage of Reddit, and was covered by numerous Tech Blogs including Android Authority and Gizmodo. In light of this, Kogan have removed the sale of the OnePlus 2 from their website. However, as I alluded in the post, the problem lies with multiple devices they’ve sold and not just the OnePlus 2, so it will be interesting to hear their statement on the matte*r.

*UPDATE 14/10/2015: I have been contacted by Kogan and they have put the pre-installed malware down to a new supplier that they had began sourcing from. They have now ceased any dealings with this supplier, and are getting in touch with other consumers who have bought a OnePlus 2 from Kogan (and linked to this supplier) in order to offer them various options around refunds/returns, or guides on how to flash an official firmware on their devic*e.

Like many others, I didn’t want to wait the next 6–8 months to receive a OnePlus 2 invite. So, when I read that my local Australian retailer Kogan was selling the OnePlus 2 on their website, I was definitely interested. Sure, the cost of the phone was about $100 more than ordering from OnePlus directly, but the immediate availability of the device made the decision a no-brainer for me.

The majority of products that re-sellers like Kogan stock are grey imports. There are a number of similar ‘reputable’ grey-import companies in Australia, notably, DWI, eGlobal, Expansys and Mobicity. So, when buying a product from one of these companies, you can be sure that the product will not be local stock. However, these companies have a decent enough track record for warranty claims and repairs. This makes purchases from these sites a bit more reliable than the likes of an eBay seller.

When I received my shiny new OnePlus 2, I ripped opened the packaging and inside I found a Chinese wall charger. Along with this though, Kogan had added in the box an Australian adapter. Fair enough. I knew the stock was not local, however, having the adapter within the box indicated that the original packaging had been opened previously. Regardless, I booted up the device and began the setup process.

The OnePlus 2 ships with Oxygen OS, which is a near-stock experience of Android with minor changes. However, scrolling through the pre-installed apps on the device, I found a surprising amount of bloatware. Apps like ‘Clean Master’, notorious for containing adware, and some others that I hadn’t previously heard of, such as ‘Magic Photo’, ‘DC Share’, ‘KK Browser’, and ‘Search’ (not Google Search, but a third party app) to name a few. I found this particularly odd, as Oxygen OS out of the box only contains the default Google Apps (Maps, Search, YouTube, Messenger, etc.) The number of third-party apps pre-installed on the device indicated something else. In addition to this, the “System Update” option usually in the “About” setting of the phone, was missing, so I could not even perform a software update.

So, I contacted Kogan about the issue on Twitter.

My OnePlus 2 arrived today. Looks great so far. But came with pre-installed bloatware I did not expect. Is this from you, @Kogan?

— dev (@selfrefute) October 7, 2015

Their reply to me was a little ill-informed.

@tuesdev It’s normal of the telcos to preinstall Apps. They should be easily removed. Sorry for the inconvenience #WasntUs

— Kogan.com (@Kogan) October 8, 2015

There are a number of things wrong about this tweet. Firstly, the ‘it’s normal for the telcos to preinstall apps’ statement is not true, as the phone itself was not locked to a carrier nor did it ever belong to a carrier. It was an unlocked device which did not have any carrier information, nor did it show a carrier logo at boot-up.

Secondly, the ‘They should easily be removed’ statement is completely and utterly untrue, as the pre-installed apps were installed as system apps, which meant that they could not be uninstalled, merely ‘disabled’. The only way to remove the applications would mean flashing a different firmware on the device manually, something which not everyone may have the expertise to do.

I contacted Kogan again to tell them that these apps are installed on a system level, and can’t be uninstalled. Unless of course I unlock my bootloader, root my device, and void my warranty with the company.

@Kogan They can't be uninstalled as they are installed as system apps. Just curious - who installs them? CleanMaster, KK Browser and whatnot

— dev (@selfrefute) October 8, 2015

The company did not immediately reply.

I began to search on the internet to find others who faced similar issues and I posted this thread on Reddit. Unsurprisingly, I received a number of responses from folks who had the same bloatware pre-installed on their OnePlus 2 from Kogan. One such commentor stated how his device had **adware **out of the box.

Also attached to this comment were a couple of screenshots of the adware in full action.

Note that this is blatant adware on the overall Operating System level. Not an in-browser ad, but within the OS itself! Based on more replies, I found a number of other instances of nasties found on grey imports of this particular device.

Another user purchased his device from Expert InfoTech, and actually found **malware **on the device.

He went on to attach screenshots of the malware, detected ironically by one of the pre-installed bloatware on the device, ‘Clean Master’.

Unsurprisingly, the ‘malware’ on the device was the pre-installed apps themselves. I ran a Malwarebytes Test myself and detected Malware on my own device, however, the app would force close immediately following a malware hit, thus, not allowing me to view the logs. I’m not entirely sure if this is a bug with the Malwarebytes application, or the malware on the device being sophisticated enough to prevent the scan from taking place. Nevertheless, I was able to grab a screenshot before the application force closed.

Ironically the “Clean Master” app they pre-install has an “Antivirus”, which when you run, tells you there is malware, which can let “hackers” take control of your phone.

These are just a few of the many examples I found of people receiving modified versions of the Oxygen OS on their supposed “brand new” device. There were other horror stories too, all following the same narrative.

The solution? Well, if you have a bit of experience with flashing firmware on an Android device, the process is very simple. It’s just factory resetting the device and flashing the official signed Oxygen OS firmware through stock recovery.

But that is not the point. The point is that no one should have to go through this hassle on a brand new device. The point is that I noticed, some others noticed, but there’s countless others who may not or will not ever notice that their new device contains adware or malware which should not be there. For all the fuss manufacturers and re-sellers make about voiding your warranty if your device firmware is modified in any way, there is no excuse for receiving a phone with a modified operating system from a reputable company, containing malware.

When I contacted Kogan one final time telling them that a new phone I bought from them contained malware, this was their response.

@tuesdev Hi Dev. Intersting. Could you please lodge an enquiry through our help centre so this can be looked into: http://t.co/qJconyFemC

— Kogan.com (@Kogan) October 9, 2015

They asked me to lodge an enquiry through a form on their website. The onus should not be on the consumer, but the company itself. If anyone should be lodging an inquiry, it should be Kogan within their supply chain.

The sad truth of the matter is, of the tens of thousands of OnePlus 2 devices shipped from Kogan’s warehouses over the past few months, no one knows how many of them contained a modified firmware. Many users will never know what apps ‘should’ ship with their device, what is safe, and what is unsafe. It is the responsibility of the re-seller to ensure that the device they are selling is one which they are liable for.

This post is not meant to name and shame Kogan. As demonstrated in the entirety of the article, the problem affects many re-sellers of grey imports. I hope this post goes some way in ensuring consumers are aware of some of the dangers of purchasing grey-imports, while re-sellers step up their efforts in a bid to eliminate any form of malicious content present on the devices they sell. The point of the article is also not to put people off the OnePlus 2, (which, to be fair is a brilliant device), and purchasing directly from OnePlus would not result in the fiasco I had. However, there are a number of countries including Australia where it is not possible to get the OnePlus 2 from official channels, and so consumers like me pip their hopes in grey imports.

Edit 13/10/2015: I’m almost certain that any pre-installed malware is not placed there by OnePlus OR Kogan, but somewhere in between. As the majority of these phones originate from China, it is also most likely that these grey imports are the OnePlus 2 devices **designed **for China (which do not require an Invite to buy, can be bought outright and run a different Operating System), which would be running the Chinese ‘Hydrogen’ Operating System. When organisations like Kogan buy these in bulk for the international market, these suppliers flash the ‘international variant’ Oxygen OS on the device. Which would go in some way to explain the pre-opened packaging, in order for them to install a firmware compatible for the international market. However, as it turns out, it is not always the official firmware provided by OnePlus, but a custom image in some cases containing malicious content.