The story of how I found malware on my ‘brand new’ OnePlus 2 from Kogan.
Like many others, I didn’t want to wait the next 6–8 months to receive a OnePlus 2 invite. So, when I read that my local Australian retailer Kogan was selling the OnePlus 2 on their website, I was definitely interested. Sure, the cost of the phone was about $100 more than ordering from OnePlus directly, but the immediate availability of the device made the decision a no-brainer for me.
The majority of products that re-sellers like Kogan stock are grey imports. There are a number of similar ‘reputable’ grey-import companies in Australia, notably, DWI, eGlobal, Expansys and Mobicity. So, when buying a product from one of these companies, you can be sure that the product will not be local stock. However, these companies have a decent enough track record for warranty claims and repairs. This makes purchases from these sites a bit more reliable than the likes of an eBay seller.
When I received my shiny new OnePlus 2, I ripped opened the packaging and inside I found a Chinese wall charger. Along with this though, Kogan had added in the box an Australian adapter. Fair enough. I knew the stock was not local, however, having the adapter within the box indicated that the original packaging had been opened previously. Regardless, I booted up the device and began the setup process.
The OnePlus 2 ships with Oxygen OS, which is a near-stock experience of Android with minor changes. However, scrolling through the pre-installed apps on the device, I found a surprising amount of bloatware. Apps like ‘Clean Master’, notorious for containing adware, and some others that I hadn’t previously heard of, such as ‘Magic Photo’, ‘DC Share’, ‘KK Browser’, and ‘Search’ (not Google Search, but a third party app) to name a few. I found this particularly odd, as Oxygen OS out of the box only contains the default Google Apps (Maps, Search, YouTube, Messenger, etc.) The number of third-party apps pre-installed on the device indicated something else. In addition to this, the “System Update” option usually in the “About” setting of the phone, was missing, so I could not even perform a software update.
So, I contacted Kogan about the issue on Twitter.
My OnePlus 2 arrived today. Looks great so far. But came with pre-installed bloatware I did not expect. Is this from you, @Kogan?
— Dev (@tuesdev) October 7, 2015
Their reply to me was a little ill-informed.
— Kogan.com (@Kogan) October 8, 2015
There are a number of things wrong about this tweet. Firstly, the ‘it’s normal for the telcos to preinstall apps’ statement is not true, as the phone itself was not locked to a carrier nor did it ever belong to a carrier. It was an unlocked device which did not have any carrier information, nor did it show a carrier logo at boot-up.
Secondly, the ‘They should easily be removed’ statement is completely and utterly untrue, as the pre-installed apps were installed as system apps, which meant that they could not be uninstalled, merely ‘disabled’. The only way to remove the applications would mean flashing a different firmware on the device manually, something which not everyone may have the expertise to do.
I contacted Kogan again to tell them that these apps are installed on a system level, and can’t be uninstalled. Unless of course I unlock my bootloader, root my device, and void my warranty with the company.
@Kogan They can't be uninstalled as they are installed as system apps. Just curious - who installs them? CleanMaster, KK Browser and whatnot
— Dev (@tuesdev) October 8, 2015
The company did not immediately reply.
I began to search on the internet to find others who faced similar issues and I posted this thread on Reddit. Unsurprisingly, I received a number of responses from folks who had the same bloatware pre-installed on their OnePlus 2 from Kogan. One such commenter stated how his device had adware out of the box.
Also attached to this comment were a couple of screenshots of the adware in full action.
Note that this is blatant adware on the overall Operating System level. Not an in-browser ad, but within the OS itself! Based on more replies, I found a number of other instances of nasties found on grey imports of this particular device. Another user purchased his device from Expert InfoTech, and actually found malware on the device.
He went on to attach screenshots of the malware, detected ironically by one of the pre-installed bloatware on the device, ‘Clean Master’.
Unsurprisingly, the ‘malware’ on the device was the pre-installed apps themselves. I ran a Malwarebytes Test myself and detected Malware on my own device, however, the app would force close immediately following a malware hit, thus, not allowing me to view the logs. I’m not entirely sure if this is a bug with the Malwarebytes application, or the malware on the device being sophisticated enough to prevent the scan from taking place. Nevertheless, I was able to grab a screenshot before the application force closed.
Ironically the “Clean Master” app they pre-install has an “Antivirus”, which when you run, tells you there is malware, which can let “hackers” take control of your phone.
These are just a few of the many examples I found of people receiving modified versions of the Oxygen OS on their supposed “brand new” device. There were other horror stories too, all following the same narrative.
The solution? Well, if you have a bit of experience with flashing firmware on an Android device, the process is very simple. It’s just factory resetting the device and flashing the official signed Oxygen OS firmware through stock recovery.
But that is not the point. The point is that no one should have to go through this hassle on a brand new device. The point is that I noticed, some others noticed, but there’s countless others who may not or will not ever notice that their new device contains adware or malware which should not be there. For all the fuss manufacturers and re-sellers make about voiding your warranty if your device firmware is modified in any way, there is no excuse for receiving a phone with a modified operating system from a reputable company, containing malware.
When I contacted Kogan one final time telling them that a new phone I bought from them contained malware, this was their response.
They asked me to lodge an enquiry through a form on their website. The onus should not be on the consumer, but the company itself. If anyone should be lodging an inquiry, it should be Kogan within their supply chain. The sad truth of the matter is, of the tens of thousands of OnePlus 2 devices shipped from Kogan’s warehouses over the past few months, no one knows how many of them contained a modified firmware. Many users will never know what apps ‘should’ ship with their device, what is safe, and what is unsafe.
It is the responsibility of the re-seller to ensure that the device they are selling is one which they are liable for.
This post is not meant to name and shame Kogan. As demonstrated in the entirety of the article, the problem affects many re-sellers of grey imports. I hope this post goes some way in ensuring consumers are aware of some of the dangers of purchasing grey-imports, while re-sellers step up their efforts in a bid to eliminate any form of malicious content present on the devices they sell. The point of the article is also not to put people off the OnePlus 2, (which, to be fair is a brilliant device), and purchasing directly from OnePlus would not result in the fiasco I had. However, there are a number of countries including Australia where it is not possible to get the OnePlus 2 from official channels, and so consumers like me pip their hopes in grey imports.
Editor's Note: Kogan have since replied with a comment on the story:
"We have been made aware of the issue and we take these things very seriously. We are investigating with the distributor and are asking the customer to return the phone to confirm the issue."
This post originally appeared on Medium. Republished with permission.