Android 2.3.6 phone... bugged?

[VirtualLarry]

I'm noticing quite a bit of background data transfer on my phone. I think it's either bugged, or part of a botnet.

As I understand it, this version of Android is vulnerable to a stagefright exploit (well, according to something I read, something like 95%+ of all Android phones are).

I received a couple of odd text messages a few weeks ago. They could have just been spam, who knows. I didn't read them, but my understanding is that isn't required for the stagefright exploit to take place.

Anyways, I'm rather pissed at my carrier, for not updating my phone, or at the very least, indicating on my account control-panel that the current version of the ROM on my phone is: 1) Vulnerable to a serious remote exploit, and 2) That the carrier refuses to do anything about it, thus I should upgrade my phone.

My feeling is that, because they refuse to release updates, my phone (as they sold it to me) is no longer "fit for purpose", and that they should make me whole, by offering a discount towards a phone that doesn't have the exploit. (Android 5.0.1 or newer.)

 

[sweenish]

That seems presumptuous and arrogant.

And it shows a complete lack of understanding between the OEM/carrier relationship. And a complete lack of understanding of just how widespread Stagefright is. And how simple the fix actually is in lieu of a security update.

I mean, I almost feel like this should be considered a troll or satire post, but I know it isn't. Isn't Gingerbread something like 6 years old now? Did you buy a new phone with an OS half a decade old? Or are you just clinging to this hardware, shaking your fist at the wrong company? Is it still under contract?

 

[podspi]

I have to disagree, sweenish. I think today, where phones are no longer really bundled with service, you have a point. But people on old contracts purchased the phone bundled with service. I remember back in the day, regardless of where you were in your contract (within reason), if your phone broke VZW would make sure you got a new one.

That being said, it seems like Stagefright has been overblown for most modern handsets due to other security features present in Android. Gingerbread does not have these protections so it IS possible the phone is infected, but probably unlikely. I'd do a factory reset.

And good luck getting a mobile carrier to do anything for you these days...

 

[sweenish]

I guarantee that contract has expired. There's no guarantee of anything at that point. Not sure what point you're trying to make. And it glosses over all the other points I made.

Carriers don't MAKE updates. They push them. OP should be mad at the OEM. And only the carrier when they delay pushing the update.

The "within reason" you mention is just the warranty. There was never the good old days or carriers.

So I'm not really sure what you're trying to say. This thread is a joke. And the sad part is it wasn't intentional.

 

[VirtualLarry]

That seems presumptuous and arrogant.

That what I paid for, out of pocket, should work the way it's supposed to?

And it shows a complete lack of understanding between the OEM/carrier relationship.

Why should that matter to me, the end-user? I just want a phone that works right.

And a complete lack of understanding of just how widespread Stagefright is. And how simple the fix actually is in lieu of a security update.

I read on ARS that 95% of Android phones are vulnerable. And that the bug was fixed in Lollipop. And that it was a big snafu between the carriers, the mfgs, and Google and that hardly anyone was going to get an update patch, that wasn't on a Nexus phone.

So, what is this simple fix? Don't forget about the second stagefright exploit, there's actually two of them.

I mean, I almost feel like this should be considered a troll or satire post, but I know it isn't. Isn't Gingerbread something like 6 years old now? Did you buy a new phone with an OS half a decade old? Or are you just clinging to this hardware, shaking your fist at the wrong company? Is it still under contract?

No contract. I bought it maybe 4 years ago. Still working fine, except for suddenly starting to consume data, even though I haven't installed any new apps, well, pretty-much ever. I even went into settings, and disabled app background updates.

http://www.amazon.com/Samsung-Galaxy-Exhibit-T-Mobile-t679/dp/B00607JBNO
Says it was released Oct 2011.

Edit: Tmobile released an Android 4.4.4 stagefright patch for Samsung Galaxy S4.
http://www.android.gs/t-mobile-rele...t-security-patch-for-samsung-galaxy-s4-users/

 

[VirtualLarry]

Carriers don't MAKE updates. They push them. OP should be mad at the OEM. And only the carrier when they delay pushing the update.

Ok, so then, why hasn't Samsung issued a stagefright patch for the Galaxy Exhibit 4G? It's still being sold, or at least it was recently on ebay, new.

And given the branding and whatnot, I'm not certain that the carriers have no input on the software contained within the phone.

 

[Commodus]

Your phone is using an operating system that was new in 2010. Even if you were using an iPhone (the only phone that really gets long-term support), your device would be beyond the pale of reasonable software update schedules. Most Android vendors should support phones longer than they do, but they're not obliged to support you for the entire functional lifespan of the device.

If you're concerned about getting Android security fixes for as long as possible, grab a Nexus 5X... or or maybe a newer Motorola phone like the current Moto G. They're both relatively inexpensive and should get timely updates for roughly a couple of years. And if two years is too short, buy an iPhone.

 

[sweenish]

That what I paid for, out of pocket, should work the way it's supposed to?

4 YEARS AGO. You're beyond any warranty for electronics.

Why should that matter to me, the end-user? I just want a phone that works right.

Understandable.

Taking the whole situation into consideration, naive at best. However, being mad at the carrier is ignorant, and will get you nowhere. What's a good analogy, here? Yelling at the oil change place because you got a flat tire? Yelling at MS when your new printer doesn't work on Windows 98? Yelling at your wife when you stub your toe? Basically yelling at someone that's not responsible for whatever happened. So yeah, keep huffing and puffing at the wrong company. See if that ever gets you anything.

I read on ARS that 95% of Android phones are vulnerable. And that the bug was fixed in Lollipop. And that it was a big snafu between the carriers, the mfgs, and Google and that hardly anyone was going to get an update patch, that wasn't on a Nexus phone.

So, what is this simple fix? Don't forget about the second stagefright exploit, there's actually two of them.

Thanks, but I actually read up on Stagefright at the time. No need to tell me about it. The simple fix is to simply not auto-download MMS messages, as that's the most likely attack vector. I actually have a hard time believing Ars didn't mention that. But then again, it is Ars.

Security updates were released to the Nexus line, which was on Lollipop at the time. I can almost guarantee that your phone couldn't even run Lollipop.

No contract. I bought it maybe 4 years ago. Still working fine, except for suddenly starting to consume data, even though I haven't installed any new apps, well, pretty-much ever. I even went into settings, and disabled app background updates.

So, you're moaning and whining about a lack of security updates, and you disabled app updates? Hot dang.

And no contract. Just wow.

How did you manage to inflate your ego like that? Your sense of entitlement is strong. You're just paying for service, and that's what the carrier is providing you.

At this point, your only course of action is to factory reset the phone, as was said. Probably with the SIM card out. Until you turn off auto-download for MMS messages. And then give yourself a reality check.

There's an inherent hypocrisy in turning off app updates while demanding security updates. Naive is thinking that 4 year old hardware can run the latest OS. We only just got to "good enough" hardware two years ago or so. Anything older than that is complete garbage for running the latest mobile OS's. And after your latest reply, willfully ignorant most aptly describes why you think being mad at the carrier is justified.

EDIT: "new," on ebay (EBAY, not even the OEM), holding carrier responsible. How is this a serious thread? Just, how?

 

[VirtualLarry]

IMHO, mobile phones are as important as cars. I would be in support of legislation that required the end-user to be supported with security patches, because it's clear that the mobile phone industry is only after profits, and doesn't care about the end-user.

Though I wouldn't be in favor of manditory patches.

 

[VirtualLarry]

Most Android vendors should support phones longer than they do, but they're not obliged to support you for the entire functional lifespan of the device.

That may be true, but I believe that carriers also have an obligation to their customers, to inform them if their phone is: 1) No longer supported, and 2) Currently vulnerable to exploits.

Not only is this the responsible thing to do, it also provides for an upgrade revenue stream, if the carriers (and OEMs) don't offer update patches.

 

[ControlD]

There are plenty of 4.4.4 ROMs available at XDA. If you are really that worried about it take matters into your own hands. The carriers aren't going to help you.

 

[VirtualLarry]

4 YEARS AGO. You're beyond any warranty for electronics.

My warranty on that phone was 90 days, I think. Does that mean, that I, as a consumer, should expect to have to purchase a new phone every 90 days, to be able to stay "supported"? IOW, I don't believe that warranty length on the hardware, should have anything to do with the support lifecycle of the software contained within.

Taking the whole situation into consideration, naive at best. However, being mad at the carrier is ignorant, and will get you nowhere. What's a good analogy, here? Yelling at the oil change place because you got a flat tire? Yelling at MS when your new printer doesn't work on Windows 98? Yelling at your wife when you stub your toe? Basically yelling at someone that's not responsible for whatever happened. So yeah, keep huffing and puffing at the wrong company. See if that ever gets you anything.

I think that you took the gist of my post slightly out of context. The carrier SHOULD be aware of: 1) My device (they show it in my account control panel), 2) My firmware revision on that device, 3) whether that device is still supported from the OEM, and 4) whether there are any outstanding security vulns for that device.

Thanks, but I actually read up on Stagefright at the time. No need to tell me about it. The simple fix is to simply not auto-download MMS messages, as that's the most likely attack vector. I actually have a hard time believing Ars didn't mention that. But then again, it is Ars.

I think that I read that too, but I went looking for that setting, and as far as I can tell, it isn't present on my phone.

So, you're moaning and whining about a lack of security updates, and you disabled app updates? Hot dang.

No, I disabled background data transfers, to see if it would stop the data indicator from lighting up. And I don't have any apps on the phone to update, other than what shipped on it.

And no contract. Just wow.

Why the he** should I be tied to an onerous post-paid cell contract?

How did you manage to inflate your ego like that? Your sense of entitlement is strong. You're just paying for service, and that's what the carrier is providing you.

I dunno man, I think your ego is bigger than mine.

I paid for a phone from T-mobile, out of pocket. I just want it to work properly, without serious remote exploits. If that's "ego" and "entitlement" to want what I paid for to work, then I can only suggest that you have been totally brainwashed by faceless greedy corporations.

At this point, your only course of action is to factory reset the phone, as was said. Probably with the SIM card out. Until you turn off auto-download for MMS messages. And then give yourself a reality check.

Reality check? You mean, not choosing to place a hefty donation in a corporate altar every year?

There's an inherent hypocrisy in turning off app updates while demanding security updates.

I didn't disable app updates. But I don't have any apps to update!
Btw, are you saying that an OTA firmware update would be delivered to the phone as an "app update", and not when I select "check for firmware updates"?

Naive is thinking that 4 year old hardware can run the latest OS.

Why do I need the latest OS? All I need is a re-compiled build of my current OS, with the stagefright patch applied. Surely that's not an impossible request.

 

[VirtualLarry]

I went looking at my applications' memory usage. There's an entry for "com.logmein.rescue". I've never put LogMeIn on my phone. Is that an indication that it's backdoored?

Also, there are two entries for "My Account", with slightly different icons.

Edit: An entry for "AudioTestApp", 0.0KB. Curious name to be found on a production phone release, don't you think?

Edit: Also "Terminal Emulator" and "wipeoutreceiver".

Edit: found this:
http://androidforums.com/threads/how-to-root.472523/
Seems to indicate that the logmein stuff is pre-installed?

 

[poofyhairguy]

I don't think any of us think that disagree that the system for Android updates is mostly broken. But stagefright really isn't a big deal for any phone with Jellybean or newer and that OS came out in 2012. There are currently no Android devices from 2012 that still get OS updates anyway, so the best thing to do is factory reset if you are scared (after backing up data) and then using an app like Textra going forward that provide some stagefright protection.

 

[Commodus]

That may be true, but I believe that carriers also have an obligation to their customers, to inform them if their phone is: 1) No longer supported, and 2) Currently vulnerable to exploits.

Not only is this the responsible thing to do, it also provides for an upgrade revenue stream, if the carriers (and OEMs) don't offer update patches.

This still puts the onus on OEMs more than it does carriers, though. Phone makers have to indicate that they've either dropped support or plan to do it, and either is rare. They tend to either have unstated policies or aren't completely sure which update will be their last. Google and HTC are some of the few that explicitly say when they'll stop rolling out updates. It'd be good if those that are up front about updates relayed that information to carriers, of course.

As for the LogMeIn thing, it's hard to say. Have you tried a factory reset on the phone (if you've got your stuff backed up) to see whether it's there on a clean phone? If it is, then it's probably carrier- or OEM-supplied stuff that you don't need to worry about. If not, it could be anything from malware to some app you've installed that speeds up your login.

 

[VirtualLarry]

I don't think any of us think that disagree that the system for Android updates is mostly broken. But stagefright really isn't a big deal for any phone with Jellybean or newer and that OS came out in 2012. There are currently no Android devices from 2012 that still get OS updates anyway, so the best thing to do is factory reset if you are scared (after backing up data) and then using an app like Textra going forward that provide some stagefright protection.

Well, I ordered a new phone this morning. Another Samsung (seems like OK build quality and longevity, Google-induced software issues aside), entry-level, Android 5.1 Lollipop. It was $150-ish. That's around the max that I can afford to drop on a phone, every 4 years.

Edit: It was $165 from the T-Mobile store. $100 for the phone, $40 for the pre-paid card, $15 for the SIM kit, and $10 for tax. Note that that is the only way that they sell the pre-paid phones, and you can't remove the pre-paid card nor the SIM kit from the cart, it's a bundle. Which is a PITA, since I don't need the SIM, and paying $15 for a SIM seems excessive, considering that you can get one for $0.99 from T-Mobile for BYOP.

 

[Tegeril]

Takes issue with Samsung phone not receiving updates, buys new Samsung phone.

 

[VirtualLarry]

Takes issue with Samsung phone not receiving updates, buys new Samsung phone.

I'm sure that you would make the same complaint about someone that complained about lack of XP support, then went on to buy a new Windows 10 PC.

Edit: It's not like I can get the newest Nexus for $100 new, right?

Edit: And I wanted a T-Mobile phone, so I could use WiFi calling.

Edit: I spoke to a relative tonight, he said that his phone (a Samsung from 3 years ago) just got an update, for the stagefright vuln. However, previously, that phone also got two other OS updates over the years. So, evidently, still supported, though 3 years old. (I don't know the exact model of phone.)

I wonder if I will ever see a patched Android 2.3.6 for this phone? Or if I should root and ROM this, with whatever newest Android that they have over at XDA.

 

[tsupersonic]

Well, I ordered a new phone this morning. Another Samsung (seems like OK build quality and longevity, Google-induced software issues aside), entry-level, Android 5.1 Lollipop. It was $150-ish. That's around the max that I can afford to drop on a phone, every 4 years.

Have you not learned your lesson? If you want an Android phone that gets updates, get a Nexus. Or, if you have a popular device, just root & install a custom ROM. Or, go the iPhone route.

 

[poofyhairguy]

Edit: It's not like I can get the newest Nexus for $100 new, right?

No, but you could get a Nexus 5 for $150 used:

https://swappa.com/listing/PYV244/view

That would have the newest OS today and another year guaranteed.

 

[midwestfisherman]

You've got an old phone. No company is going to support a 5+ year old phone.

$99 gets you a new up to date Moto E, and there are plenty more good phones to choose from in that price range
Put on your big boy pants and pony up for a new phone. Problem solved!

 

[VirtualLarry]

Have you not learned your lesson? If you want an Android phone that gets updates, get a Nexus.

Clue me in. I was under the understanding, that those phones were the first to get updates, and not the only ones to get updates. I thought all other (major-brand, not Chinese throwaway brands) Android phones got updates, within a reasonable time-frame (2-3 years). My Galaxy Exhibit 4G had an update released for it, bringing it to 2.3.6. However, when I bought it, the update was already applied.

Are you seriously suggesting that this new (brand-new, not even in stock right now) Samsung Android 5.1 phone, might NOT get 6.0 Marshmallow?

Or, if you have a popular device, just root & install a custom ROM. Or, go the iPhone route.

Speaking of popular, even though it was an entry-level phone, the Samsung Galaxy Exhibit II and 4G were fairly popular phones. Maybe not quite to the level of the Galaxy SIII, but still.

Edit: This is the phone I ordered. Looks kinda like a freaking iPhone, not that I desire that. Oh well. It checked all of the features for me.
http://prepaid-phones.t-mobile.com/prepaid-phone/Samsung-GALAXY-CORE-Prime-Prepaid

Edit: I'm hoping that this phone finally has enough power to run Skype. My current phone only has like 256MB or 512MB of RAM. My Android 4.4 tablet with 512MB of RAM didn't have enough RAM to Skype and web-browse at the same time. (But it had a quad-core, and CPU was no problem. RAM was.)

Edit: My current phone has 512MB. See here:
http://www.amazon.com/Samsung-Galaxy-Exhibit-T-Mobile-t679/dp/B00607JBNO

Edit: Sigh. I guess I got suckered by T-Mobile again. According to GSMArena, the Core Prime was released in Nov 2014. So it's a year old already. T-Mobile said it was a new item, with Android 5.1, which I thought had just come out.
http://www.gsmarena.com/samsung_galaxy_core_prime-6716.php

Hmm again. Now I'm legit pissed. GSMArena says the phone has optional dual-SIM, but uses micro-SIM. T-Mobile site said nothing about Micro-SIM, they just said "SIM". If I can't simply put my SIM from my Exhibit into the Core Prime, it's going back.

 

[tsupersonic]

Clue me in. I was under the understanding, that those phones were the first to get updates, and not the only ones to get updates. I thought all other (major-brand, not Chinese throwaway brands) Android phones got updates, within a reasonable time-frame (2-3 years). My Galaxy Exhibit 4G had an update released for it, bringing it to 2.3.6. However, when I bought it, the update was already applied.

Are you seriously suggesting that this new (brand-new, not even in stock right now) Samsung Android 5.1 phone, might NOT get 6.0 Marshmallow?


Speaking of popular, even though it was an entry-level phone, the Samsung Galaxy Exhibit II and 4G were fairly popular phones. Maybe not quite to the level of the Galaxy SIII, but still.

Edit: This is the phone I ordered. Looks kinda like a freaking iPhone, not that I desire that. Oh well. It checked all of the features for me.
http://prepaid-phones.t-mobile.com/prepaid-phone/Samsung-GALAXY-CORE-Prime-Prepaid

Edit: I'm hoping that this phone finally has enough power to run Skype. My current phone only has like 256MB or 512MB of RAM. My Android 4.4 tablet with 512MB of RAM didn't have enough RAM to Skype and web-browse at the same time. (But it had a quad-core, and CPU was no problem. RAM was.)

Edit: My current phone has 512MB. See here:
http://www.amazon.com/Samsung-Galaxy-Exhibit-T-Mobile-t679/dp/B00607JBNO

Edit: Sigh. I guess I got suckered by T-Mobile again. According to GSMArena, the Core Prime was released in Nov 2014. So it's a year old already. T-Mobile said it was a new item, with Android 5.1, which I thought had just come out.
http://www.gsmarena.com/samsung_galaxy_core_prime-6716.php

Hmm again. Now I'm legit pissed. GSMArena says the phone has optional dual-SIM, but uses micro-SIM. T-Mobile site said nothing about Micro-SIM, they just said "SIM". If I can't simply put my SIM from my Exhibit into the Core Prime, it's going back.

Yes, the Nexus are typically the first to get updates, and seem like they get updated for a longer period of time.

Android updates are a mess. Every manufacturer is different. Let's take Motorola for instance. They released their 2015 version of the Moto E (Moto's super-budget Android phone). This phone is NOT getting upgraded to Android 6/Marshmallow even though it has very similar specs to the 2015 Moto G, which is getting upgraded to Marshmallow.

Your "new" phone probably won't get Marshmallow. You really need to do more research before you buy a phone...You just found GSMArena, which is an excellent site. Read tons of reviews. Know what you're getting into, since you keep your phones for a long time.

BTW, SIM size isn't a big deal. You can cut them to size, or get adapters if you need. Worst case scenario, go to a T-mobile store, and they'll help you out.

 

[VirtualLarry]

BTW, SIM size isn't a big deal. You can cut them to size, or get adapters if you need. Worst case scenario, go to a T-mobile store, and they'll help you out.

I knew that you can cut them, but I don't really trust myself to do it correctly, and not even sure I trust a T-Mobile store to cut them. What happens, if I want to move it to a phone that takes a full-size SIM again? Am I screwed?

Can a corporate T-Mobile store transfer subscriber info between a standard SIM and a newer micro-SIM, rather than cut it? (Assuming that's what's included in the SIM kit for this new phone.)

I mean, if worst comes to worst, I could have them cut it, but I'm worried that I might have issues with the new phone, that would result in me wanted to go back to my current phone, and sell off the new one.

Some people were complaining about Lollipop running out a RAM, and being a pig in general. Is that true? Should I not want a Lollipop 5.1 or 5.1.1. phone? Is Marshmallow going to be "so much better", that I should cancel the order for this phone, and wait for native Android 6.0 phones to appear?

Edit: Another thing about cutting - how long do SIMs last, electrically and electronically speaking? Mine is pretty old, it's from a flip-phone that I had previously.

 

[jhu]

Well, I ordered a new phone this morning. Another Samsung (seems like OK build quality and longevity, Google-induced software issues aside), entry-level, Android 5.1 Lollipop. It was $150-ish. That's around the max that I can afford to drop on a phone, every 4 years.

Edit: It was $165 from the T-Mobile store. $100 for the phone, $40 for the pre-paid card, $15 for the SIM kit, and $10 for tax. Note that that is the only way that they sell the pre-paid phones, and you can't remove the pre-paid card nor the SIM kit from the cart, it's a bundle. Which is a PITA, since I don't need the SIM, and paying $15 for a SIM seems excessive, considering that you can get one for $0.99 from T-Mobile for BYOP.

I'm sceptical of this considering you keep posting about all the cheap $100-$200 computing devices you keep buying.

With regard to phones that get updates, just get a Nexus (Nexus 4 < $100, Nexus 5 <$200). You can get them cheap used. Other option is to buy phones that are easily bootloader unlocked and has third party ROMs so you can update it yourself (ie HTC phones, some Motorola phones, some Samsung phones but usually not USA versions, all the Nexus phones, some LG phones especially the G2).