Can You Trust Cheap Chinese Phones with Your Privacy?

Should you trust a low-priced Android phone from a brand you've never heard of with your security and privacy? It might not be such a wise idea.

Illustration: Tom's Guide

Illustration: Tom's Guide

The fact is that many low-priced Android smartphones have had security and privacy problems. In late July, Russian antivirus firm Dr.Web reported that models sold under the Leagoo and Nomu names had a malicious program built right into the firmware.

Then, just last week, Amazon suspended sales of phones marketed by BLU after researchers reported that snooping adware was built into the devices. (By Friday, Amazon was selling the phones again.)

"If you buy a cheap Android phone, you're playing a dangerous game of Russian roulette with your privacy and security." — Graham Cluley, security threat researcher and blogger

The upshot is this: You should really think twice before buying an Android phone from an unfamiliar manufacturer. Be wary of any smartphone that costs less than $100 unlocked. If a smartphone doesn't cost much, and doesn't make you watch ads, then you have to wonder how else the company makes money.

MORE: Best Android Antivirus Software and Apps

"If you buy a cheap Android phone, you're playing a dangerous game of Russian roulette with your privacy and security," said Graham Cluley, an independent threat researcher and blogger. "Going cheap runs the risk of costing you big in the long run."

Do Your Research

That doesn't mean all cheap smartphones are dangerous. But if you're considering buying a budget device, treat the process as if you were buying a used car.

"Lenovo's Motorola brand and TCL's Alcatel sell inexpensive smartphones designed for the U.S. market which have not been implicated in these scandals, even though the parent companies are both based in China." — Avi Greengart, research director, GlobalData

Research the model, the brand, and the seller's reputation. See what kind of customer service each brand offers. Don't take anyone at their word — and don't trust that the customer reviews on every site are real.

"You're going to have a relationship with that device for two-plus years," said Ramon Llamas, research manager of wearables and mobile phones with market-intelligence firm IDC. "Find out what the manufacturer's history has been regarding privacy. Ask yourself whether you'd be comfortable with it."

Those are just some of the stories we've written in the past few years after yet another Android handset's security was found to be wanting: "Chinese Android Phones May Have Built-In Backdoor." "Chinese Smartphone May Come Preloaded with Spyware." "3 Million Cheap Chinese Phones Wide Open to Hackers." "Xiaomi Mi4 Smartphone May Have Malware Preinstalled."

The common thread is that the phones are all classified as "Chinese," which is a little unfair. Almost all smartphones are manufactured in China, including phones designed and sold by Apple, Google and Samsung. And some Chinese brands, such as Xiaomi, OnePlus and Huawei, have good reputations, despite Xiaomi's inclusion in the stories above.

"Not all inexpensive phones have had this problem," said Avi Greengart, research director of consumer platforms and devices with market-research firm GlobalData. "This is more about the original target market for the device than the price point."

"Until last December, BLU phones also sent truly personal information — users' text messages, contact lists and call logs — to Chinese servers. That problem has apparently been fixed."

But have you heard of Leagoo? Doogee? Oukitel? Homtom? Most people have not. These makers are among dozens of brands whose Android phones retail online for less than $100.

I wouldn't trust phones made by any of these companies — for all I know, they could be sending my personal information back to a server in China, or contain glaring security flaws that could let an attacker easily hijack the phone or add malware.

"Privacy and data-security expectations are clearly different in China than in the West," Greengart said. "Lenovo's Motorola brand and TCL's Alcatel brand sell inexpensive smartphones specifically designed for the U.S. market which have not been implicated in these scandals, even though the parent companies — Lenovo and TCL — are both based in China."

MORE: 8 Cheap Android Smartphones (Under $200) Ranked Best to Worst

BLU Brouhaha

You may have heard of BLU, which is an American firm based in Miami that sells nice-looking phones for prices ranging from $50 to $170. We've reviewed a couple of its phones and liked them. But most of BLU's phones are actually rebadged versions of phones made by Gionee, which is one of the bigger Chinese device makers you've never heard of.

BLU argued against Amazon suspending sales of its devices earlier this week, which was done due to spyware concerns. It's debatable whether collecting and transmitting your phone's location data and device information — such as phone number, serial number, SIM card ID and other uniquely identifying information — constitutes spying. After all, that's the same information that your cellular carrier collects as part of its business in order to keep your device running.

The only difference here is that all that information is going not just to AT&T or T-Mobile, but also to servers in China. Until last December, BLU phones also sent truly personal information — users' text messages, contact lists and call logs — to  Chinese servers. That problem has apparently been fixed.

We believe BLU when its representatives tell us that the company's phones are no longer collecting personal data and that BLU won't switch the feature back on in the future. Amazon clearly believes BLU too, because the retail giant is selling the phones again. And we like that BLU, unlike most of the direct-from-China retailers, has a toll-free support number you can call if anything goes wrong.

Whom Can You Trust?

Despite assurances from BLU and other companies that they can be trusted, you should still be skeptical of any brand you haven't heard of before, even when you're lured in by that cheap price.

"There have been too many cheap 'never-heard-of-them' brands online found to be harboring malware," Cluley said. "It may not be the manufacturers' fault — it might be that they were meddled with somewhere along the supply chain. But it makes little difference to the consumer."

But if you don't want to worry about your phone's security, or your privacy, then stick to the better-known brands. Amazon has dozens of phones selling for $150 made by Samsung, Motorola, HTC, Alcatel and LG. The specs on these devices may not be as good as what you'll get from the no-name brands, but at least you'll know what you're getting.

"You live your life through your phone these days," Cluley said. "It has to be worth paying a little bit more to have some degree of confidence that you're using a safe device."

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.