Concerned about security on T2e Android 11 with no more security updates

Hey all, and more specifically, Teracube engineering:

Let me pick your brains on this. Recently, I got my T2e replaced with what was supposed to be a brand new replacement. In the past, I would always have done a wipe and firmware change out of an abundance of caution on any new device. However, I was busy and the phone seemed new/sealed and booted-up and went through fresh OOBE and showed no prior uptime. So I popped my sim card in and started using it.

Two days ago, I get a couple of SMS verification codes from Google Voice’s official SMS shortcode, which I ignored, aside from a quick visit to Google to make sure my account was secure and no logins had occurred from unknown devices. All looked good with no unauthorized activity, so I went about my business. A few hours later, I got an email from Google Voice that my cellular # had been removed from Google Voice as a forwarding number and attached to someone else’s GV account, meaning they were able to read my text messages. I re-added the number as a forward to my GV account, and verified using the SMS codes sent to me. I also sent an alert to GV support, but sending anything serious to Google expecting action is like sending a letter to the White House and expecting someone to actually do anything with it. At least in my experience haha!!

Fast forward a few days, I woke up this morning and a well-known social media app that I use had been hijacked. This app was NOT on the T2e, however this app uses a phone number (and SMS verification), with email as optional backup). Someone would have gone through SMS verification in order to gain access on another device. The email was changed by them but the phone number left alone. Meaning, they were able to sign into the service and get an SMS verification code, then change my email on the service to something else.

Given the fact that this seems to be an SMS intercept, it seems that one of the following is true:

A) on-network SMS intercept on T-Mobile’s system

B) the new T2e came with some malware installed

or

C) the new T2e became the victim of an attack, likely due to out-of-date security fixes exposing some vulnerability.

As a precaution, I wiped and re-flashed firmware on both the T2e and my other device (I don’t suspect the latter because it has no SMS capability), and re-built everything from scratch, passwords, yadda yadda yadda.

Pertinent facts:
1- I use a separate device with the bulk of my apps (wifi only, no cellular) for daily use

2- the new T2e was mostly factory-vanilla with only minor customization done to it (icons, look, etc) and had a lock code active

3- very few apps were installed on the new T2e phone and it was only being used for calls and SMS for the most part. No web sites had been pulled up on it yet, and although email was setup, the app has always been configured to not load anything outside of plaintext content from any messages.

4- No other device besides the new T2e had access to send/receive SMS on that cellular service

5- Wifi calling has always been turned-on, and that carries SMS also, I believe.

6- The new T2e was updated with all available security updates/patches, however, being on Android 11.x, those updates stopped a very long time ago.

Any ideas guys? Something I could be missing here? I’m doubtful that it was a hack on T-Mobile’s network. Before I wiped and re-flashed the T2e, I did look at all the running processes and didn’t see anything out of the ordinary. Like I said, it had very little of anything installed on it yet, as I had just started using it.

As Forbes noted 2.5 years ago, SMS verification is going to fail a quarter of the time, and it’s well known that the networks are often hijacked with MitM attacks which can stay dormant for extended periods of time.
If you’ve used SPflash with the known-good firmware from here, have only installed ‘safe’ apps, and are still getting compromised, it’s likely the infrastructure at fault rather than your phone.

Hi @sgray500 - sorry to hear about this situation. The issue is most likely caused by something outside the phone (carrier level maybe) as getting something on the phone would be a very-2 highly sophisticated attack and would have been public by now.

Regarding the malware part, all our units should have the bootloader locked. You can verify this by running this app.

Thanks guys, for the input on this. Yeah, all reasonable precautions have been taken to keep the device clean, and yes I used the firmware from here and did the wipe/flash/wipe.

It just amazes me how widespread these attacks are getting now. I have a port-lock on my number with the carrier, so i’ll cross my fingers and keep playin the drums!!

I had nearly the exact same thing happen to me recently, also with a warranty-replacement phone that appeared to be brand new. In my case, a Venmo code was received just prior to the Google Voice takeover. Then new PayPal, Microsoft, and many other accounts were opened using my phone number as a verification method. Although the Lookout security app didn’t detect anything, I concluded the phone itself was hacked after getting a new SIM card from AT&T did nothing to stop the SMS interceptions, and then getting a 2nd new SIM card from AT&T but putting it into my older Teracube (still running Android 10) immediately stopped the problem.

Based on my experience, I’m not totally satisfied with the responses from this thread, and believe that scenario A did not occur, and that it is more likely scenario B or C.

How confident is Teracube that the factory making its phones right now is not installing malware on them?
How confident is Teracube that the Teracube 2e with the latest Android v11 cannot be hacked when it connects to a public Wi-Fi (or spoofed Wi-Fi) at an international airport, or when a prepaid SIM card bought on Amazon is inserted and used in SIM slot 2, alongside a SIM card from a major American carrier such as AT&T?

Same situation has only gotten worse for me since that post. Every week, I am dealing with purely-SMS-based attacks. Last week, they gained access to my Facebook account (which I thankfully don’t actively use anymore), but did so through SMS verification. Accounts are being created with my phone number all over the place. Like, I could believe an isolated incident, but I just can’t sit here and believe that the carriers’ networks have been taken over by hackers and they are just letting it happen. I am desperately looking for a replacement for Teracube that I can believe in and count on. The mere fact that this same phone from 2020 is still advertised as for-sale on the website with Android 11 (with no security updates in two years), tells me this is the end of the road for the project.

Unless something is embedded in the individual components’ firmware, whatever is causing this has to be in the main OS image. Along with that initial post, I did the “wipe-flash-wipe” using Teracube’s official firmware, so I wouldn’t think anything could survive that, unless it’s embedded deeper in the device itself.

Again, there is just no way that the carriers networks are to blame on this… American companies are lazy, but come on. Something that widespread would be on the national news by now.

Two days ago, I had to say enough is enough! I’m done with Teracube. DONE. DONE. DONE!

Whatever this underlying malware problem is, they’re obviously aware of it yet they have not asked to inspect the device or ask any questions. “Must be the carrier.” Yeah right…give me a break…widespread hacking of a national carrier’s network over and over like that??? That leads me to conclude that Teracube has no clue or control whatsoever what is coming from the factories where they are having these things made, and they are just passing along the devices without good quality control. The engineers at Teracube should have access to all code running on the hardware, even on embedded portions.

There is NO EXCUSE whatsoever for this to be happening on shipped hardware. NO EXCUSE!

Hi @sgray500 - we have newer security updates available on our Android 13 build.

We have been asking for security patches for a while now, but it seems like Teracube doesn’t care for users to have a stable and secure device. They instead focus their efforts in releasing buggy alpha and beta versions of the newer Android versions.

This SMS hijacking situation should be addressed by them with the utmost highest priority, but instead they brush it off as being the fault of the network provider.

Why do we need to force upgrade to an unstable beta Android 13 build to get the latest security patches? It’s ridiculous. With each new Android release comes a long list of bugs, performance issues and features that no longer work. Not to mention that you need to be tech savvy in order to upgrade. There’s also the risk of losing your data with every upgrade.

I have completely lost all trust in Teracube

A stable certified (Android 13) update is live, here

Any update on this? Was the problem with malware being installed on the refurbished devices before being sent to customers?
I never heard about a vulnerability in Android, so while it’s great that Android 13 is available, that doesn’t help if you vendor in China is hacking the phones while refurbishing them.
Do you guys have your chain of custody under lockdown now?