FBI Pixel 4a honeypot detailed in new report
Last month, authorities revealed that the FBI and the Australian Federal Police had been secretly operating a “crypto device company” called “Anom.” The company sold 12,000 smartphones to criminal syndicates around the world. These were billed as secure devices, but were in fact honeypot devices that routed every message to an FBI-owned server. The initial disclosure was light on details, but now that the operation is public, Anom phones are being dumped on the secondhand market. That means ordinary people are finally getting a look at them, starting with this article from Vice detailing one of the devices.
The FBI has essentially militarized what the Android modding community has been doing for years. Some Android phones have unlockable bootloaders, which allow you to erase the original operating system and replace it with your own build, called a custom ROM. The Anom device that Vice obtained was a Google Pixel 4a, one of the more developer-friendly devices. The FBI’s custom ROM displays an “ArcaneOS” splash screen and replaces the normal Google Android distribution with an FBI-built skin of Android 10.
The FBI’s selling point to suspected criminals was that these were security-oriented devices (so please use them to document your illegal activities!). A “PIN scrambling” feature would shuffle the order of the lock-screen number pad so that no one could guess your code from the smudge marks left on the screen.
Two different interfaces would launch depending on which PIN you entered on the lock screen. The first PIN would show a set of popular but non-working apps, like Tinder, Instagram, Facebook, Netflix, and Candy Crush. Presumably, this was intended to fool third parties inspecting the phone.
A second PIN would open what was supposed to be the secure section of the phone, showing three apps: a clock, a calculator, and settings. From there, the “calculator” app actually opened a login screen for Anom, which targets were told was a secure, encrypted way to chat. It was essentially the smartphone equivalent of a fake book that slides a bookshelf aside to reveal a secret passage. It’s so secret, it must be secure!
Knowing that the FBI phones advertised themselves as “ArcaneOS” to users, Vice was able to find several other confused users on the internet who apparently ended up with second-hand FBI devices. Here is a message board post from XDA Developers user “mayday175” asking how to repair a recently purchased used Pixel 4a with a barely working version of “ArcaneOS” locked in place. Because no one had ever heard of this bizarre operating system, the user posted a treasure trove of screenshots in an attempt to get help. Mayday writes: “The installed operating system is ArcaneOS 10. The system updater says ArcaneOS 11 is available for download (but I don’t want to do that in case it makes this thing even harder to fix).” I wonder how capable the FBI is of delivering timely Android operating system updates?
Compromised FBI phones certainly show red flags that a tech-savvy user should be able to spot. When an Android phone starts, the first check it performs is Verified Boot, which ensures that the operating system is cryptographically signed by the device’s manufacturer and has not been tampered with. If a device fails Verified Boot, either because the bootloader is unlocked or because the bootloader was re-locked with non-stock software in place, a message is displayed on startup. In this case, the FBI devices display a message saying, “Your device is loading a different operating system,” with a yellow exclamation mark icon and a link to a Google support page at g.co/ABH. This message is very important.
As the support page says, if you did this yourself to install a custom ROM or root your device, that’s fine, but if you don’t know why this message appears on your device, that is a huge problem and you absolutely should not use the phone. I cannot stress enough the importance of this message. Verified Boot is “step one” for a secure phone, and this message indicates it has been compromised. While displaying this message, Android adds a 10-second delay to the boot process, and there is even a “Press the power button to pause” prompt on this screen, because you are supposed to cancel the startup sequence if you suddenly see this message.
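The boot-screen warning has a machine-readable counterpart: Android exposes the Verified Boot result in the `ro.boot.verifiedbootstate` property (green, yellow, orange or red per the Android Verified Boot documentation; the yellow exclamation mark in the article corresponds to the yellow state, a locked bootloader running an OS signed with a non-OEM key). The script below is an added example, not code from the article or from Vice; the `getprop` dump it parses is constructed to resemble the situation described, and the `adb` line in the comment assumes USB debugging can be enabled on the phone being checked.

```shell
#!/bin/sh
# Interpret Android Verified Boot state from a `getprop` dump.
# Values of ro.boot.verifiedbootstate (Android Verified Boot 2.0):
#   green  = OEM-signed OS, bootloader locked
#   yellow = OS signed with a user-installed key, bootloader locked
#   orange = bootloader unlocked, signatures not enforced
#   red    = verification failed

# Extract one property value from getprop output lines of the form "[key]: [value]".
# $1 = property name; the dump is read on stdin.
prop() {
    sed -n "s/^\[$1\]: \[\(.*\)\]$/\1/p"
}

# Read a getprop dump on stdin and print a one-line verdict.
vb_verdict() {
    dump=$(cat)
    state=$(printf '%s\n' "$dump" | prop ro.boot.verifiedbootstate)
    lock=$(printf '%s\n' "$dump" | prop ro.boot.vbmeta.device_state)
    build=$(printf '%s\n' "$dump" | prop ro.build.display.id)
    case "$state" in
        green)  echo "OK: stock OS signed by the device maker ($build)" ;;
        yellow) echo "WARNING: OS signed with a non-OEM key; bootloader $lock ($build)" ;;
        orange) echo "WARNING: bootloader unlocked; OS not verified ($build)" ;;
        red)    echo "FAIL: verified boot failed ($build)" ;;
        *)      echo "UNKNOWN: verifiedbootstate not reported" ;;
    esac
}

# Constructed sample dump (not captured from a real device): a re-locked
# bootloader running a re-signed OS, which is what the yellow warning means.
SAMPLE_DUMP='[ro.boot.verifiedbootstate]: [yellow]
[ro.boot.vbmeta.device_state]: [locked]
[ro.build.display.id]: [ArcaneOS 10]'

# On a real device with USB debugging enabled, feed the live dump instead:
#   adb shell getprop | vb_verdict
printf '%s\n' "$SAMPLE_DUMP" | vb_verdict
```

Anything other than green on a phone you did not modify yourself is the same signal as the boot-screen warning and should be treated the same way.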
Normally, the correct way to fix a compromised device like this is to download a clean, official Google system image, erase the unknown operating system, and install standard Google Android. Several users report that this does not work here. ArcaneOS does not let users reach the developer options needed to unlock the bootloader, so once the FBI unlocked the bootloader, flashed ArcaneOS, and re-locked the bootloader, you’re pretty much stuck with ArcaneOS. This is a malicious operating system.
The FBI heavily altered the core Android operating system, removing useful settings that might reveal the device’s true nature. System settings for apps, storage, and accounts have been removed. There is now no way to see a list of all installed system apps, where users might spot something suspicious like “FBI_Spyware.APK”. What is installed on the phone is a black box. The FBI also removed the “location” settings, possibly in an attempt to prevent users from turning off GPS tracking.
If you’re not interested in a group chat with the FBI and some targeted criminals, the phones don’t seem very useful. They don’t have the Play Store or any other Google apps, and other than the clock and the calculator app that leads to the compromised chat app, no other app appears to have worked.
I’m sure this won’t be the last time we hear about Anom and ArcaneOS. Now that the word is out, and with something like 12,000 devices in circulation, it’s probably only a matter of time before the Android modding community has a full dump of the FBI’s Android skin. Who wants to install it?