Malware found on smartphones bought direct from Doogee
Chinese phone manufacturer Doogee has received a lot of positive press about its range of inexpensive smartphones with impressive specifications. Even we were taken in by the Doogee X5 Max Pro we reviewed a few weeks ago. But it appears that this newcomer has been using some shady tactics to bolster its revenue. Several people on the Doogee forums have reported that brand new phones are being shipped from the Doogee factory with malware installed. Doogee is not the first Chinese tech firm to be accused of having malware on its devices, but usually it is the more nefarious knock-off brands, producing clones of well-known gadgets, that are loaded with malware.
As far as we know, Doogee hasn't been a Chinese phone clone maker and had actually been pitched as a new upstart, like Huawei and ZTE were a few years ago. This new revelation about malware could seriously damage any future aspirations to be a serious player in the mobile phone world, as it is doubtful any phone network would offer Doogee phones if they are deemed to be riddled with malware.
It appears that the malware problem on Doogee phones doesn't manifest immediately, so the customer receives the phone and it performs well with no pop-ups or redirects. But after a few weeks of use, the malware kicks in.
Infected apps
The Doogee has several apps that appear to be infected with malware, some of which are system apps that cannot be disabled. So far the following have been identified as being malware-infected.
- Com.android.snap
- Browser
- Xender
- Myapps
- SystemUI
- com.android.Pet.mediaserver
- Parallelspace
- Google Chrome
These are the preloaded versions that come already installed on the Doogee phones. We aren't saying the same apps would be unsafe if downloaded from the Play Store.
List of malware involved domains and IPs
The following domains and IP addresses have been recorded as being connected to the malware.
Below are the IP addresses that the Doogee gets its over-the-air updates from.
- 118.193.254.13
- 118.193.187.36
- 118.193.187.35
It is probably worth blocking these, since these appear to be the servers the Doogee phones download their over-the-air updates from, and the malware is present in the updates.
We have had the Doogee X5 Max Pro that we reviewed here for about a month and can confirm these apps are there, and that they do periodically attempt to connect to these IP addresses and domains. We have contacted Doogee for a statement but have yet to receive a reply.
Solutions for Doogee phone owners
If you have bought a Doogee phone that is having problems with malware, then I would report the problem to whoever you bought it from to make them aware of the issue. You could also try contacting Doogee to see if it can be sorted under their warranty, as the phone we received certainly claimed to come with a 1 year warranty.
If you get no joy with that, there are some workarounds to stop the malware. Several users on the Doogee forums suggest installing the NoRoot Firewall from the Play Store and blocking the apps, IPs and domains listed in this article. This should stop the malware from connecting to the ad servers and downloading ads. You also need to download an alternative browser from the Play Store, such as Firefox.
If you use the NoRoot Firewall but still want to use Chrome as your browser, then you need to disable the version that came with the phone by going into Settings, then Apps, and then force-stopping and disabling Chrome. Then download Chrome Beta from the Play Store. The beta version of Chrome may be a little unstable at times, but you won't be bothered by the ads.
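As an added example (not from the article or the forum posts it cites), the following Python script shows how the blocking advice above can be audited against a firewall connection log: it flags allowed connections made by one of the preloaded apps named earlier, and allowed connections from any app to the over-the-air update servers listed above. The log format and the sample lines are constructed for this example; a real firewall's export will differ and the regular expression would need adjusting.

```python
import ipaddress
import re
# Preloaded apps the article names as malware-infected (lower-cased for matching).
INFECTED_APPS = {
    "com.android.snap", "browser", "xender", "myapps", "systemui",
    "com.android.pet.mediaserver", "parallelspace", "google chrome",
}
# Over-the-air update servers listed in the article.
OTA_SERVERS = {ipaddress.ip_address(a) for a in
               ("118.193.254.13", "118.193.187.36", "118.193.187.35")}
# Constructed log format: <timestamp> <app> -> <ip>:<port> <ALLOW|BLOCK>
LINE_RE = re.compile(r"^(\S+) (.+?) -> (\S+):(\d+) (ALLOW|BLOCK)$")

def parse_line(line):
    """Return (timestamp, app, ip, port, verdict), or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, app, ip, port, verdict = m.groups()
    try:
        return ts, app, ipaddress.ip_address(ip), int(port), verdict
    except ValueError:  # destination is not a valid IP address
        return None

def audit(lines):
    """Return (timestamp, app, ip, reason) for ALLOWed connections the article says to block."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, app, addr, _port, verdict = parsed
        if verdict != "ALLOW":
            continue  # the firewall already stopped it
        reasons = []
        if app.lower() in INFECTED_APPS:
            reasons.append("listed app still has network access")
        if addr in OTA_SERVERS:
            reasons.append("reaches OTA update server")
        if reasons:
            findings.append((ts, app, str(addr), "; ".join(reasons)))
    return findings

# Constructed sample log, not a capture from a real device.
SAMPLE_LOG = """\
2017-01-10T09:00:01 Xender -> 203.0.113.10:443 ALLOW
2017-01-10T09:00:05 Firefox -> 198.51.100.7:443 ALLOW
2017-01-10T09:01:12 SystemUI -> 118.193.254.13:80 ALLOW
2017-01-10T09:02:30 com.android.snap -> 203.0.113.22:80 BLOCK
""".splitlines()
```

Running `audit(SAMPLE_LOG)` flags the Xender connection and the SystemUI connection to the update server, while the already blocked com.android.snap entry and the Firefox traffic are left alone.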
If your phone is rooted, then you can remove these malware apps or install a root-based firewall. Instructions on how to root the Doogee X5 Max Pro are here.
For those with more technical ability, you could flash a new, malware-free firmware ROM onto your phone. There are several firmware images available for the Doogee X5 Max Pro over at the Needrom website. Some are based on the factory version with just the malware removed, while others are custom built, including some Android 7 (Nougat) based ROMs. This is more involved, though, and if you make a mistake you could end up making your phone unusable.
Hopefully Doogee will do the right thing and provide an update with no malware built in. But until then we have to advise against buying a Doogee phone unless you're willing to flash a custom ROM onto it or install extra apps to keep the malware at bay.