Unplugged
Some months ago, I was watching Mental Outlaw’s video talking about the UP Phone. Overall it definitely sparked some interest in me as it seemed to be very similar to the infamous Freedom Phone and Anom phone honeypot made by the feds.
The only difference being that I actually had the opportunity to investigate it before it inevitably crumbled back into dust.
TL;DR
- Overpriced phone
- Proprietary software and App Suite
- Reselling FOSS apps under a monthly subscription ($13 a month)
- Removing all credit and software licenses from the stolen apps
- Hostile user base & technologically incompetent owners
- Previously hosting CSAM channels on their Matrix homeserver
Reconnaissance
As with all jobs, casing the joint is a pretty good place to start. For this one I decided to check out their website and examine their offerings. Here’s the rough overview:
- Their flagship “UP Phone”
- Their custom app suite & store
- Their Matrix Homeserver
- Last, and probably least, the website itself.
The phone itself is mostly mediocre and likely overpriced so I won’t go into too much detail about it, but here are the specifications that we know of so far.
It’s worth mentioning that this does not appear to be a rebranded phone from China like the Freedom Phone or other notorious scams. The phone is manufactured in the United States, which partially explains the ridiculous price for a phone of these specs.
Price: $949 (USD)
The Matrix Homeserver
They say a picture is worth a thousand words, I think this one is worth several.
And there were some unspeakable channels with a significant number of members which I would sooner kill myself than join.
UPDATE: After initially being uncooperative, they removed the offending channel ~48 hours after I contacted their hosting provider directly (and tipped off the relevant authorities).
The Website
Unplugged Systems love to flaunt their incredible commitment to security by showing off their audit from a $50 Billion+ security company who found no issues. This audit, however, only extended to one of their apps and their websites.
I, on the other hand, found several within a couple of hours of poking around. So either I’m the best hacker in the world, or something is amiss.
https://www.unplugged.com/documents/Unplugged_Security_Report_%20PT.pdf
If you were wondering what one of those security vulnerabilities was, they exposed the internal WordPress logs publicly, which reveals some semi-sensitive information such as the internal webserver path and SQL server IPs.
P.S. At the time of writing this endpoint/file is still exposed.
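For site owners checking their own logs for the two leak classes named above (server paths and database host addresses), here is an added example that is not part of the original post. It assumes the log follows the usual PHP error-log line style; the sample lines, paths and addresses are constructed.

```python
import ipaddress
import re

# Constructed sample in PHP error-log style; paths and addresses are made up.
SAMPLE_LOG = """\
[03-Jan-2024 10:15:32 UTC] PHP Warning:  Undefined variable $post in /srv/www/example/wp-content/themes/shop/functions.php on line 88
[03-Jan-2024 10:15:40 UTC] WordPress database error Lost connection to MySQL server at 10.20.0.15 for query SELECT option_value FROM wp_options
[03-Jan-2024 10:16:02 UTC] PHP Notice:  Trying to access array offset in /srv/www/example/wp-includes/plugin.php on line 12
[03-Jan-2024 10:16:09 UTC] PHP Warning:  mysqli_real_connect(): (HY000/2002): Connection timed out to 192.168.4.7 in /srv/www/example/wp-includes/class-wpdb.php on line 1987
"""

# Absolute paths to .php files, and dotted-quad candidates (validated later).
PATH_RE = re.compile(r"(?<![\w.])/(?:[\w.-]+/)+[\w.-]+\.php")
IP_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def web_root(paths):
    """Longest directory prefix shared by every leaked path, or None."""
    if not paths:
        return None
    dirs = [p.split("/")[:-1] for p in paths]
    common = []
    for level in zip(*dirs):
        if len(set(level)) != 1:
            break
        common.append(level[0])
    return "/".join(common) or "/"


def triage(log_text):
    """Collect the filesystem paths and host addresses a log would disclose."""
    paths, hosts = set(), set()
    for line in log_text.splitlines():
        paths.update(PATH_RE.findall(line))
        for token in IP_RE.findall(line):
            try:
                ip = ipaddress.ip_address(token)
            except ValueError:
                continue  # not a real address, e.g. 999.1.1.1
            hosts.add((str(ip), "internal" if ip.is_private else "public"))
    ordered = sorted(paths)
    return {"paths": ordered, "web_root": web_root(ordered), "hosts": sorted(hosts)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

Anything this reports is readable by whoever can fetch the log, so the fix is to keep the file outside the document root or deny requests for it at the web server; WordPress accepts a file path as the value of `WP_DEBUG_LOG` for that purpose.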
The App Suite
Now for the cream of the crop, their “custom” proprietary application suite. Because nothing says privacy like proprietary applications.
There is a set of apps we have access to, and the ones that are only available on the UP Phone itself.
Publicly available apps:
- UP Store
- UP Antivirus
- UP Messenger
- UP VPN
Exclusive to the UP Phone:
- UP Mail
- UP Privacy
- UP Sync
Up Store
This store is where they distribute the rest of their proprietary app suite. To bolster the app store’s popularity by making it seem more populated than it really is, they scrape and re-upload APKs from 3rd party sites, many of which are known to distribute malware or adware alongside their apps.
UP Store app list: https://gist.github.com/aemmitt-ns/ad3f1d3ff34c36c0206fe6216fd56e19
Notice the filenames in some of the app URLs?
Here is a non-comprehensive list of the sites they scrape APKs from:
Up Antivirus
Their Antivirus app is actually just a fork of the open source Divested-Mobile/Hypatia, albeit:
- Without crediting the original developers (required by the GPLv3 License)
- Without providing source code on request (required by the GPLv3 License)
- Without including the GPLv3 License with the app, or its non-existent source code.
- Including a charge of $13 a month to perform more than one scan per month
The creator of the original app, Hypatia, has said they have been aware of this for a bit over a year now but had taken no action, presumably due to lack of resources or energy needed to fight an off-shore company.
References to the original app contained within the UP Store code:
Commonalities between Hypatia’s source code and decompiled source code of UP Antivirus:
Commonalities between malware sample URLs
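One way to put a number on this kind of overlap is to compare string literals, which survive decompilation even when class and method names are renamed. The following is an added example, not code from the original post or from either app; both Java snippets are constructed stand-ins and the URL is a placeholder.

```python
import re

# Constructed stand-ins: an upstream source file and a decompiled, renamed copy.
UPSTREAM = '''
public class Scanner {
    static final String DB_URL = "https://db.example.org/signatures/";
    void scan(File f) {
        Log.d("Scanner", "Hashing file for signature lookup");
        notify("Scan finished: %d files, %d detections");
    }
}
'''
SUSPECT = '''
public class a {
    static final String b = "https://db.example.org/signatures/";
    void c(File d) {
        Log.d("a", "Hashing file for signature lookup");
        e("Scan finished: %d files, %d detections");
        f("Upgrade to premium to scan again");
    }
}
'''

# Double-quoted Java string literal, allowing backslash escapes inside.
STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')


def literals(source, min_len=12):
    """Distinct string literals long enough to be distinctive (drops log tags)."""
    return {s for s in STRING_RE.findall(source) if len(s) >= min_len}


def overlap(upstream, suspect):
    """Compare literal sets: shared strings, containment and Jaccard index."""
    up, su = literals(upstream), literals(suspect)
    shared = up & su
    union = up | su
    return {
        "shared": sorted(shared),
        "suspect_only": sorted(su - up),
        # Fraction of upstream literals that reappear in the suspect build.
        "containment": len(shared) / len(up) if up else 0.0,
        "jaccard": len(shared) / len(union) if union else 0.0,
    }


if __name__ == "__main__":
    print(overlap(UPSTREAM, SUSPECT))
```

High containment with a small `suspect_only` set is what a lightly modified fork looks like; the strings unique to the suspect build show what was added on top.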
Up Messenger
This is a fork of the popular Matrix client Element, albeit with similar quirks to the Antivirus mentioned above, including but not limited to the removal of all references to Element and its associated copyright notice.
I also noted that they lock some of Element’s features behind their subscription paywall.
Technically they could be allowed to have a custom themed Android app with permission from Element, although it would require them forking up a substantial amount of money.
Given their track record, I somehow doubt they bothered with that.
Up VPN
Their VPN is the least egregious of the bunch, not to say that it doesn’t have its fair share of issues though.
The core app is based off WireGuard, although judging from the rest of the source code they made a lot of changes compared to the prior apps. So I guess I’ll give them that. 🤷
As for the server they run it on, they boast a no logs policy! Wow, this is cool.
Oh, never mind. It’s just Linode, Linode and more Linode.
Now, I want you to keep the following things in mind.
- They have no security audit to support their claim of “No Logs”
- Linode could easily be sent a gag order along with requests to honeypot those super-duper-secure VPN servers from the funny three-letter agencies
- Linode’s own privacy policy supports the prior.
Not so sweet now huh? Please just use Mullvad instead :)
The Apps I couldn’t cover
Out of the apps I investigated previously, there are a few exceptions which you cannot acquire from the UP Store.
- UP Mail
- UP Privacy
- UP Sync
In order to investigate thoroughly I decided to hop into the main support chatroom to ask for a copy (APK Export) from someone who owned the phone firsthand. Unfortunately I was met with significant hostility, likely because I probably sounded like a fed. Oops, my bad.
I also had a brief conversation with the creators of Unplugged who ignored the accusations entirely and displayed their technological incompetence by stating I would need to travel to their HQ to do a white-room investigation of the source code, when I asked for a copy of the APKs installed on the UP phones.
Due to this I am unable to dig into those specific apps, but if you manage to stumble across a copy feel free to email it my way.
Supporting the original creators (of the FOSS apps)
If you feel bad about the developers who have had their hard work stolen and resold for a quick buck, you can shout them a beer/coffee using the following donation links.
Hypatia:
Element/Matrix:
Alternatives to the UP Phone + UP Suite
UP Phone → Google Pixel 8 Pro
- $949 → $800
- 8Gb RAM → 12Gb RAM
- 2.9k Geekbench score → 4.4k Geekbench score
LibertOS → GrapheneOS
UP Store → F-Droid, Aurora Store
UP Antivirus → Hypatia
- $13 Monthly → $0
UP Messenger → Signal, Element
- $13 Monthly (for all features) → $0 (for all features)
UP VPN → Mullvad
- $13 Monthly → $5 Monthly
UP Mail → FairEmail/K-9 Mail
UP Privacy → NextDNS
UP Sync → Syncthing
Final price:
Unplugged:
- $949 One off
- $13 Monthly
- Pedophiles in your homeserver
- Federal agents at your doorstep
FOSS Alternatives:
- $800 One off
- $5 Monthly
- Mild paranoia