Interesting that you should mention this, since there was a recent publication looking at just this (thanks to Fernando Lanero for highlighting it). There’s a time limited link to the full paper on one of the author’s LinkedIn feeds:
This is a little off-the-topic of malware though (still relevant in the broader context of security, so I hope you’ll forgive me).
Numeric pins are brute-forced on GPU in a matter of minutes/hours.
So if you phone gets stolen/imaged, current state encryption on SFOS is useless.
And even worse, it gives people a false sense of security.
Unfortunately, no access here. Could you summarise or send me a copy?
You can’t.
Also SFOS only runs as a slave OS on top of the closed baseband.
RAM is shared with the basebaand. It has full access and full rights on your GSM device. Your SIM provider can install code without anyone taking notice. Since everything is integrated in the SoC nowerdays, it could log your WiFi, BT, RAM… Everything. And it does.
Do never use a GSM device for critical things. Not that we have alternatives though.
If this is true, the default encryption of Sailfish leaves a lot to be desired.
Under the term “malware”, I personally also understand apps that lead to an undesired data leak without informing the user. It is correct that an app is checked in the Google Store, but trackers are allowed. Almost every app these days sends to any server, regardless of whether it is paid software or not. There is no obligation to state that an app contains trackers from Google, Facebook, Amazon (only the largest listed), etc., or that frameworks from data analysts are integrated. A look at the manifest file of an APK shows what is also included. You might think that apps are only offered to collect data. You no longer need a particularly secure operating system if you give away your data to someone in this way.
At F-Droid, apps are also checked to see whether they comply with the rules (FOSS) and whether they are doing something undesirable. Apps that are FOSS but connect to other networks to offer a service are marked. So everyone can decide. There is at least a bit of transparency and the source code is available.
You can never be sure at all. I think F-Droid is the lesser evil and the better choice. Incidentally, I find the notes on encryption above from SFOS very interesting.
What you say about trackers in Play store apps is of course true. But if you access the Play store via Aurora, the apps are labeled if they contain trackers, ads, and if they need GSF.
Does anybody know if this is reliable?
Sure, but people ignore warnings when they really want a popular app 
Aurora uses parts from “ClassyShark3xodus” for the analysis, also downloadable from F-Droid.
Sometimes the standalone ClassyShark will find 1 or 2 more trackers than Aurora in one app. The version seems to be slightly different.
How it work:
ClassyShark analyzes the manifest file in the APK, compares the embedded foreign module list with a tracker list and shows the result. Hint: With the names and servers of the modules found, anyone can do their own research on the Internet and find out what exactly the module is doing.
New trackers are added or changed every day, so you can never really be sure that the result is always correct.
One method to verify what’s going on on a device is
rpm -Va
or
rpm -V <<packagename>>
which will use the RPM database to verify files on the system vs. what was contained in the original RPM package. It can be in certain cases used to detect tampering, but one must read the output wisely, as many files are okay to be different from the RPM checked version.
Q: Is there a way to permanently remove/uninstall all this Android stuff (Android support) from the SFOS phone? and btw. save memory space and maybe gain speed or reduce processor load? I do not use any Android apps and don’t need the Android support. It’s always switched off, and for safety or to prevent starting it by error I would be happy if it was away forever.
You can uninstall Android support (and of course you can choose to never install it in the first place):
# remove the package
devel-su pkcon remove aliendalvik
# disable the repo if you want
ssu dr aliendalvik
You can also do the first part from the Store application from “My Applications”
You can not uninstall “all Android stuff” because parts of SFOS basically function as a wrapper around a base Android install so there is always a core Android environment running…
@nephros: Now I did so and it worked fine. Now, on trying to start the Android support in the settings, the phone does nothing. (good so)
The first command did echo some system messages, the second command only taked a half of a second, then prompt appeared again.
Thanks very much!
So many questions arouse from above …
Why not using apps from the android app support which comes from the jolla store? (btw your link points to nothing, you might wanted to give this link
Do you have any references about the stripping of the core data? What makes you think, these machines wont work on SFOS phones?
Again I would appreciate a reference to it.
Do you have any working example of this being done?
Highly interesting. Any reference about it?
Well, why not using RAM obfuscation etc. to avoid this case?
How to know if the found differences are acceptable or not?
https://media.ccc.de/v/CC16_-109-__-sub_lounge-201605211815-your_baseband_is_watching_you-_dan
https://media.ccc.de/search/?q=baseband
3rd video
“(2020) According to Forbes, the hacker who carried out the theft actually stole information of 39 million users and has published information of 20 million users on a Dark Web forum.”
“(2016) Malware-found-in-3rd-party-app-stores. Aptoide has informed us that the malicious apps hosted on their store have been removed…”
Ok, but :
Apotoide said that the breach did not impact 97% of its users as they never signed up to use its services
Where do you download the Aurora store from? In F-Droid it is marked as incompatible, and is maintained by a single guy (not a team). The same mark incompatible also for
Aptoide has something to do with trust. They didn’t deserve this in the past. My opinion.
I don’t have Aurora, sorry. What kind of device do you have?
For me Aurora Store in F-Droid is marked as “unwanted characteristics” because it advertises proprietary services - surprise.
But I can install and use it anyway.
I’m definitely not an expert but I’d guess they have to be programmed to deal with each specific model. (Minimal) security by obscurity.
I looked but couldn’t find the article. I just remember it was about five years ago. Whatever the hole was, it has probably been patched.
Apologies for bumping an old topic. It took rather a while, but eventually I got around to summarising the paper for the community news, in case it’s still of interest to you.