Last month, authorities disclosed that the FBI and the Australian Federal Police had been secretly operating an "encrypted device company" called "Anom." The company sold around 12,000 smartphones to criminal syndicates around the world. They were pitched as secure devices but were actually honeypots that forwarded every message to an FBI server. The reveal was light on details, but now that it's public, Anom phones are being unloaded on the secondary market. That means the rest of us can finally take a look, starting with this Vice article detailing one of the devices.
The FBI basically weaponized what the Android modding community has been doing for years. Some Android phones have unlockable bootloaders, which let you erase the original OS and replace it with your own build, a custom ROM. The Anom device Vice got was a Google Pixel 4a, one of the most developer-friendly devices out there. The FBI's custom ROM shows an "ArcaneOS" boot screen, and it replaced the normal Google Android distribution with the FBI's own skin of Android 10.
The FBI's sales pitch to alleged criminals was that these were security-focused devices (so please use them to document your illegal activities!), and that involved a lot of fun security theater. A "PIN scrambling" feature would randomize the order of the lock screen numbers so that no one could guess your code from the finger smudges on the screen.
Two different interfaces would launch depending on which PIN you entered on the lock screen. The first PIN showed some popular but non-functional apps such as Tinder, Instagram, Facebook, Netflix and Candy Crush. Presumably this was meant to fool third parties who looked at your phone.
A second PIN would enter the secure area of the phone, containing three apps: a clock, calculator, and the settings. From here, the “calculator” app opened up a login screen for Anom, which the targets were told was a secure, encrypted way to chat. This was basically the smartphone equivalent of a fake book that activated a bookshelf to slide over it and reveal a secret passageway. It’s so secret, it must be safe!
With the new knowledge that the FBI phones presented themselves to users as “ArcaneOS,” Vice was able to find several other confused users on the Internet who apparently ended up with second-hand FBI devices. Here’s a forum post from XDA Developers user “mayday175” asking how they can fix their recently purchased, pre-owned Pixel 4a with a barely functional build of “ArcaneOS” in place. Since no one had ever heard of this bizarre operating system, the user posted a wealth of screenshots in an effort to get help. Mayday writes, “The OS installed is ArcaneOS 10. The system updater says ArcaneOS 11 is available for download (but I don’t want to do that in case it makes it even harder to fix).” I wonder how good the FBI is at providing timely Android OS updates?
The FBI's compromised phones do show some red flags that a tech-savvy user should be able to spot. When an Android phone boots, the first check performed is Verified Boot, which confirms that the operating system is cryptographically signed by the device manufacturer and has not been tampered with. If the device can't verify the OS, either because the bootloader is unlocked or because the bootloader was re-locked with software signed by someone other than the manufacturer, it displays a warning during boot. In this case, the FBI devices display a message saying, "Your device is loading a different operating system," complete with a yellow exclamation point and a link to a Google support page at g.co/ABH. The yellow warning is specifically the "locked bootloader, but custom signing key" state: the FBI re-locked the phones so they would look stock, but the key that signed ArcaneOS is not Google's. This message is very important.
As the support page says, if you did this yourself to install a custom ROM or root your device, it's not a problem, but if you don't know why this message appears on your device, that's a huge problem and you should not use the phone. I can't stress enough how important this message is. Verified Boot is "step one" for all phone security, and this message indicates that it has been compromised. While the message is showing, Android adds a 10-second delay to the boot process, and there's even a "Press the power button to pause" prompt on this screen, because the warning is meant to be a speed bump that gives you a chance to stop and turn back. Abort if you suddenly see this message.
Normally, the right way to fix a compromised device like this is to download a clean, official factory image from Google, wipe the unknown OS and install regular Google Android. Several users report that this doesn't work here. Flashing a factory image requires unlocking the bootloader, which in turn requires the "OEM unlocking" toggle in Developer options, and ArcaneOS doesn't expose it. So once the FBI unlocked the bootloader, flashed ArcaneOS and re-locked the bootloader, you're pretty much stuck with ArcaneOS. It's a nefarious operating system.
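The boot-screen warning is the first signal, but you can confirm the Verified Boot state from a shell after the phone boots. The script below is an added example, not from the article or from Vice's write-up: it parses `adb shell getprop` output and classifies the device using the `ro.boot.verifiedbootstate` (green/yellow/orange/red) and `ro.boot.vbmeta.device_state` (locked/unlocked) properties that Android Verified Boot exposes. The two property dumps embedded in it are constructed samples, one mimicking a stock Pixel and one mimicking a re-locked phone running a custom-signed ROM like ArcaneOS; the function names are mine.

```shell
#!/bin/sh
# Classify an Android device's Verified Boot state from a `getprop` dump.
# Added example; function names and the sample dumps below are constructed.
#
# On a real device:   adb shell getprop > props.txt ; verdict "$(cat props.txt)"
# From the bootloader: fastboot getvar unlocked   (prints "unlocked: yes" or "unlocked: no")
# Recovery path:      fastboot flashing unlock    (needs "OEM unlocking" in Developer options,
#                     which ArcaneOS hides), then ./flash-all.sh from Google's Pixel factory image.

# prop_value DUMP NAME: extract the value of "[NAME]: [value]" from a getprop dump.
prop_value() {
  printf '%s\n' "$1" | sed -n "s/^\[$2\]: \[\(.*\)\]$/\1/p"
}

# verdict DUMP: print "ok", "warn" or "unknown" for the dump's Verified Boot state.
#   green  + locked   -> ok      (stock OS signed by the OEM)
#   yellow            -> warn    (bootloader locked, but OS signed with a non-OEM key: the ArcaneOS case)
#   orange            -> warn    (bootloader unlocked, OS not verified)
#   red               -> warn    (verification failed / corrupted image)
verdict() {
  state=$(prop_value "$1" ro.boot.verifiedbootstate)
  locked=$(prop_value "$1" ro.boot.vbmeta.device_state)
  case "$state:$locked" in
    green:locked)            echo ok ;;
    yellow:*|orange:*|red:*) echo warn ;;
    *)                       echo unknown ;;
  esac
}

# explain DUMP: human-readable summary of the same properties.
explain() {
  state=$(prop_value "$1" ro.boot.verifiedbootstate)
  locked=$(prop_value "$1" ro.boot.vbmeta.device_state)
  printf 'verifiedbootstate=%s device_state=%s -> %s\n' \
    "${state:-missing}" "${locked:-missing}" "$(verdict "$1")"
}

# Constructed sample: what a stock, untouched Pixel would report.
STOCK_DUMP='[ro.boot.flash.locked]: [1]
[ro.boot.verifiedbootstate]: [green]
[ro.boot.vbmeta.device_state]: [locked]'

# Constructed sample: bootloader re-locked around an OS signed with a custom key.
# This is the state behind the yellow "Your device is loading a different operating system" screen.
RELOCKED_CUSTOM_DUMP='[ro.boot.flash.locked]: [1]
[ro.boot.verifiedbootstate]: [yellow]
[ro.boot.vbmeta.device_state]: [locked]'

explain "$STOCK_DUMP"            # -> ... -> ok
explain "$RELOCKED_CUSTOM_DUMP"  # -> ... -> warn
```

Note that the re-locked sample reports `device_state=locked` and `flash.locked=1`, so checking only whether the bootloader is locked would pass it as clean; it is the yellow `verifiedbootstate` that exposes the non-OEM signing key. The boot-time warning and the 10-second delay are the same check surfaced to someone who never opens a shell.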
The FBI changed quite a bit of the core Android operating system and removed useful Android settings that could reveal the true nature of the device. The system settings for apps, storage and accounts are gone. There is now no way to see a list of all installed system apps, where a user might spot something suspicious, such as "FBI_Spyware.apk." What is installed on the phone is a black box. The FBI also removed the "Location" settings, probably to keep users from turning off GPS tracking.
If you're not interested in a group chat with the FBI and some targeted criminals, the phones don't seem very useful. They don't have the Play Store or any other Google apps, and other than a clock and the calculator app that leads to the compromised chat app, it doesn't sound like any other apps work.
I’m sure this won’t be the last we hear about Anom and Arcane OS. Now that the word is out, and with some 12,000 devices out there, it’s probably only a matter of time before the Android modding community has a full dump of the FBI’s Android skin. Who wants to install it?
Listing image by Vice