Motorola indulges in small-time affiliate code chicanery


Prologue: Lenovo makes laptops. Sometime in late 2014, it started selling laptops with preinstalled Superfish, reverse-image-search software (useful?) which was financially supported by

  • injecting ads into web pages (bad!)
  • monitoring user activity to make those ads more targeted (worse!)
  • enabling the above by breaking SSL and HTTPS protection for every website the user visits (where did I put my torch and pitchfork?)
  • and the only thing standing between that excessive access and every other malefactor on the Net was a weaker password than I have on my DeviantArt account (what the actual fuck!??)

I hadn’t bought a Lenovo machine before that story broke in 2015, and I sure as fuck haven’t bought one since.

 

Motorola makes phones. They aren’t generally considered top tier, but they’re often good enough; I’ve owned a couple over the years.

I didn’t know Lenovo had bought Motorola…

 

Today: Motorola has a phone app called “Smart Feed,” which is some kind of app drawer sub-component serving up targeted ads and suggested clickbait articles. That’s already something I get enough of from Google…

Despite this already being monetized (it’s advertising) and despite Motorola having already sold you a phone, they just couldn’t help themselves. When a user clicked on the Amazon app in the app drawer, Smart Feed would redirect to a website which would open the app for you… with a new affiliate code attached, so someone would “earn” a percentage of whatever you spent. And if you wanted to use another affiliate code to support a content creator or something, tough shit.

This isn’t exactly what Honey got called out for, but it’s close enough.

 

A commenter on Hacker News speculated that this was done not by the corp but by a “rogue employee.”

Point in favor of the “rogue employee” theory: the shady-ass website is named after an unrelated fashion influencer, a move that sounds too… mischievous to be corporate-approved.

Points against: either the “when app icon is clicked, open some shady website in Chrome instead” function existed in Smart Feed already and no one’s ever seen it used until now, or the “rogue employee” would have had to add that function without any of his coworkers noticing. Also, as mentioned above, this isn’t Lenovo’s first rodeo.

It’d sure be handy if WHOIS still returned at least some user info. As is, all we can see is that the scummy website was registered through Cloudflare… on May 22, the same day as Smart Feed’s most recent update at time of writing. So the hypothetical “rogue employee” would have had to push an entire app update without his coworkers noticing… no, I don’t think so, either.

The story broke on the 25th. The stupid assholes torched what was left of their reputation for three days of affiliate-link revenue.

 

Motorola responded by calling the “issue” “unintended.”

…Motorola says this has been rectified. We’re no longer seeing this behavior on our Razr Fold, still running the same Smart Feed app version.

…so Motorola does control the shady website, then? Because how else could they have “rectified” anything without updating the app?

So much for the “rogue employee” theory. Unless more info comes out with more details of this “rogue employee” aspiring master cybercrook, this was absolutely authorized by corporate.

 

Epilogue: A few days later, someone started hyping that Motorola phones are getting GrapheneOS support! Hooray! (I wonder who could have wanted a new story to be the most recent news about Motorola…)

It isn’t happening yet; it’ll start with next year’s batch of phone models. And it didn’t happen just now; this tweet from the GrapheneOS team is from April 8:

We have an official partnership with Motorola. We’re working with them to improve their devices to meet our requirements. They’re working on fully porting GrapheneOS to their devices including supporting all of our hardware-based security features such as hardware memory tagging.

They’re doing the porting. Them. The same people who were just caught slipping shady shit into OS components a few days ago.

GrapheneOS responded to the news by clinging to the “rogue employee” theory like that’s still credible when Motorola just proved it controls the website. And the GrapheneOS team is so focused on market footprint that it’s still trusting both the untrustworthy corporation and its hypothetical “rogue employees” to port its allegedly privacy- and security-focused OS… oof.

 

Via Louis Rossmann. His commenters’ consensus seems to be “what was unintended was getting caught.”

The subcontractor that wrote Smart Feed has nuked its website. Wayback exists, though, for those interested.


1 comment

  1. Featured image by Gilles Lambert, from Unsplash.
