Your brand-new Android handset might ship with malware that was pre-installed at the factory where it was built, malware researchers at the Russian antivirus company Doctor Web have revealed.
The malware, detected as Android.DownLoader.473.origin and Android.Sprovider.7, has been found in the firmware of dozens of cheap Android handsets straight out of the box. These Trojans are designed to collect user data covertly, download apps without the user's consent and display ads on top of running apps.
While the majority of the infected devices sit in the low-end price bracket and come from companies few readers will have heard of, the presence of at least two handsets from Lenovo makes this a more disturbing story. So far, the firmware of the low-end Lenovo A319 and the mid-range Lenovo A6000 has been found to be compromised.
Another pattern that has emerged is that Android.DownLoader.473.origin has been found hidden in the firmware of Android devices built around MediaTek chipsets. The Trojan is launched every time the handset is turned on.
The Trojan then checks the state of the Wi-Fi module and establishes communication with its command and control (C&C) server to receive a configuration file with instructions. This file lists the application the Trojan should download. Once the download is complete, Android.DownLoader.473.origin installs it without the user noticing anything.
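The behaviour described above (a component living in the system partition that starts at boot, reaches the network and can install packages silently) is something an analyst can triage for with the package manager data Android already exposes. The script below is an added example written for this article, not code from Doctor Web or from the Trojan itself: it parses the output format of `adb shell dumpsys package <pkg>` and flags system packages that hold the INTERNET and INSTALL_PACKAGES permissions and register a BOOT_COMPLETED receiver. The package names, code paths and permission sets in the sample are constructed for illustration and do not correspond to the samples Doctor Web reported.

```python
"""Triage heuristic for factory-installed downloader Trojans on Android.

Added example, not code from the original article or from Doctor Web.
The sample input below imitates `adb shell dumpsys package <pkg>` output
but every package name and permission set in it is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Capabilities that together let a system app do what the article describes:
# start on boot, reach a C&C server, and install what it downloads silently.
# A legitimate OEM updater can hold the same set, so a hit is a lead, not a verdict.
BOOT = "android.permission.RECEIVE_BOOT_COMPLETED"
NET = "android.permission.INTERNET"
INSTALL = "android.permission.INSTALL_PACKAGES"
REQUIRED = {BOOT, NET, INSTALL}

PKG_RE = re.compile(r"^Package \[([\w.]+)\]")
FLAGS_RE = re.compile(r"^(?:pkg)?[Ff]lags=\[(.*)\]")
# Only lines that say granted=true count; bare "requested permissions" entries do not.
PERM_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+):\s*granted=(true|false)")


@dataclass
class PackageInfo:
    name: str
    code_path: str = ""
    flags: set[str] = field(default_factory=set)
    granted: set[str] = field(default_factory=set)
    boot_receiver: bool = False

    def is_system(self) -> bool:
        # Pre-installed firmware components carry the SYSTEM flag and live outside /data.
        return "SYSTEM" in self.flags or self.code_path.startswith(
            ("/system/", "/vendor/", "/product/", "/oem/")
        )

    def is_suspicious(self) -> bool:
        return self.is_system() and self.boot_receiver and REQUIRED <= self.granted


def parse_dumpsys(text: str) -> list[PackageInfo]:
    """Parse one or more concatenated `dumpsys package <pkg>` dumps."""
    packages: list[PackageInfo] = []
    current: PackageInfo | None = None
    for line in text.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = PackageInfo(name=m.group(1))
            packages.append(current)
            continue
        if current is None:
            continue
        stripped = line.strip()
        if stripped.startswith("codePath="):
            current.code_path = stripped.split("=", 1)[1]
        elif (fm := FLAGS_RE.match(stripped)):
            current.flags = set(fm.group(1).split())
        elif "android.intent.action.BOOT_COMPLETED" in stripped:
            # Per-package dumpsys output lists only that package's receivers.
            current.boot_receiver = True
        elif (pm := PERM_RE.match(line)) and pm.group(2) == "true":
            current.granted.add(pm.group(1))
    return packages


def suspicious_packages(text: str) -> list[str]:
    """Names of system packages matching the boot + network + silent-install pattern."""
    return [p.name for p in parse_dumpsys(text) if p.is_suspicious()]


# Constructed sample: one package matches the pattern, one is a benign system
# launcher without INSTALL_PACKAGES, one is a user app that requested but was
# not granted INSTALL_PACKAGES.
SAMPLE = """\
Package [com.example.ota] (1a2b3c):
  codePath=/system/priv-app/OtaService
  pkgFlags=[ SYSTEM HAS_CODE ]
  requested permissions:
    android.permission.INTERNET
    android.permission.RECEIVE_BOOT_COMPLETED
    android.permission.INSTALL_PACKAGES
  install permissions:
    android.permission.INTERNET: granted=true
    android.permission.RECEIVE_BOOT_COMPLETED: granted=true
    android.permission.INSTALL_PACKAGES: granted=true
Receiver Resolver Table:
  Non-Data Actions:
      android.intent.action.BOOT_COMPLETED:
        com.example.ota/.BootReceiver
Package [com.example.launcher] (4d5e6f):
  codePath=/system/app/Launcher
  pkgFlags=[ SYSTEM HAS_CODE ]
  install permissions:
    android.permission.INTERNET: granted=true
    android.permission.RECEIVE_BOOT_COMPLETED: granted=true
Receiver Resolver Table:
  Non-Data Actions:
      android.intent.action.BOOT_COMPLETED:
        com.example.launcher/.BootReceiver
Package [com.example.game] (7a8b9c):
  codePath=/data/app/com.example.game-1
  pkgFlags=[ HAS_CODE ]
  requested permissions:
    android.permission.INTERNET
    android.permission.INSTALL_PACKAGES
  install permissions:
    android.permission.INTERNET: granted=true
    android.permission.INSTALL_PACKAGES: granted=false
"""

if __name__ == "__main__":
    for name in suspicious_packages(SAMPLE):
        print("suspicious system package:", name)
```

On a real handset, feed the script the concatenated output of `adb shell dumpsys package <pkg>` for every package returned by `adb shell pm list packages -s`. Vendor update agents will match the same pattern, so treat a hit as a starting point: compare the APK's hash against a known-clean firmware image for that model before drawing conclusions.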
For cybercriminals, one way to earn money is by "increasing application download statistics and by distributing advertising software," researchers at Doctor Web explained. "Therefore, [both Trojans] were incorporated into Android firmware because dishonest outsourcers who took part in the creation of Android system images decided to make money on users," the report continues.
Among the handsets that have been found to be infected are: Lenovo A319, Lenovo A6000, MegaFon Login 4 LTE, Bravis NB85, Bravis NB105, Irbis TZ85, Irbis TX97, Irbis TZ43, Irbis tz56, Pixus Touch 7.85 3G, SUPRA M72KG, SUPRA M729G, SUPRA V2N10, Itell K3300, Digma Plane 9.7 3G, General Satellite GS700, Nomi C07000, Optima 10.1 3G TT1040MG, Marshal ME-711, 7 MID, Explay Imperium 8, Perfeo 9032_3G, Prestigio MultiPad Wize 3021 3G, Prestigio MultiPad PMT5001 3G, Ritmix RMD-1121, Oysters T72HM 3G, Irbis tz70, and Jeka JK103.
However, researchers believe there could be more handsets added to the list.
This also isn't the first time a Trojan has been found hidden in the firmware of cheap handsets. Just a few weeks earlier, the security research firm Kryptowire reported a backdoor in the firmware of several Android handsets that collected personally identifiable information and sent it to servers in China, and a separate report described a similar backdoor in firmware produced by the Chinese firm Ragentek Group; handsets from BLU were among those affected in both cases.
The China link is hard to miss: handsets from another Chinese firm, Xiaomi, have also been found to carry factory-loaded malware.