Millions of Mobile Phones Come Pre-Infected With Malware, Say Researchers (theregister.com)
Trend Micro researchers at Black Hat Asia are warning that millions of Android devices worldwide come pre-infected with malicious firmware before the devices leave their factories. "This hardware is mainly cheapo Android mobile devices, though smartwatches, TVs, and other things are caught up in it," reports The Register. From the report: This insertion of malware began as the price of mobile phone firmware dropped, we're told. Competition between firmware distributors became so furious that eventually the providers could not charge money for their product. "But of course there's no free stuff," said [Trend Micro researcher Fyodor Yarochkin], who explained that, as a result of this cut-throat situation, firmware started to come with an undesirable feature -- silent plugins. The team analyzed dozens of firmware images looking for malicious software. They found over 80 different plugins, although many of those were not widely distributed. The plugins that were the most impactful were those that had a business model built around them, were sold on the underground, and marketed in the open on places like Facebook, blogs, and YouTube.
The objective of the malware is to steal info or make money from information collected or delivered. The malware turns the devices into proxies which are used to steal and sell SMS messages, take over social media and online messaging accounts, and used as monetization opportunities via adverts and click fraud. One type of plugin, proxy plugins, allow the criminal to rent out devices for up to around five minutes at a time. For example, those renting the control of the device could acquire data on keystrokes, geographical location, IP address and more. "The user of the proxy will be able to use someone else's phone for a period of 1200 seconds as an exit node," said Yarochkin. He also said the team found a Facebook cookie plugin that was used to harvest activity from the Facebook app.
Through telemetry data, the researchers estimated that at least millions of infected devices exist globally, but are centralized in Southeast Asia and Eastern Europe. A statistic self-reported by the criminals themselves, said the researchers, was around 8.9 million. As for where the threats are coming from, the duo wouldn't say specifically, although the word "China" showed up multiple times in the presentation, including in an origin story related to the development of the dodgy firmware. Yarochkin said the audience should consider where most of the world's OEMs are located and make their own deductions.
The team confirmed the malware was found in the phones of at least 10 vendors, but that there was possibly around 40 more affected. For those seeking to avoid infected mobile phones, they could go some way of protecting themselves by going high end. That is to say, you'll find this sort of bad firmware in the cheaper end of the Android ecosystem, and sticking to bigger brands is a good idea though not necessarily a guarantee of safety. "Big brands like Samsung, like Google took care of their supply chain security relatively well, but for threat actors, this is still a very lucrative market," said Yarochkin.
So how 'bout naming names?! (Score:1)
Otherwise we have to assume all of them are bugged (buggered)
Re: So how 'bout naming names?! (Score:1)
Re: So how 'bout naming names?! (Score:-1)
About names:
Well here is a name where all mobile phones they sell through their affiliates (they don't really own anything) or recommend come pre-infected with malware related to long tail revenue stream scams:
The Creamiest Technologies and Associates company!
I can't figure out why the Feds haven't busted them yet. Maybe because the Feds use a priority system and they are considered low priority because even with all their fraudulent and scamming efforts, they only reported a turn over 33 cents last month.
Re: So how 'bout naming names?! (Score:2)
Most likely the android devices you purchase locally are not the 'droids they are sear.. looking at.
Through telemetry data, the researchers estimated that at least millions of infected devices exist globally, but are centralized in Southeast Asia and Eastern Europe. A statistic self-reported by the criminals themselves, said the researchers, was around 8.9 million.
If you purchased your android device from a retail store or cell provider, you are probably not infected with these plugins.
Re: So how 'bout naming names?! (Score:2)
Why bother? Any cheap smart phone comes with an associated cost.
But please don't assume that expensive phones are free of those costs and risks.
Re: So how 'bout naming names?! (Score:5, Funny)
Facebook app is one very common infestation.
Re:So how 'bout naming names?! (Score:2, Insightful)
Android.
Re:So how 'bout naming names?! (Score:2)
Without names I assume this is simply FUD and clickbait.
Re:So how 'bout naming names?! (Score:0)
Yes, this is the way I see it also. Without full transparency, it probably is FUD.
"the duo wouldn't say specifically" should trigger everybody's bullshit detector
Re:So how 'bout naming names?! (Score:4, Informative)
It's the likes of Tecno, Cubot and Doogee these days. Naming is tricky, coz most of the time, those phones are not infected by the manufacturer, but by resellers - both on AliExpress and especially brick and mortar shops in Southeast Asia.
A telltale sign is when the device is cheaper than from the manufacturer, or doesn't jump into Android setup, but comes up already preconfigured. Unlocked bootloader rootkits exist too, but are far less common. Trend Micro itself is invested in spreading FUD around this to sell their wares for years now, so don't expect anything but sales copy from them. Others did look into it in more detail though [imdea.org].
Re:So how 'bout naming names?! (Score:1)
- ASUS
- Samsung
- Lenovo
- LG
- Google (yup, even Google)
There's a (small, incomplete, made in 30 seconds) list of brands that come with bloatware preinstalled.
I'd classify it both as spyware AND a vulnerability as those apps:
- Collect telemetry
- Are prone to vulnerability
So there you go. Any phone manufacturer that doesn't offer a stock android experience has essentially opened the floodgates, and you enabled them by purchasing it.
Agreed (Score:2, Funny)
Too many phones come with Android.
Re: Agreed (Score:2)
iOS is the alternative, but it's not better. It's another can of worms to handle.
Luckily Windows is out of the market and can only be seen on special devices.
Re: Agreed (Score:2)
iOS is the alternative, but it's not better. It's another can of worms to handle.
You're welcome to make an actual case in support of this statement instead of just a blanket statement with nothing to support it at all.
Re: Agreed (Score:2)
A while ago at work we had an iPhone that got stuck so bad that it couldn't be restarted.
Waiting for the battery to run out was the option.
Re: Agreed (Score:2)
Saying that the expensive luxury phone is the only safe one reeks of extortion. The problem is not that Android is unsafe, the "problem" is that it's open source. OK, the second problem is that most hardware requires closed-source drivers and that means you can't just build hardware and load vanilla Android and expect it to work. Someone has to do the work. And third, most larger governments actually want all of the interfaces with the radio chip to be closed source because they're afraid people will somehow do bad things with RF transmission.
My phone is a dumb phone. (Score:2)
System = beat.
300k+ Biden phones given to illegals (Score:-1)
https://abcnews4.com/news/nati... [abcnews4.com]
Re:300k+ Biden phones given to illegals (Score:0, Interesting)
Let's see you pay for white people to install your new roof. I don't think so.
Re: 300k+ Biden phones given to illegals (Score:1)
Re:300k+ Biden phones given to illegals (Score:4, Informative)
It says non-citizens, not illegals. They are not illegal if they presented themselves at the border to CBP and obtained approval to enter until a court date or whatever. It's not illegal to request entry/asylum, is it? Only if they were denied entry, or didn't present themselves to CBP, then they are not here legally.
Re:300k+ Biden phones given to illegals (Score:0, Troll)
When they fail to show up for their court case they become illegal. A high percentage fail to show up.
This was their plan all along.
Re:300k+ Biden phones given to illegals (Score:1)
Argument failure detected.
Re:300k+ Biden phones given to illegals (Score:3)
This was their plan all along.
To sneak into the USA and get a low end Android phone?
Re:300k+ Biden phones given to illegals (Score:1)
>"They are not illegal if they presented themselves at the border to CBP and obtained approval to enter until a court date or whatever."
That is true, for those who are let in. Many never show up for a court date and BECOME illegal. A huge number are not let in, but sneak in, and that is instantly illegal.
>"It's not illegal to request entry/asylum, is it?
The vast majority do not even remotely have a valid claim for what asylum was meant to be. Asylum is a fear of actual *persecution* from their government. Not poor living conditions or being poor. Not just facing general crime or lack of resources or opportunities. Can't blame people for trying, however. Especially since we keep continuously watering-down what "asylum" means.
The system is broken that we are letting people in, and trying to give court hearings for everyone, without even reasonable screening of the claims BEFORE entry. We simply do not have the resources to do what we have been doing. The current system of allowing many *millions* of people to come in and then some year (average now is FIVE) we might get around to hearing their almost certainly very weak or invalid asylum claims, and "here is a 'free' low-end Android phone", then never really following up, added to the millions who cross illegally, has been and is utterly unsustainable.
Simple Solution! (Score:0)
big brands backdoors (Score:1)
Re:big brands backdoors (Score:3)
Are you pretty sure because you have evidence that you'd like to present, or are you pretty sure as a matter of faith?
Because if it's the latter, I've got a tinfoil hat that I'm pretty sure will protect you from that sort of thing, and I'd be happy to sell it to you for just $99.99.
Re: big brands backdoors (Score:3)
Everything has a backdoor these days, you just have to find it and unlock it.
Have they counted them? (Score:0)
Who knows, maybe this is another dieselgate: Only show up when someone comes a-pokin'.
At any rate, it's the usual "cyber security" fare: Lots of panic and vagueness. Coloured hats, too.
At the same time, it doesn't surprise.
Small vendors going a step further than the large ones? They always try. They have to offer something the big ones don't. Even if it is a step further in selling out the end-user. This isn't merely a "cyber security" issue, a field so far mostly unsolved and the various "cyber security" peddlers haven't really helped improve over the last few decades either, with their panicking and fearmongering. It's also that vendors have made it a habit of selling out the end-user, whether he's the customer or not. So going by the "best current industry practices", this is okay, really.
It's an industry-wide problem. Not just of "at least ten fly-by-night vendors". All of them.
Shit, Microsoft makes a habit of this shit. Facebook does. Apple does. Google does. Samsung does. Why them and nobody else? Why not these small Android vendors? What have you against competition, hm?
Hell with locked bootloaders... (Score:5, Interesting)
This makes me wonder about regulation needed to stop locked bootloaders. It is bad enough that a locked bootloader + updates ending effectively makes an Android phone useless or easy prey, but coming pre-compromised?
It would be nice to just throw one's choice of OS or firmware. LineageOS, AOSP, maybe even a conventional Linux distribution with kernel modules for the SoC drivers and executables to handle the phone and such. Maybe Tizen, or other operating systems. If one wants commercial security, there is always QNX or INTEGRITY that can be used.
This not just will ensure phones are clean, but ensure that even when the device maker stops producing updates, the phone still can remain secure.
Re:Hell with locked bootloaders... (Score:2)
I am interested in the Librem 5, since it is a non-android Linux phone with a fully made in America option if you can spring for the cost....
But all the reviews I can find complain about things like the camera not working, really short battery life even if you keep it asleep all day, and other problems. I wish they would hurry up and get that sorted out, since it sounds like the phone simply isn't worth buying yet.
This info may be out of date too, since all the reviews I can find are from 2020. Hmmm.
Re:Hell with locked bootloaders... (Score:2)
Ideally there would be some way to install your own OS but still have apps that require security checks to work, assuming you didn't disable the secure features. Like banking apps and Google/Apple Pay. Even the UK lottery app needs it.
Re:Hell with locked bootloaders... (Score:1)
"Locked" really means "secure bootloading", wherein at the point a device is powered on, the components loaded are all verified, via signatures, to be known, and therefore (presumably) "secure".
Right up the UEFI [wikipedia.org] alley, right?
Does not address the same problem as with Certificate Authorities (CAs) (more of a hand-wave vs. an actual solution): individuals, or companies individuals trust, issue self-signed certificates that act as the trust anchor. If I choose to "trust" a malicious CA, I've just opened the door. Same problem with making a bootloader choosable.
Re:Hell with locked bootloaders... (Score:2)
The irony is that it's most commonly cheap Chinese brands that get infected - they all come with unlocked bootloader by default. This is great for firmware tinkering, but for average joe, not so much. Such OEMs are perhaps tacitly complicit in the trojan ecosystem - nudge nudge wink wink we're selling phones that are easier to backdoor by resellers.
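A defender-side check that follows from the unlocked-bootloader point in this thread, added here as an example (not code from the post, from Trend Micro, or from any Android project): it parses `adb shell getprop` output and flags the real Android boot-integrity properties (`ro.boot.verifiedbootstate`, `ro.boot.flash.locked`, `ro.boot.vbmeta.device_state`, `ro.boot.veritymode`, `ro.build.tags`, `ro.debuggable`, `ro.secure`) that indicate a device whose firmware was never verified against the OEM key. The sample getprop output is constructed; the function names are this example's own.

```python
import re
import subprocess

# Each `getprop` line looks like "[ro.boot.verifiedbootstate]: [green]".
GETPROP_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$")

# Constructed sample resembling a cheap handset shipped with an unlocked
# bootloader and a test-keys build (values are made up for this example).
SAMPLE_GETPROP = """\
[ro.boot.flash.locked]: [0]
[ro.boot.vbmeta.device_state]: [unlocked]
[ro.boot.verifiedbootstate]: [orange]
[ro.boot.veritymode]: [enforcing]
[ro.build.tags]: [test-keys]
[ro.debuggable]: [0]
[ro.secure]: [1]
"""


def parse_getprop(output: str) -> dict:
    """Turn `adb shell getprop` text into a {property: value} dict."""
    props = {}
    for line in output.splitlines():
        m = GETPROP_LINE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("val")
    return props


def assess_boot_state(props: dict) -> list:
    """Return findings suggesting the boot chain is not anchored in the OEM key."""
    findings = []
    # green = locked, OEM key; yellow = locked, user-installed key;
    # orange = unlocked, nothing verified; red = verification failed.
    vbs = props.get("ro.boot.verifiedbootstate", "unknown")
    if vbs != "green":
        findings.append(f"verified boot state is '{vbs}', not 'green'")
    if (props.get("ro.boot.flash.locked") == "0"
            or props.get("ro.boot.vbmeta.device_state") == "unlocked"):
        findings.append("bootloader is unlocked")
    if props.get("ro.boot.veritymode", "enforcing") != "enforcing":
        findings.append("dm-verity is not enforcing on system partitions")
    if "test-keys" in props.get("ro.build.tags", ""):
        findings.append("build is signed with test-keys, not release-keys")
    if props.get("ro.debuggable") == "1" or props.get("ro.secure") == "0":
        findings.append("debuggable/insecure build (adb root obtainable)")
    return findings


def check_connected_device() -> list:
    """Query the USB-attached device (requires adb and USB debugging)."""
    out = subprocess.run(["adb", "shell", "getprop"], capture_output=True,
                         text=True, check=True).stdout
    return assess_boot_state(parse_getprop(out))


if __name__ == "__main__":
    for finding in assess_boot_state(parse_getprop(SAMPLE_GETPROP)):
        print("finding:", finding)
```

A device that reports `orange` or `test-keys` here is not necessarily infected, but none of its firmware has been verified against the OEM's key, which is exactly the gap a reseller-side firmware swap relies on.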
There are two types of people (Score:1)
The Second, who does not know they have been hacked.
(Do not remember who said this)
Desktops/laptops come pre-loaded with malware too! (Score:3, Interesting)
Very few brand new desktops or laptops I've been told to use or purchased don't come with malware of some sort. Phones don't have a corner on this market. Sometimes I've been able to never boot into the malware and install Linux upon the first boot.
Re:Desktops/laptops come pre-loaded with malware t (Score:2)
It's got slightly better since Microsoft started clamping down on it with Windows Vista. It's harder for apps to be shitty now as it generates big warning messages from Windows.
Maybe Google could do something with OS level stuff. Most of their security is aimed at normal apps running in the standard Android sandbox. This malware is root level stuff. Microsoft pretty much did away with the concept of root/admin accounts, so that except for the reserved system account the warning messages still appear.
That explains some things (Score:4, Interesting)
A few months ago, I ordered some books from Amazon. The package which arrived contained... two cheap smart watches. I contacted Amazon support, they said "keep them". Of course, I never opened the boxes. Considered giving them away to someone, but I don't have enough enemies.
Re:That explains some things (Score:1)
if you do, my ig is Rabbirta
Re:That explains some things (Score:2)
They are 20 bucks a piece on Amazon. I'm sure you can afford to buy one :)
Buy an iPhone (Score:-1)
And you'll be good.
Because they are locked down (Score:2)
It is ridiculous that I can't do anything against it. When I had an old PC, I could reflash the BIOS, reinstall the operating system, and that was the whole software stack.
now if there was only a way... (Score:1)
The name of the malware is... (Score:2)
Facebook.
They probably couldn't risk naming it without risking meta payback...