Millions of Mobile Phones Come Pre-Infected With Malware, Say Researchers (theregister.com) 45
Trend Micro researchers at Black Hat Asia are warning that millions of Android devices worldwide come pre-infected with malicious firmware before the devices leave their factories. "This hardware is mainly cheapo Android mobile devices, though smartwatches, TVs, and other things are caught up in it," reports The Register. From the report: This insertion of malware began as the price of mobile phone firmware dropped, we're told. Competition between firmware distributors became so furious that eventually the providers could not charge money for their product. "But of course there's no free stuff," said [Trend Micro researcher Fyodor Yarochkin], who explained that, as a result of this cut-throat situation, firmware started to come with an undesirable feature -- silent plugins. The team analyzed dozens of firmware images looking for malicious software. They found over 80 different plugins, although many of those were not widely distributed. The plugins that were the most impactful were those that had a business model built around them, were sold on the underground, and marketed in the open on places like Facebook, blogs, and YouTube.
The objective of the malware is to steal info or make money from information collected or delivered. The malware turns the devices into proxies which are used to steal and sell SMS messages, take over social media and online messaging accounts, and used as monetization opportunities via adverts and click fraud. One type of plugin, proxy plugins, allow the criminal to rent out devices for up to around five minutes at a time. For example, those renting the control of the device could acquire data on keystrokes, geographical location, IP address and more. "The user of the proxy will be able to use someone else's phone for a period of 1200 seconds as an exit node," said Yarochkin. He also said the team found a Facebook cookie plugin that was used to harvest activity from the Facebook app.
Through telemetry data, the researchers estimated that at least millions of infected devices exist globally, but are centralized in Southeast Asia and Eastern Europe. A statistic self-reported by the criminals themselves, said the researchers, was around 8.9 million. As for where the threats are coming from, the duo wouldn't say specifically, although the word "China" showed up multiple times in the presentation, including in an origin story related to the development of the dodgy firmware. Yarochkin said the audience should consider where most of the world's OEMs are located and make their own deductions.
The team confirmed the malware was found in the phones of at least 10 vendors, but that there was possibly around 40 more affected. For those seeking to avoid infected mobile phones, they could go some way of protecting themselves by going high end. That is to say, you'll find this sort of bad firmware in the cheaper end of the Android ecosystem, and sticking to bigger brands is a good idea though not necessarily a guarantee of safety. "Big brands like Samsung, like Google took care of their supply chain security relatively well, but for threat actors, this is still a very lucrative market," said Yarochkin.
The objective of the malware is to steal info or make money from information collected or delivered. The malware turns the devices into proxies which are used to steal and sell SMS messages, take over social media and online messaging accounts, and used as monetization opportunities via adverts and click fraud. One type of plugin, proxy plugins, allow the criminal to rent out devices for up to around five minutes at a time. For example, those renting the control of the device could acquire data on keystrokes, geographical location, IP address and more. "The user of the proxy will be able to use someone else's phone for a period of 1200 seconds as an exit node," said Yarochkin. He also said the team found a Facebook cookie plugin that was used to harvest activity from the Facebook app.
Through telemetry data, the researchers estimated that at least millions of infected devices exist globally, but are centralized in Southeast Asia and Eastern Europe. A statistic self-reported by the criminals themselves, said the researchers, was around 8.9 million. As for where the threats are coming from, the duo wouldn't say specifically, although the word "China" showed up multiple times in the presentation, including in an origin story related to the development of the dodgy firmware. Yarochkin said the audience should consider where most of the world's OEMs are located and make their own deductions.
The team confirmed the malware was found in the phones of at least 10 vendors, but that there was possibly around 40 more affected. For those seeking to avoid infected mobile phones, they could go some way of protecting themselves by going high end. That is to say, you'll find this sort of bad firmware in the cheaper end of the Android ecosystem, and sticking to bigger brands is a good idea though not necessarily a guarantee of safety. "Big brands like Samsung, like Google took care of their supply chain security relatively well, but for threat actors, this is still a very lucrative market," said Yarochkin.
So how 'bout naming names?! (Score:1)
Otherwise we have to assume all of them are bugged (buggered)
Re: So how 'bout naming names?! (Score:1)
Re: (Score:2)
Most likely the android devices you purchase locally are not the 'droids they are sear.. looking at.
Through telemetry data, the researchers estimated that at least millions of infected devices exist globally, but are centralized in Southeast Asia and Eastern Europe. A statistic self-reported by the criminals themselves, said the researchers, was around 8.9 million.
If you purchased your android device from a retail store or cell provider, you are probably not infected with these plugins.
Re: (Score:2)
Why bother? Any cheap smart phone comes with an associated cost.
But please don't assume that expensive phones are free of those costs and risks.
Re: So how 'bout naming names?! (Score:5, Funny)
Facebook app is one very common infestation.
Re: (Score:2, Insightful)
Android.
Re: (Score:2)
Without names I assume this is simply FUD and clickbait.
Re:So how 'bout naming names?! (Score:4, Informative)
It's the likes of Tecno, Cubot and Doogee these days. Naming is tricky, coz most of the time, those phones are not infected by the manufacturer, but resellers - both on aliexpress and especially brick and mortar shops in south east Asia.
A telltale sign is when the device is cheaper than from the manufacturer, or doesn't jump into Android setup, but comes up already preconfigured. Unlocked bootloader rootkits exist too, but are far less common. Trend Micro itself is invested in spreading FUD around this to sell their wares for years now, so don't expect anything but sales copy from them. Others did look into it in more detail though [imdea.org].
Re: (Score:1)
- ASUS
- Samsung
- Lenovo
- LG
- Google (yup, even Google)
There's a (small, incomplete, made in 30 seconds) list of brands that come with bloatware preinstalled.
I'd classify it both as spyware AND a vulnerability as those apps:
- Collect telemetry
- Are prone to vulnerability
So there you go. Any phone manufacturer that doesn't offer a stock android experience has essentially opened the floodgates, and you enabled them by purchasing it.
Agreed (Score:2, Funny)
Too many phones come with Android.
Re: Agreed (Score:2)
Ios is the alternative, but it's not better. It's another can of worms to handle.
Luckily Windows is out of the market and can only be seen on special devices.
Re: (Score:2)
Ios is the alternative, but it's not better. It's another can of worms to handle.
You're welcome to make an actual case in support of this statement instead of just a blanket statement with nothing to support it at all.
Re: (Score:2)
A while ago at work we had an iPhone that got stuck so bad that it couldn't be restarted.
Wait for the battery to run out was the option.
Re: (Score:2)
Saying that the expensive luxury phone is the only safe one reeks of extortion. The problem is not that Android is unsafe, the "problem" is that it's open source. OK, the second problem is that most hardware requires closed-source drivers and that means you can't just build hardware and load vanilla Android and expect it to work. Someone has to do the work. And third, most larger governments actually want all of the interfaces with the radio chip to be closed source because they're afraid people will so
My phone is a dumb phone. (Score:2)
System = beat.
Re: 300k+ Biden phones given to illegals (Score:1)
Re:300k+ Biden phones given to illegals (Score:4, Informative)
It says non-citizens, not illegals. They are not illegal if they presented themselves at the border to CBP and obtained approval to enter until a court date or whatever. It's not illegal to request entry/asylum, is it? Only if they were denied entry, or didn't present themselves to CBP then they are here not here legally.
Re: (Score:1)
Argument failure detected.
Re: (Score:3)
This was their plan all along.
To sneak into the USA and get a low end Android phone?
Re: (Score:1)
>"They are not illegal if they presented themselves at the border to CBP and obtained approval to enter until a court date or whatever."
That is true, for those who are let in. Many never show up for a court date and BECOME illegal. A huge number are not let in, but sneak in, and that is instantly illegal.
>"It's not illegal to request entry/asylum, is it?
The vast majority do not even remotely have a valid claim for what asylum was meant to be. Asylum is a fear of actual *persecution* from their gove
big brands backdoors (Score:1)
Re: (Score:3)
Are you pretty sure because you have evidence that you'd like to present, or are you pretty sure as a matter of faith?
Because if it's the latter, I've got a tinfoil hat that I'm pretty sure will protect you from that sort of thing, and I'd be happy to sell it to you for just $99.99.
Re: big brands backdoors (Score:3)
Everything has a backdoor these days, you just have to find it and unlock it.
Hell with locked bootloaders... (Score:5, Interesting)
This makes me wonder about regulation needed to stop locked bootloaders. It is bad enough that a locked bootloader + updates ending effectively makes an Android phone useless or easy prey, but coming pre-compromised?
It would be nice to just throw one's choice of OS or firmware. LineageOS, AOSP, maybe even a conventional Linux distribution with kernel modules for the SoC drivers and executables to handle the phone and such. Maybe Tizen, or other operating systems. If one wants commercial security, there is always QNX or INTEGRITY that can be used.
This not just will ensure phones are clean, but ensure that even when the device maker stops producing updates, the phone still can remain secure.
Re: (Score:2)
I am interested in the Librem 5, since it is a non-android Linux phone with a fully made in America option if you can spring for the cost....
But all the reviews I can find complain about things like the camera not working, really short battery life even if you keep it asleep all day, and other problems. I wish they would hurry up and get that sorted out, since it sounds like the phone simply isn't worth buying yet.
This info may be out of date too, since all the reviews I can find are from 2020. Hmmm.
Re: (Score:2)
Ideally there would be some way to install your own OS but still have apps that require security checks to work, assuming you didn't disable the secure features. Like banking apps and Google/Apple Pay. Even the UK lottery app needs it.
Re: (Score:1)
"Locked" really means, "secure bootloading" wherein at the point a device is powered on, the components loaded are all verified, via signatures, they are known, and therefore (presumably) "secure"..
Right up the UEFI [wikipedia.org] alley, right?
Does not address the same problem with Certificate Authorities (CAs) ( more of a hand-wave vs. an actual solution ): Individuals, or companies individual trust,
Re: (Score:2)
The irony is that it's most commonly cheap Chinese brands that get infected - they all come with unlocked bootloader by default. This is great for firmware tinkering, but for average joe, not so much. Such OEMs are perhaps tacitly complicit in the trojan ecosystem - nudge nudge wink wink we're selling phones that are easier to backdoor by resellers.
There are two types of people (Score:1)
The Second, who does not know they have been hacked.
(Do not remember the who said this)
Desktops/laptops come pre-loaded with malware too! (Score:3, Interesting)
Very few brand new desktops or laptops I've been told to use or purchased don't come with malware of some sort. Phones don't have a corner on this market. Sometimes I've been able to never boot into the malware and install Linux upon the first boot.
Re: (Score:2)
It's got slightly better since Microsoft started clamping down on it with Windows Vista. It's harder for apps to be shitty now as it generates big warning messages from Windows.
Maybe Google could do something with OS level stuff. Most of their security is aimed at normal apps running in the standard Android sandbox. This malware is root level stuff. Microsoft pretty much did away with the concept of root/admin accounts, so that except for the reserved system account the warning messages still appear.
That explains some things (Score:4, Interesting)
A few months ago, I ordered some books from Amazon. The package which arrived contained... two cheap smart watches. I contacted Amazon support, they said "keep them". Of course, I never opened the boxes. Considered giving them away to someone, but I don't have enough enemies.
Re: (Score:1)
if you do, my ig is Rabbirta
Re: (Score:2)
They are 20 bucks a piece on Amazon. I'm sure you can afford to buy one :)
Because they are locked down (Score:2)
It is ridiculous that I can't do anything against it. When I had an old PC, I could reflash the BIOS, reinstall the operating system, and that was the whole software stack.
now if there was only a way... (Score:1)
The name of the malware is... (Score:2)
Facebook.
They probably couldn't risk naming it without risking meta payback...