Well, here’s a new one for us. Security firm Check Point has discovered 38 36 Android devices from two specific companies infected with pre-installed malware. This pre-installed malware was not installed from the manufacturer but is suspected of being planted somewhere on down the supply chain.
UPDATED (03/13/2017 10:45a ET): Some clarification was made by Check Point
- Number of devices reduced from 38 to 36
- Nexus machines were removed
- Galaxy Note 8 was changed to Galaxy Note 8.0 tablet
ORIGINAL STORY
We’ve reported on Android malware in the past and often times the cause leads back to a user installing apps or downloading a file from a not so nice place. This particular pre-installed malware was pretty much undetectable by the user and was already onboard prior to them receiving their devices. Check Point concludes the malware was planted by someone through the supply chain before the devices were sold.
According to the findings, the malware were already present on the devices even before the users received them. The malicious apps were not part of the official ROM supplied by the vendor, and were added somewhere along the supply chain. Six of the malware instances were added by a malicious actor to the device’s ROM using system privileges, meaning they couldn’t be removed by the user and the device had to be re-flashed.
Below are two examples of the malware installation. The research team was able to determine when the manufacturer finished installing the system applications on the device, when the malware was installed, and when the user first received the device.
- A malicious adnet found in 6 mobile devices, APK com.google.googlesearch:
- Loki malware, APK com.androidhelper.sdk:
Most of the malware found to be pre-installed on the devices were info-stealers and rough ad networks, and one of them was Slocker, a mobile ransomware. Slocker uses the AES encryption algorithm to encrypt all files on the device and demand ransom in return for their decryption key. Slocker uses Tor for its C&C communications.
The most notable rough adnet which targeted the devices is the Loki Malware. This complex malware operates by using several different components; each has its own functionality and role in achieving the malware’s malicious goal. The malware displays illegitimate advertisements to generate revenue. As part of its operation, the malware steals data about the device and installs itself to system, allowing it to take full control of the device and achieve persistency.
While Check Point only found this on phones from two specific companies, this is an important find as it shows that users are becoming more aware of malware threats through downloading bad APK files or other files. Users becoming educated means malware distributors are trying to find new ways to get the information they’re after. Getting their people into the supply chain to pre-install malware before it even gets to the user is both ingenious and disturbing. Hopefully, Android manufacturers take note of this report and implement some security measures within the supply chain to circumvent these situations.
Some of the devices Check Point names are:
- Samsung Galaxy Note 2
- LG G4
- Samsung Galaxy S7
- Samsung Galaxy S4
- Samsung Galaxy Note 4
- Samsung Galaxy Note 5
- Samsung Galaxy Note 8.0 tablet
- Xiaomi Mi 4i
- Galaxy A5
- ZTE x500
- Samsung Galaxy Note 3
- Samsung Galaxy Note Edge
- Samsung Galaxy Tab S2
- Samsung Galaxy Tab 2
- Oppo N3
- Vivo X6 plus
- Asus Zenfone 2
- Lenovo S90
- Oppo R7 plus
- Xiaomi Redmi
- Lenovo A850
What do you think of this new method to infect users phones with malware? Let us know in the comments below or on Twitter, Facebook, and Google+.
[button link=”http://blog.checkpoint.com/2017/03/10/preinstalled-malware-targeting-mobile-users/” icon=”fa-external-link” side=”left” target=”blank” color=”285b5e” textcolor=”ffffff”]Source: Check Point[/button]
