Trend Micro analysts presented an interesting report at the Black Hat Asia conference: according to their information, millions of Android devices around the world have malware directly embedded in their firmware and are infected with it before they leave the factory where they were produced. Basically, we are talking about cheap Android mobile phones, but a similar situation is observed with smart watches, TVs, and so on.
Vulnerability in Android Devices Touches Millions
According to the researchers, the production of gadgets is mainly outsourced to OEMs, and such outsourcing allows various parties involved in the production process (for example, firmware suppliers) to infect products with malware at the production stage.
It is worth saying that this problem has been known for a long time. For example, back in 2017, Check Point experts warned that 38 different smartphone models from well-known brands, including Samsung, LG, Xiaomi, Asus, Nexus, Oppo, and Lenovo, contained malware right out of the box. Now, representatives of Trend Micro described what is happening as “a growing problem for ordinary users and enterprises.”
Fedor Yarochkin, a senior researcher at Trend Micro, and his colleague Zhenyu Dong, said that the introduction of malware at such an early stage began with the fact that prices for firmware for mobile devices fell. The competition between firmware distributors has become so serious that in the end they generally lost the opportunity to charge money for their product.
Yarochkin notes that, of course, nothing is free, and as a result, “silent” plug-ins began to appear in the firmware. Researchers say they have scoured dozens of firmware images for malware and found more than 80 such plugins, although many of them have not been widely adopted.
As a rule, the purpose of such malware is stealing information, as well as making money on the collected or transmitted information. In essence, the malware turns infected devices into proxy servers that are used to steal and sell SMS messages, hijack accounts on social networks and instant messengers, and monetize through ads and click fraud.
For example, the team discovered a Facebook cookie plugin that was used to collect activity information from the Facebook app. Another type of plugin, proxy plugins, allows criminals to rent out infected devices for up to 5 minutes. As a result, those who rent access to the device can intercept data about keystrokes, geographic location of the victim, IP address and much more.
The researchers calculated that millions of devices infected in this way are working around the world, but Southeast Asia and Eastern Europe are the leaders in infections. According to experts, the statistical analysis confirms approximately 8.9 million of infected devices.
Analysts are evasive about where such threats come from, although the word “China” was often heard during the report, including when it came to the development of suspicious firmware. Yarochkin says users should think about the relationship between the location of the world’s OEMs, incidence of infected firmware discovery, and draw its own conclusions.
Overall, the researchers say the malware was found on devices from at least 10 unnamed vendors and likely affected about 40 more. To avoid buying infected mobile phones out of the box, experts say users can opt for higher-end devices. In other words, malware is more likely to be found on cheaper devices in the Android ecosystem, and it’s best to stick with the big brands, although that’s no guarantee of security either.