Saturday, June 22, 2024

Millions of Android Phones Comes Pre-Infected with Malware Firmware

Researchers from Trend Micro at Black Hat Asia claim that criminals have pre-infected millions of Android devices with malicious firmware before the devices ever leave their manufacturing.

The manufacturing of the gadgets is outsourced to an original equipment manufacturer (OEM). According to the researchers, this outsourcing makes it possible for someone in the manufacturing process, like a firmware provider, to infect devices as they are shipped out with malicious code.

The team at Trend Micro termed the issue “a growing problem for regular users and enterprises.” Thus use it as a combined warning and reminder.

Viruses started to be introduced as the cost of mobile phone firmware decreased. Distributors of firmware finally found themselves in such fierce competition with one another that they could not demand payment for their goods.

The senior Trend Micro researcher Fyodor Yarochkin responded, “But of course, there’s no free stuff,” He explained that because of this competitive environment, the firmware has started to include undesired features like silent plugins. 

The team searched through several firmware images for malicious software. Over 80 plugins were discovered, though many were not extensively used.

Notably, the most significant plugins had a business model developed around them, were bought and sold illegally, and were openly promoted on websites like Facebook, blogs, and YouTube.

Malware’s Goal Is To Steal Information Or Use It To Gain Money

The malware’s goal is to steal information or to profit from the collection or delivery of information.

The infection turns the devices into proxies used to monetize through advertisements and click fraud, steal and sell SMS messages, hijack social media and online messaging accounts, and steal contacts.

Further, proxy plugins are one form of a plugin that lets the criminal rent out devices for up to five minutes at a time. For instance, people renting the device’s control could learn about keystrokes, location, IP address, and more.

“The user of the proxy will be able to use someone else’s phone for 1200 seconds as an exit node,” said Yarochkin.

Likewise, he said that the team discovered a Facebook cookie plugin employed to gather data from the Facebook app.

The researchers determined from telemetry data that there are at least millions of infected devices worldwide, primarily in Southeast Asia and Eastern Europe. The researchers claimed that the perpetrators themselves had self-reported a figure of 8.9 million.

Although the word “China” appeared numerous times in the presentation, including in an origin narrative tied to the creation of the dodgy firmware, the duo refused to address where the dangers were coming from. 

Yarochkin advised the audience to consider the locations of the majority of the world’s OEMs and draw their conclusions. 

He added that it is challenging to determine precisely how this infection gets into this mobile phone because we are unsure of when it entered the supply chain.

“Big brands like Samsung, like Google, took care of their supply chain security relatively well, but for threat actors, this is still a very lucrative market,” said Yarochkin.

Struggling to Apply The Security Patch in Your System? – 
Try All-in-One Patch Manager Plus


Latest articles

PrestaShop Website Under Injection Attack Via Facebook Module

A critical vulnerability has been discovered in the "Facebook" module (pkfacebook) from for...

Beware Of Illegal OTT Platforms That Exposes Sensitive Personal Information

A recent rise in data breaches from illegal Chinese OTT platforms exposes that user...

Beware Of Zergeca Botnet with Advanced Scanning & Persistence Features

A new botnet named Zergeca has emerged, showcasing advanced capabilities that set it apart...

Mailcow Mail Server Vulnerability Let Attackers Execute Remote Code

Two critical vulnerabilities (CVE-2024-31204 and CVE-2024-30270) affecting Mailcow versions before 2024-04 allow attackers to...

Hackers Attacking Vaults, Buckets, And Secrets To Steal Data

Hackers target vaults, buckets, and secrets to access some of the most classified and...

Hackers Weaponizing Windows Shortcut Files for Phishing

LNK files, a shortcut file type in Windows OS, provide easy access to programs,...

New Highly Evasive SquidLoader Attacking Employees Mimic As Word Document

Researchers discovered a new malware loader named SquidLoader targeting Chinese organizations, which arrives as...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles