Tuesday, February 11, 2025
HomeCyber Security NewsMillions of Android Phones Comes Pre-Infected with Malware Firmware

Millions of Android Phones Comes Pre-Infected with Malware Firmware

Published on

SIEM as a Service

Follow Us on Google News

Researchers from Trend Micro at Black Hat Asia claim that criminals have pre-infected millions of Android devices with malicious firmware before the devices ever leave their manufacturing.

The manufacturing of the gadgets is outsourced to an original equipment manufacturer (OEM). According to the researchers, this outsourcing makes it possible for someone in the manufacturing process, like a firmware provider, to infect devices as they are shipped out with malicious code.

The team at Trend Micro termed the issue “a growing problem for regular users and enterprises.” Thus use it as a combined warning and reminder.

Viruses started to be introduced as the cost of mobile phone firmware decreased. Distributors of firmware finally found themselves in such fierce competition with one another that they could not demand payment for their goods.

The senior Trend Micro researcher Fyodor Yarochkin responded, “But of course, there’s no free stuff,” He explained that because of this competitive environment, the firmware has started to include undesired features like silent plugins. 

The team searched through several firmware images for malicious software. Over 80 plugins were discovered, though many were not extensively used.

Notably, the most significant plugins had a business model developed around them, were bought and sold illegally, and were openly promoted on websites like Facebook, blogs, and YouTube.

Malware’s Goal Is To Steal Information Or Use It To Gain Money

The malware’s goal is to steal information or to profit from the collection or delivery of information.

The infection turns the devices into proxies used to monetize through advertisements and click fraud, steal and sell SMS messages, hijack social media and online messaging accounts, and steal contacts.

Further, proxy plugins are one form of a plugin that lets the criminal rent out devices for up to five minutes at a time. For instance, people renting the device’s control could learn about keystrokes, location, IP address, and more.

“The user of the proxy will be able to use someone else’s phone for 1200 seconds as an exit node,” said Yarochkin.

Likewise, he said that the team discovered a Facebook cookie plugin employed to gather data from the Facebook app.

The researchers determined from telemetry data that there are at least millions of infected devices worldwide, primarily in Southeast Asia and Eastern Europe. The researchers claimed that the perpetrators themselves had self-reported a figure of 8.9 million.

Although the word “China” appeared numerous times in the presentation, including in an origin narrative tied to the creation of the dodgy firmware, the duo refused to address where the dangers were coming from. 

Yarochkin advised the audience to consider the locations of the majority of the world’s OEMs and draw their conclusions. 

He added that it is challenging to determine precisely how this infection gets into this mobile phone because we are unsure of when it entered the supply chain.

“Big brands like Samsung, like Google, took care of their supply chain security relatively well, but for threat actors, this is still a very lucrative market,” said Yarochkin.

Struggling to Apply The Security Patch in Your System? – 
Try All-in-One Patch Manager Plus

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

SHA256 Hash Calculation from Data Chunks

The SHA256 algorithm, a cryptographic hash function, is widely used for securing data integrity...

New Report of of 1M+ Malware Samples Show Application Layer Abused for Stealthy C2

A recent analysis of over one million malware samples by Picus Security has revealed...

Seven-Year-Old Linux Kernel Bug Opens Door to Remote Code Execution

Researchers have uncovered a critical vulnerability in the Linux kernel, dating back seven years,...

Ransomware Payments Plunge 35% as More Victims Refuse to Pay

In a significant shift within the ransomware landscape, global ransom payments plummeted by 35%...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

SHA256 Hash Calculation from Data Chunks

The SHA256 algorithm, a cryptographic hash function, is widely used for securing data integrity...

New Report of of 1M+ Malware Samples Show Application Layer Abused for Stealthy C2

A recent analysis of over one million malware samples by Picus Security has revealed...

Seven-Year-Old Linux Kernel Bug Opens Door to Remote Code Execution

Researchers have uncovered a critical vulnerability in the Linux kernel, dating back seven years,...