Researchers from Trend Micro at Black Hat Asia claim that criminals have pre-infected millions of Android devices with malicious firmware before the devices ever leave their manufacturing.

The manufacturing of the gadgets is outsourced to an original equipment manufacturer (OEM). According to the researchers, this outsourcing makes it possible for someone in the manufacturing process, like a firmware provider, to infect devices as they are shipped out with malicious code.

The team at Trend Micro termed the issue “a growing problem for regular users and enterprises.” Thus use it as a combined warning and reminder.

Viruses started to be introduced as the cost of mobile phone firmware decreased. Distributors of firmware finally found themselves in such fierce competition with one another that they could not demand payment for their goods.

The senior Trend Micro researcher Fyodor Yarochkin responded, “But of course, there’s no free stuff,” He explained that because of this competitive environment, the firmware has started to include undesired features like silent plugins. 

The team searched through several firmware images for malicious software. Over 80 plugins were discovered, though many were not extensively used.

Notably, the most significant plugins had a business model developed around them, were bought and sold illegally, and were openly promoted on websites like Facebook, blogs, and YouTube.

Malware’s Goal Is To Steal Information Or Use It To Gain Money

The malware’s goal is to steal information or to profit from the collection or delivery of information.

The infection turns the devices into proxies used to monetize through advertisements and click fraud, steal and sell SMS messages, hijack social media and online messaging accounts, and steal contacts.

Further, proxy plugins are one form of a plugin that lets the criminal rent out devices for up to five minutes at a time. For instance, people renting the device’s control could learn about keystrokes, location, IP address, and more.

“The user of the proxy will be able to use someone else’s phone for 1200 seconds as an exit node,” said Yarochkin.

Likewise, he said that the team discovered a Facebook cookie plugin employed to gather data from the Facebook app.

The researchers determined from telemetry data that there are at least millions of infected devices worldwide, primarily in Southeast Asia and Eastern Europe. The researchers claimed that the perpetrators themselves had self-reported a figure of 8.9 million.

Although the word “China” appeared numerous times in the presentation, including in an origin narrative tied to the creation of the dodgy firmware, the duo refused to address where the dangers were coming from. 

Yarochkin advised the audience to consider the locations of the majority of the world’s OEMs and draw their conclusions. 

He added that it is challenging to determine precisely how this infection gets into this mobile phone because we are unsure of when it entered the supply chain.

“Big brands like Samsung, like Google, took care of their supply chain security relatively well, but for threat actors, this is still a very lucrative market,” said Yarochkin.

Struggling to Apply The Security Patch in Your System? – 
Try All-in-One Patch Manager Plus