Wednesday, December 6, 2023

Millions of Android Phones Comes Pre-Infected with Malware Firmware

Researchers from Trend Micro at Black Hat Asia claim that criminals have pre-infected millions of Android devices with malicious firmware before the devices ever leave their manufacturing.

The manufacturing of the gadgets is outsourced to an original equipment manufacturer (OEM). According to the researchers, this outsourcing makes it possible for someone in the manufacturing process, like a firmware provider, to infect devices as they are shipped out with malicious code.

The team at Trend Micro termed the issue “a growing problem for regular users and enterprises.” Thus use it as a combined warning and reminder.

Viruses started to be introduced as the cost of mobile phone firmware decreased. Distributors of firmware finally found themselves in such fierce competition with one another that they could not demand payment for their goods.

The senior Trend Micro researcher Fyodor Yarochkin responded, “But of course, there’s no free stuff,” He explained that because of this competitive environment, the firmware has started to include undesired features like silent plugins. 

The team searched through several firmware images for malicious software. Over 80 plugins were discovered, though many were not extensively used.

Notably, the most significant plugins had a business model developed around them, were bought and sold illegally, and were openly promoted on websites like Facebook, blogs, and YouTube.

Malware’s Goal Is To Steal Information Or Use It To Gain Money

The malware’s goal is to steal information or to profit from the collection or delivery of information.

The infection turns the devices into proxies used to monetize through advertisements and click fraud, steal and sell SMS messages, hijack social media and online messaging accounts, and steal contacts.

Further, proxy plugins are one form of a plugin that lets the criminal rent out devices for up to five minutes at a time. For instance, people renting the device’s control could learn about keystrokes, location, IP address, and more.

“The user of the proxy will be able to use someone else’s phone for 1200 seconds as an exit node,” said Yarochkin.

Likewise, he said that the team discovered a Facebook cookie plugin employed to gather data from the Facebook app.

The researchers determined from telemetry data that there are at least millions of infected devices worldwide, primarily in Southeast Asia and Eastern Europe. The researchers claimed that the perpetrators themselves had self-reported a figure of 8.9 million.

Although the word “China” appeared numerous times in the presentation, including in an origin narrative tied to the creation of the dodgy firmware, the duo refused to address where the dangers were coming from. 

Yarochkin advised the audience to consider the locations of the majority of the world’s OEMs and draw their conclusions. 

He added that it is challenging to determine precisely how this infection gets into this mobile phone because we are unsure of when it entered the supply chain.

“Big brands like Samsung, like Google, took care of their supply chain security relatively well, but for threat actors, this is still a very lucrative market,” said Yarochkin.

Struggling to Apply The Security Patch in Your System? – 
Try All-in-One Patch Manager Plus


Latest articles

BlueNoroff: New Malware Attacking MacOS Users

Researchers have uncovered a new Trojan-attacking macOS user that is associated with the BlueNoroff APT...

Serpent Stealer Acquires Browser Passwords and Erases Intrusion Logs

Beneath the surface of the cyber realm, a silent menace emerges—crafted with the precision...

Doppelgänger: Hackers Employ AI to Launch Highly sophistication Attacks

It has been observed that threat actors are using AI technology to conduct illicit...

Kali Linux 2023.4 Released – What’s New!

Kali Linux 2023.4, the latest version of Offensive Security's renowned operating system, has been...

Trickbot Malware Developer Pleads Guilty & Faces 35 Years in Prison

A 40-year-old Russian national, Vladimir Dunaev, pleaded guilty for developing and deploying Trickbot malware....

ICANN Launches RDRS to Assist Law Enforcement Agencies to Discover Private Info

ICANN is a non-profit organization that is responsible for coordinating the global internet's-DNSIP address...

Hackers Use Weaponized Documents to Attack U.S. Aerospace Industry

An American aerospace company has been the target of a commercial cyberespionage campaign dubbed...

API Attack Simulation Webinar

Live API Attack Simulation

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked.The session will cover:an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

Related Articles