Millions of Android Phones Comes Pre-Infected with Malware Firmware

Researchers from Trend Micro at Black Hat Asia claim that criminals have pre-infected millions of Android devices with malicious firmware before the devices ever leave their manufacturing.

The manufacturing of the gadgets is outsourced to an original equipment manufacturer (OEM). According to the researchers, this outsourcing makes it possible for someone in the manufacturing process, like a firmware provider, to infect devices as they are shipped out with malicious code.

The team at Trend Micro termed the issue “a growing problem for regular users and enterprises.” Thus use it as a combined warning and reminder.

Viruses started to be introduced as the cost of mobile phone firmware decreased. Distributors of firmware finally found themselves in such fierce competition with one another that they could not demand payment for their goods.

The senior Trend Micro researcher Fyodor Yarochkin responded, “But of course, there’s no free stuff,” He explained that because of this competitive environment, the firmware has started to include undesired features like silent plugins. 

The team searched through several firmware images for malicious software. Over 80 plugins were discovered, though many were not extensively used.

Notably, the most significant plugins had a business model developed around them, were bought and sold illegally, and were openly promoted on websites like Facebook, blogs, and YouTube.

Malware’s Goal Is To Steal Information Or Use It To Gain Money

The malware’s goal is to steal information or to profit from the collection or delivery of information.

The infection turns the devices into proxies used to monetize through advertisements and click fraud, steal and sell SMS messages, hijack social media and online messaging accounts, and steal contacts.

Further, proxy plugins are one form of a plugin that lets the criminal rent out devices for up to five minutes at a time. For instance, people renting the device’s control could learn about keystrokes, location, IP address, and more.

“The user of the proxy will be able to use someone else’s phone for 1200 seconds as an exit node,” said Yarochkin.

Likewise, he said that the team discovered a Facebook cookie plugin employed to gather data from the Facebook app.

The researchers determined from telemetry data that there are at least millions of infected devices worldwide, primarily in Southeast Asia and Eastern Europe. The researchers claimed that the perpetrators themselves had self-reported a figure of 8.9 million.

Although the word “China” appeared numerous times in the presentation, including in an origin narrative tied to the creation of the dodgy firmware, the duo refused to address where the dangers were coming from. 

Yarochkin advised the audience to consider the locations of the majority of the world’s OEMs and draw their conclusions. 

He added that it is challenging to determine precisely how this infection gets into this mobile phone because we are unsure of when it entered the supply chain.

“Big brands like Samsung, like Google, took care of their supply chain security relatively well, but for threat actors, this is still a very lucrative market,” said Yarochkin.

Struggling to Apply The Security Patch in Your System? – 
Try All-in-One Patch Manager Plus

Guru baran

Recent Posts

WordPress POP Chain Flaw Exposes Over 800M+ Websites to Attack

A critical remote code execution vulnerability has been patched as part of the Wordpress 6.4.2 version. This vulnerability exists in…

11 hours ago

Russian Star Blizzard New Evasion Techniques to Hijack Email Accounts

Hackers target email accounts because they contain valuable personal and financial information. Successful email breaches enable threat actors to:- Identity…

12 hours ago

Exploitation Methods Used by PlugX Malware Revealed by Splunk Research

PlugX malware is sophisticated in evasion, as it uses the following techniques to avoid detection by antivirus programs, making it…

1 day ago

TA422 Hackers Attack Organizations Using Outlook & WinRAR Vulnerabilities

Hackers exploit Outlook and WinRAR vulnerabilities because these widely used software programs are lucrative targets.  Outlook vulnerabilities offer:- Access to…

2 days ago

Bluetooth keystroke-injection Flaw: A Threat to Apple, Linux & Android Devices

An unauthenticated Bluetooth keystroke-injection vulnerability that affects Android, macOS, and iOS devices has been discovered. This vulnerability can be exploited…

2 days ago

Atlassian Patches RCE Flaw that Affected Multiple Products

Atlassian has been discovered with four new vulnerabilities associated with Remote Code Execution in multiple products. The CVEs for these…

2 days ago