Millions of Android phones are infected with malware before they even leave the factory

Millions of Android devices around the world are infected with malicious firmware before the devices even leave the factory, Trend Micro researchers warned at the Black Hat Asia conference.

These are mostly cheap Android mobile phones, but there are also smart watches, TVs and other devices among them.

The production of the device is left to the OEM (Original Equipment Manufacturer). That outsourcing allows someone in the manufacturing process, such as a firmware vendor, to infect products with malicious code as they ship, the researchers said.

They think this has been going on for a while. Something similar happened in 2017.

The researchers characterized this threat as a “growing problem for users and businesses.”

“What’s the easiest way to infect millions of devices?” asked Trend Micro researcher Fyodor Jarochkin, speaking with colleague Zengyu Dong at a conference in Singapore.

Jarochkin compared this infiltration at such an early stage in the device’s life cycle to a tree that absorbs liquid: put an infection in the root, and it spreads everywhere, to every branch and leaf.

This injection of malware started when the price of mobile phone firmware dropped. The competition between firmware distributors became so great that eventually the providers could not charge for their product.

“But, of course, nothing is free,” said Jarochkin, who explained that as a result of this situation, firmware began to come with invisible plugins. The team analyzed dozens of firmwares looking for malware. They found over 80 different supplements, although many of them were not widely distributed.

The most influential plugins were those that had a business model built around them, sold underground and marketed publicly on places like Facebook, blogs and YouTube.

The goal of malware is to steal information or make money from the information collected or delivered.

Malware turns devices into proxies that are used to steal and sell SMS messages, take over social media and messenger accounts, and use them as an opportunity to monetize through ads and click fraud.

One type of plug-in, proxy plug-ins, allows a criminal to rent devices for about five minutes at a time. For example, those who rent control over a device can obtain data about keystrokes, geographic location, IP address, and more.

“A proxy user will be able to use someone else’s phone for a period of 1,200 seconds as an exit node,” Jarochkin said. He also said the team found a cookie plugin for Facebook that was used to collect activity from the Facebook app.

Through telemetry data, the researchers estimated that there are millions of infected devices worldwide, but that most of them are in Southeast Asia and Eastern Europe. According to statistics reported by the criminals themselves, there are about 8.9 million of them, researchers say.

As for where the threats are coming from, the researchers did not specifically state, although the word “China” appeared several times in the presentation, including an origin story related to the development of the infected firmware. Jarochkin said that one should remember where most of the world’s OEM manufacturers are located and draw their own conclusions.

“It is difficult to determine exactly how this infection is introduced into the mobile phone because we do not know for sure at what point it entered the supply chain,” Jarochkin said.

The team confirmed that the malware was found in phones from at least 10 vendors, but that around 40 more were likely affected. For those who want to avoid infected cell phones, they could protect themselves in some way by sticking to high-end ones. In other words, you will find bad firmware on cheaper Android devices, so users are recommended to stick to bigger brands, such as Samsung or Google, which, according to the researchers, “have taken relatively good care of the security of their supply chain.”

Although this is not necessarily a guarantee of safety either.

Photo: Denny Mueller / Unsplash