Several dozen models of Android phones running on a mobile platform from MediaTek have been found to contain trojans that were secretly implanted in their firmware.
According to a report by antivirus firm Dr.Web, an unscrupulous outsourced developer of apps and/or firmware was most likely responsible for tampering with the devices. The trojans, which Dr. Web researchers discovered stored in system catalogs, are designed to install unwanted programs and malware, often to generate money via advertisements and unauthorized downloads.
“It is known that cybercriminals generate their income by increasing application download statistics and by distributing advertising software,” reads the Dr.Web report. “Therefore, [the trojans] were incorporated into Android firmware because dishonest outsourcers who took part in [the] creation of Android system images decided to make money on users.”
Alexander Goryachov, an analyst at Doctor Web told SC Media in an email interview that it does not appear as if a vulnerability in the MediaTek chipsets was the vector of infection.
One of the trojans, named Android.DownLoader.473.origin, is a downloader program found embedded in at least 26 Android smartphone models from a variety of manufacturers, listed by Dr.Web as follows:
- MegaFon Login 4 LTE
- Irbis TZ85
- Irbis TX97
- Irbis TZ43
- Bravis NB85
- Bravis NB105
- SUPRA M72KG
- SUPRA M729G
- SUPRA V2N10
- Pixus Touch 7.85 3G
- Itell K3300
- General Satellite GS700
- Digma Plane 9.7 3G
- Nomi C07000
- Prestigio MultiPad Wize 3021 3G
- Prestigio MultiPad PMT5001 3G
- Optima 10.1 3G TT1040MG
- Marshal ME-711
- 7 MID
- Explay Imperium 8
- Perfeo 9032_3G
- Ritmix RMD-1121
- Oysters T72HM 3G
- Irbis tz70
- Irbis tz56
- Jeka JK103
A BleepingComputer report found that the above devices generally share two common links: they are low in cost and marketed primarily in Russia.
As soon as an infected device is turned on, the Android.DownLoader.473.origin immediately connects to a command-and-control server to receive instructions on which unauthorized application to download and install. According to Dr.Web, one of these apps is H5GameCenter (also identified as Adware.Adbox.1.origin), which annoys users by continuously displaying a small box image on top of running applications. Clicking on the box opens a catalog of additional apps, apparently in hopes that the user will download even more programs.
Worse, the box cannot be removed, and if a user tries to delete H5GameCenter, Android.DownLoader.473.origin simply reinstalls it. The original downloader also has its own adware functionality that displays ads on impacted devices.
Dr. Web researchers also found a second Trojan – a dropper named Android.Sprovider.7 – on Lenovo smartphone models A319 and A6000. The malware was reportedly incorporated into an application called Rambla that provides users access to a catalog of Android software programs.
This trojan's payload module, dubbed Android.Sprovider.12.origin,is designed to download and install additional files (with user confirmation), as well as generate unwanted advertisements, displaying them on top of running applications and the status bar. Dr.Web also noted that the payload can make a phone call to "a certain number, using a standard system application,” but did not specify what the intent of this functionality is.
Dr.Web has informed MediaTek and the affected smartphone manufacturers of its findings. Also, Goryachov confirmed to SC Media that MediaTek has been told the name of the suspect developer. SC Media has reached out to MediaTek for comments.
To prevent such schemes in the future, mobile manufacturers can take measures to protect themselves from underhanded business partners.
"In order to prevent situations like this, producers need to maintain solid partner relations with outsourcers who have a good reputation and proved to be reliable themselves," said Goryachov. "It's impossible to eliminate [the threat of an] inside job... completely, but it can be minimized."
"One can also get security companies to analyze and audit all software for backdoors, malicious functionality and undeclared APIs, Goryachov added. "It costs a lot of money and takes a lot of time, of course, but lowers the associated risks too."
UPDATE 12/14: The article has been update to include quote from Alexander Goryachov and to clarify that the suspected outsourcer company is most likely a developer of apps or firmware.