Security researchers at Dr.Web, a Russia-based antivirus developer firm, have identified various cheap Android brands are being shipped with a malware in their firmware that lets cybercriminals secretly collects data and performs a variety of other irritating steps such as showing different ads on the activated applications and downloading unrequired APK files on the infected device.
It is identified that a huge number of famous Android devices are plagued with this malicious firmware. It is worth nothing that a majority of these devices are marketed in Russia.
According to Dr.Web researchers, there are two kinds of downloader Trojans that have been incorporated in the firmware: 1 Android.DownLoader.473.origin and 2: Android.Sprovider.7.
These Trojans can:
* Collect data from and about the infected smartphones
* Communicate with their command and control server (C&C server)
* Update the software automatically
* Download and install apps secretly as per the instructions received from the C&C server
* Automatically run when the device is turned on or restarted
The list of Android smartphone models that contains the malicious firmware is as follows:
“Lenovo A319, Lenovo A6000, MegaFon Login 4 LTE, Bravis NB85, Bravis NB105, Irbis TZ85, Irbis TX97, Irbis TZ43, Irbis tz56, Pixus Touch 7.85 3G, SUPRA M72KG, SUPRA M729G, SUPRA V2N10, Itell K3300, Digma Plane 9.7 3G, General Satellite GS700, Nomi C07000, Optima 10.1 3G TT1040MG, Marshal ME-711, 7 MID, Explay Imperium 8, Perfeo 9032_3G, Prestigio MultiPad Wize 3021 3G, Prestigio MultiPad PMT5001 3G, Ritmix RMD-1121, Oysters T72HM 3G, Irbis tz70, and Jeka JK103.” Source
According to the research team at Dr.Web, this is yet another strategy adopted by cybercriminals to generate income by “increasing application download statistics and by distributing advertising software.”
“Therefore, [both Trojans] were incorporated into Android firmware because dishonest outsourcers who took part in the creation of Android system images decided to make money on users,” explained the researchers.
Android.Sprovider.7 trojan, which was identified in Lenovo A319 and Lenovo A6000 smartphones can download/install/run APK files, automatically open a certain URL in the browser, make phone calls through a standard system application to specific numbers, run the standard system phone application if the specified number has already been dialed and update another dangerous module. Apart from these functions, the firmware can show ads on all applications and create a shortcut on the mobile’s home screen and display unwanted ads in the status bar.
Android.DownLoader.473. alternately, was identified in the remaining devices. This firmware downloads and installs additional malware and also unrequired applications. It is also capable of downloading H5Game Center, an ad program, which displays a small box picture on all the applications that are running on the smartphone and the user cannot disable it. Even if this app is removed, it will be reinstalled by the firmware Trojan.
Dr.Web has already informed manufacturers of aforementioned devices. Let’s wait and see what solution they come up with.