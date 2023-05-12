Researchers from Trend Micro claim that criminals have pre-infected millions of Android devices with malicious firmware even before the devices ever leave their manufacturing factories.

According to the researchers, although smartwatches, TVs, and other items are included in this list of hardware, cheap Android smartphones make up the majority of it.

Malware Planted During Manufacturing

In the phone manufacturing industry, many companies produce devices by outsourcing the manufacturing process from an original equipment manufacturer (OEM). While that might be more affordable and convenient to the company since it shifts the burden and extra costs to the OEM, the process is filled with risks.

One of the main threats is that the supply chain of the outsourced OEM can easily be infiltrated by a third party with access to the manufacturing process, like a firmware provider, and infect the devices with malicious code as they are shipped out.

Speaking on “How Criminal Enterprises Pre-infect Millions of Mobile Devices” at the Black Hat Asia Event in Singapore this week, Trend Micro researcher Fyodor Yarochkin termed it the easiest way to infect millions of devices.

According to Yarochkin, the infiltration of a device at such an early stage of its life cycle is comparable to a tree absorbing a liquid. When the infection is placed at the root of the tree, it spreads out to every single branch and leaf.

He explained that this malware infiltration began as the cost of mobile phone firmware decreased. Fierce competition among firmware distributors eventually drove prices down to the point where suppliers could no longer charge for their products at all.

But since a product cannot truly be free, the firmware suppliers responded to this competitive pressure by bundling undesired features such as silent plugins. The supplier's goal with this malware is to steal information from the device and profit from the data collected and delivered.

Through the analysis of telemetry data, researchers established that there are millions of infected devices worldwide most of which are concentrated in Southeast Asia and Eastern Europe. They further claimed that the perpetrators themselves had self-reported a figure of 8.9 million infected devices.

High-End Phones May Be Safer

As the Trend Micro group searched through several firmware images for harmful malware, over 80 plugins were discovered, although many were not extensively used.

However, the most impactful of these plugins were those that had a business model developed around them. These plugins were bought and sold illegally and were openly promoted on websites like Facebook, blogs, and YouTube.

The malware would then turn the infected devices into mobile proxies and use them as tools for stealing and selling SMS messages, social media accounts, and online messaging accounts, as well as for monetization through advertisements and click fraud.

During the search, the team found a Facebook cookie plugin that could be used to harvest activity from the Facebook app. This information could then be used to create fraudulent links that a user is likely to fall for.

Another form of these plugins is a Proxy plugin that lets the criminal rent out devices for up to five minutes at a time. Through this plugin, people renting the device’s control could, for instance, learn information about keystrokes, location, IP address, and more.

“The user of the proxy will be able to use someone else’s phone for a period of 1200 seconds as an exit node,” said Yarochkin.

While Yarochkin did not openly state where the malware originated from, he and his co-presenter, Zhengyu Dong, mentioned China even as they told the origin story related to the development of the dodgy firmware.

“Even though we possibly might know the people who build the infrastructure for this business, it's difficult to pinpoint how exactly this infection gets put into this mobile phone because we don’t know for sure at what moment it got into the supply chain,” Yarochkin said.

Phones from at least 10 vendors had the malware, according to the researchers, but there may have been up to 40 more. As a way to avoid such phones, the team stated that going high-end could offer some protection though it would not guarantee safety.

“Big brands like Samsung, like Google, took care of their supply chain security relatively well, but for threat actors, this is still a very lucrative market,” said Yarochkin.