According to a newly published report on mobile malware from researchers at G Data, "well over 26" smartphones have been discovered shipping complete with pre-installed malware in the device firmware.
Earlier this year the same company revealed the presence of adware on Android devices, along with 'potentially unwanted programs' or PUPs. Now it says that monitoring applications – aka spyware – to collect data without the smartphone owner realising, along with other malware, is also becoming a problem on certain Chinese handsets.
The shipping of mobile devices with pre-installed malware is nothing new, certainly not to me. Some eight years ago I won an award for my investigation and subsequent breaking of a news story involving TomTom GO 910 satnav units that came with a bunch of Trojans right out of the box.
Back then, although never actually confirmed, it appeared that the malware was most likely introduced through the quality assurance process ironically enough – random units taken off the production line and plugged into an infected computer for testing.
This was what you might call an accidental infection.
According to the G Data researchers, there is unlikely to have been anything accidental about the malware it discovered pre-installed on at least 26 different smartphones from manufacturers including Huawei, Lenovo and Xiaomi.
Which isn't to say the security firm thinks that the manufacturers are the perpetrators here, far from it. In fact, G Data reckons it is down to 'middlemen' in the distribution chain who are looking to add to their revenue by making "additional financial gains from stolen user data and enforced advertising".
G Data admits that it's not always obvious – given that legitimate apps often request permissions that go beyond the accepted usual activity of the product – when something is malware or not. These are often referred to as PUPs for this very reason. However, the researchers also point out that monitoring malware that can hide itself, by coming already pre-installed, so avoiding any opportunity for the owner to review these permissions during installation, is an altogether different proposition.
Among the spyware apps that G Data discovered being used for nefarious purposes out of the box was one pretending to be the Google Drive app but actually identified by researchers as Android.Monitor.Gsyn.B which contains no functionality other than the ability to monitor and steal a wide range of data without the user knowing. It can, they say, listen in to telephone conversations, copy contacts, ask for location data, record audio with the microphone, disable AV software and read the device browser history. All highly useful resources for a would-be data thief.
Then there was malware hidden in totally legit apps that have been manipulated to contain the malware code as an add-on alongside the expected functions. These will most often run quietly in the background, causing no suspicion to the user.
Facebook was one such app that had been hijacked by the bad guys, infected with the Android.Trojan.Andup.D malware that could do pretty much everything that the previous spyware example did along with sending premium SMS for profit and the potential for committing bank fraud.
So just how big a problem is the introduction of malware via the supply chain, in the smartphone market specifically and within IT hardware generally?
Speaking exclusively to SCMagazineUK.com, Chris Boyd, the senior malware intelligence analyst at Malwarebytes, said that there are still very few reports of mobile malware turning up pre-installed on phones, and the biggest threat is always going to come from purchases at markets and places off the beaten track – especially where the seller has physical access to an unboxed device.
"Counterfeit phones would also be at risk from unauthorised programs being installed, so it pays to purchase from verified vendors or the phone maker themselves," he said.
Boyd went on to suggest that while there are too few instances of this happening to be able to spot any real pattern in favoured malware types, "anything with the ability to send premium rate SMS, install additional apps or listen to calls is going to present a serious threat to your privacy and overall security".
Loucif Kharouni, senior threat researcher at Damballa, isn't overly concerned that there is some kind of grand criminal enterprise at work here. "This seems to be the work of some groups who happened to have access to the devices at some point in the chain," he told us, adding that while there is no evidence of organised criminal gangs, "we do not believe it is the work of one-off chancers" either.
Meanwhile, Simon Mullis, global technical lead at FireEye, reckons that the fact that this can occur at all is significant and it could be "as a result of deliberate action by the manufacturer or by allowing third-parties to have access to the systems through a failure or lack of process".
Mullis warns that the fact the bad guys seem to have been able to insert themselves in the supply-chain in between the manufacturer and the end user "suggests a degree of sophistication to their operations."
Whether or not they are opportunistically looking for simple ways to generate revenue does not dictate what they might want in the future. "You cannot estimate risk based on what you think might be the motivations of the attackers in a week's time," he explains, adding: "Certainly, as we see regularly, it's very common for sophisticated – possibly nation-state – threat actors to use whatever tricks they can to hide attribution."
Jim Black, head of product management at Bloxx, wonders whether "gaining access to modify pre-installed apps is most likely to be done by employees who may or may not be willing participants".
If they are willing participants, then they could be acting alone or more likely in collaboration with organised criminal gangs who may be paying them to compromise the apps, or may be acting under duress.
Professor Steven Furnell, a senior member of the IEEE, says there has been growing concern voiced over deliberate spiking in the supply chain, with suspected motivations most commonly linked to data theft.
"In the particular case of smartphones, one would hope that the risk could be mitigated in the way that the G DATA study itself describes – by ensuring that an appropriate security solution is installed to scan the device," he says. "While one would equally hope that such scanning would already take place at the manufacturer end of things, if there is a bogus intervention later in the supply chain then the user can still end up at risk. Unfortunately, as the G DATA study again observes, if the malicious code is lodged in the firmware then users may initially find themselves rather stuck with it."