
Firmware of Dozens Android Device Models Packed with Trojans

Firmware controlling dozens of Android mobile device models incorporates Trojans capable of covertly downloading and installing other programs, security firm Doctor Web has revealed.

Researchers from the security firm discovered that the Trojans are stored in system directories on the affected devices. They were built into the devices' firmware by "dishonest outsourcers" who wanted to cash in on their access to the creation of Android system images.

Dubbed Android.DownLoader.473.origin, one of the Trojans was found to impact many popular Android devices powered by MediaTek platforms, including 26 smartphone models. Doctor Web researchers suggest that additional models might also be impacted.

The Trojan was designed to continuously monitor the Wi-Fi module and to connect to the command and control (C&C) server to receive the configuration file with instructions. The malicious program starts every time the device is turned on and, based on the information received from the C&C, it can download and install applications on the infected device.

One of the applications that this Trojan actively distributes is the advertising program H5GameCenter, which Dr.Web detects as Adware.AdBox.1.origin. The malicious software displays a small box image on top of running applications and does not allow users to remove the image from the screen.

This image, however, is actually a shortcut that would take users to a catalog integrated into the malware itself. H5GameCenter was also observed displaying advertisements, and the security researchers say that the malware is actually rather difficult to remove, because Android.DownLoader.473.origin would download and install it again if it gets deleted.
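The reinstall loop described above is the tell: an adware package that keeps coming back after removal points to a second component living on the read-only system partition, where a normal uninstall cannot reach it. The following is an added triage example (not code from Doctor Web or SecurityWeek) that parses the real output format of `adb shell pm list packages -f` and lists packages whose APK sits under a system partition but is not in a baseline of packages expected on a clean image. The sample output, the package names and the baseline are constructed for illustration.

```python
"""Flag packages resident on the system partition that are not in a known baseline.

Added example, not from the article or Doctor Web.  The sample `pm list packages -f`
output, its package names and the baseline set are constructed for illustration.
"""
import re
from typing import Dict, List, Set

# Real output format of `pm list packages -f`: package:<apk path>=<package name>
LINE_RE = re.compile(r"^package:(?P<path>\S+?)=(?P<name>[\w.]+)$")

# Partitions that are read-only at runtime; packages here survive a normal uninstall.
SYSTEM_PREFIXES = ("/system/", "/vendor/", "/product/", "/oem/")


def parse_pm_output(text: str) -> Dict[str, str]:
    """Map package name -> APK path.  Lines that do not match the format are ignored."""
    packages: Dict[str, str] = {}
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            packages[match.group("name")] = match.group("path")
    return packages


def system_resident_unexpected(packages: Dict[str, str], baseline: Set[str]) -> List[str]:
    """Return packages on a system partition that the clean-image baseline does not list.

    Anything reported here deserves a look: it runs with system privileges, starts with
    the device, and cannot be removed by the user.  It does not prove malice by itself.
    """
    return sorted(
        name
        for name, path in packages.items()
        if path.startswith(SYSTEM_PREFIXES) and name not in baseline
    )


# Constructed sample: two baseline system apps, one unexpected system-resident package,
# and one user-space package (the kind that reappears after uninstall).
SAMPLE_PM_OUTPUT = """package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/app/Browser/Browser.apk=com.android.browser
package:/system/app/SvcUpdater/SvcUpdater.apk=com.example.svcupdater
package:/data/app/com.example.h5game-1/base.apk=com.example.h5game
"""
CLEAN_IMAGE_BASELINE = {"com.android.settings", "com.android.browser"}


def triage_sample() -> List[str]:
    """Run the check over the constructed sample; returns ['com.example.svcupdater']."""
    return system_resident_unexpected(parse_pm_output(SAMPLE_PM_OUTPUT), CLEAN_IMAGE_BASELINE)


if __name__ == "__main__":
    for name in triage_sample():
        print("unexpected system-resident package:", name)
```

In practice the baseline comes from the vendor's stock image for the exact model and build, since every model ships a different set of preloaded apps; without that reference the list is noisy. Removing a package found this way requires a firmware update from the vendor, which is why the article advises contacting the manufacturer's support rather than trying to uninstall it.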

The device models affected by the Trojan downloader include MegaFon Login 4 LTE, Irbis TZ85, Irbis TX97, Irbis TZ43, Bravis NB85, Bravis NB105, SUPRA M72KG, SUPRA M729G, SUPRA V2N10, Pixus Touch 7.85 3G, Itell K3300, General Satellite GS700, Digma Plane 9.7 3G, Nomi C07000, Prestigio MultiPad Wize 3021 3G, Prestigio MultiPad PMT5001 3G, Optima 10.1 3G TT1040MG, Marshal ME-711, 7 MID, Explay Imperium 8, Perfeo 9032_3G, Ritmix RMD-1121, Oysters T72HM 3G, Irbis tz70, Irbis tz56, and Jeka JK103.

One other Trojan that Doctor Web researchers discovered in the firmware of Android devices, this time only in the Lenovo A319 and Lenovo A6000, is Android.Sprovider.7. The malware, they say, was incorporated into the application Rambla, which was designed to provide access to the Android software catalog that carries the same name.

Android.Sprovider.7's payload is located in a separate program module (Android.Sprovider.12.origin), encrypted and stored in the resources of the main malware program. As soon as the user unlocks the home screen, the Trojan checks whether the module is still active, retrieves the component and runs it if necessary.

Android.Sprovider.12.origin, researchers say, can download applications and attempt to install them (though it requires confirmation from the user); run the installed applications; open a specified link in a browser; make a phone call on a certain number by using a standard system application; run a standard system phone application in which a specified number is already dialed; show advertisements on top of all applications or in the status bar; create a shortcut on the home screen; and update a main malicious module.
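The capabilities listed for the two Trojans (starting with the device, reaching a C&C server, downloading and installing packages, drawing over other apps, placing calls, creating home-screen shortcuts) each map to a declared Android permission or manifest entry, so a decoded `AndroidManifest.xml` is a cheap first place to look when auditing a firmware image's preloaded apps. The following is an added example (not from the article, Doctor Web or SecurityWeek) that scores a decoded manifest on that combination. The permission weights and the review threshold are an illustrative assumption, not a published rule, and the two manifests are constructed.

```python
"""Heuristic triage of a decoded AndroidManifest.xml (as produced by apktool).

Added example; the weights, threshold and sample manifests are constructed assumptions.
A high score means "review this package", not "this package is malicious".
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission -> (capability the article describes, illustrative weight).
# INSTALL_PACKAGES is a signature|privileged permission: a non-OEM app holding it on the
# system partition is exactly the pattern the article describes, hence the highest weight.
PERMISSION_WEIGHTS = {
    "android.permission.RECEIVE_BOOT_COMPLETED": ("starts when the device boots", 2),
    "android.permission.INTERNET": ("network access (C&C, downloads)", 1),
    "android.permission.INSTALL_PACKAGES": ("silent package install", 4),
    "android.permission.REQUEST_INSTALL_PACKAGES": ("user-confirmed package install", 2),
    "android.permission.SYSTEM_ALERT_WINDOW": ("draw over other apps", 3),
    "android.permission.CALL_PHONE": ("place phone calls", 2),
    "com.android.launcher.permission.INSTALL_SHORTCUT": ("create home-screen shortcuts", 1),
}
REVIEW_THRESHOLD = 8  # assumption for this example


def triage_manifest(manifest_xml: str) -> Dict[str, object]:
    """Return the matched capabilities, a score, whether a BOOT_COMPLETED receiver exists,
    and a review flag for one decoded manifest."""
    root = ET.fromstring(manifest_xml)
    capabilities: List[str] = []
    score = 0
    for perm in root.iter("uses-permission"):
        name = perm.get(ANDROID_NS + "name", "")
        if name in PERMISSION_WEIGHTS:
            label, weight = PERMISSION_WEIGHTS[name]
            capabilities.append(label)
            score += weight
    # The receiver is the concrete hook behind "starts every time the device is turned on".
    boot_receiver = any(
        action.get(ANDROID_NS + "name") == "android.intent.action.BOOT_COMPLETED"
        for receiver in root.iter("receiver")
        for action in receiver.iter("action")
    )
    if boot_receiver:
        score += 2
    return {
        "capabilities": capabilities,
        "boot_receiver": boot_receiver,
        "score": score,
        "flag": score >= REVIEW_THRESHOLD,
    }


# Constructed manifests: one with the downloader-style combination, one ordinary app.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.svcupdater">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""


if __name__ == "__main__":
    for label, xml in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage_manifest(xml))
```

The score only ranks packages for manual review; confirming behaviour like the one described here still means examining what the app actually does with those permissions (the encrypted module in Android.Sprovider.7's resources, for instance, is invisible to a manifest check) and comparing the package against the vendor's stock image.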

The main purpose of both Android.DownLoader.473.origin and Android.Sprovider.7 is to generate revenue for their operators by increasing application download statistics and by distributing advertising software, the security researchers conclude.

The affected smartphone manufacturers have already been informed of the issue. Impacted users are advised to contact technical support specialists to receive an update for their device's software as soon as it is ready.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
