Firmware controlling dozens of Android mobile device models incorporates Trojans capable of covertly downloading and installing other programs, security firm Doctor Web has revealed.
Researchers from the security firm discovered that Trojans are stored in system catalogs on affected devices, which were incorporated into the devices firmware by “dishonest outsourcers” who wanted to cash in on their access to the creation of Android system images.
Dubbed Android.DownLoader.473.origin, one of the Trojans was found to impact many popular Android devices powered by MediaTek platforms, including 26 smartphone models. Doctor Web researchers suggest that additional models might also be impacted.
The Trojan was designed to continuously monitor the Wi-Fi module and to connect to the command and control (C&C) server to receive the configuration file with instructions. The malicious program starts every time the device is turned on and, based on the information received from the C&C, it can download and install applications on the infected device.
One of the applications that this Trojan actively distributes is the advertising program H5GameCenter, which Dr.Web detects as Adware.AdBox.1.origin. The malicious software displays a small box image on top of running applications and does not allow users to remove the image from the screen.
This image, however, is actually a shortcut that would take users to a catalog integrated into the malware itself. H5GameCenter was also observed displaying advertisements, and the security researchers say that the malware is actually rather difficult to remove, because Android.DownLoader.473.origin would download and install it again if it gets deleted.
The device models affected by the Trojan downloader include MegaFon Login 4 LTE, Irbis TZ85, Irbis TX97, Irbis TZ43, Bravis NB85, Bravis NB105, SUPRA M72KG, SUPRA M729G, SUPRA V2N10, Pixus Touch 7.85 3G, Itell K3300, General Satellite GS700, Digma Plane 9.7 3G, Nomi C07000, Prestigio MultiPad Wize 3021 3G, Prestigio MultiPad PMT5001 3G, Optima 10.1 3G TT1040MG, Marshal ME-711, 7 MID, Explay Imperium 8, Perfeo 9032_3G, Ritmix RMD-1121, Oysters T72HM 3G, Irbis tz70, Irbis tz56, and Jeka JK103.
One other Trojan that Doctor Web researchers discovered in the firmware of Android devices, this time only in the Lenovo A319 and Lenovo A6000, is Android.Sprovider.7. The malware, they say, was incorporated into the application Rambla, which was designed to provide access to the Android software catalog that carries the same name.
The Android.Sprovider.7’s payload is located in a separate program module (Android.Sprovider.12.origin), encrypted and stored in the resources of the main malware program. As soon as the user unlocks the home screen, the Trojan checks whether the module is still active, retrieves the component and runs it if necessary.
Android.Sprovider.12.origin, researchers say, can download applications and attempt to install them (though it requires confirmation from the user); run the installed applications; open a specified link in a browser; make a phone call on a certain number by using a standard system application; run a standard system phone application in which a specified number is already dialed; show advertisements on top of all applications or in the status bar; create a shortcut on the home screen; and update a main malicious module.
The main purpose of both Android.DownLoader.473.origin and Android.Sprovider.7 is to generate revenue for their operators by increasing application download statistics and by distributing advertising software, the security researchers conclude.
The affected smartphone manufacturers were already informed on the issue. Impacted users are advised to contact technical support specialists to receive an update for their device’s software as soon as it is ready.