Firmware of Dozens Android Device Models Packed with Trojans

Firmware controlling dozens of Android mobile device models incorporates Trojans capable of covertly downloading and installing other programs, security firm Doctor Web has revealed.

Researchers from the security firm discovered that the Trojans are stored in system directories on affected devices, having been incorporated into the devices' firmware by “dishonest outsourcers” who wanted to cash in on their access to the creation of Android system images.

Dubbed Android.DownLoader.473.origin, one of the Trojans was found to impact many popular Android devices powered by MediaTek platforms, including 26 smartphone models. Doctor Web researchers suggest that additional models might also be impacted.

The Trojan was designed to continuously monitor the Wi-Fi module and to connect to the command and control (C&C) server to receive the configuration file with instructions. The malicious program starts every time the device is turned on and, based on the information received from the C&C, it can download and install applications on the infected device.

One of the applications that this Trojan actively distributes is the advertising program H5GameCenter, which Dr.Web detects as Adware.AdBox.1.origin. The malicious software displays a small box image on top of running applications and does not allow users to remove the image from the screen.

This image, however, is actually a shortcut that would take users to a catalog integrated into the malware itself. H5GameCenter was also observed displaying advertisements, and the security researchers say that the malware is actually rather difficult to remove, because Android.DownLoader.473.origin would download and install it again if it gets deleted.
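Because the downloader lives on the firmware partition rather than in user-installed app storage, a useful first triage step on a suspect device is to compare the packages on the read-only partitions against what the vendor is known to ship. The script below is an added example written for this article, not code from Doctor Web or SecurityWeek: it parses the output format of `pm list packages -f` (`package:<apk path>=<package name>`), classifies each entry by partition, and reports firmware-partition packages that are absent from a vendor baseline. The listing and the baseline are constructed sample data; the package names `com.constructed.*` are placeholders and do not correspond to any real malware family.

```python
"""Audit an Android package listing for firmware-partition apps that are missing
from a vendor baseline. Added example, not part of the original article."""
import re
from dataclasses import dataclass

# `pm list packages -f` prints one line per package, for example:
#   package:/system/app/Foo/Foo.apk=com.vendor.foo
PM_LINE = re.compile(r"^package:(?P<path>\S+?)=(?P<name>[\w.]+)$")

# Partitions that are part of the firmware image. A package here cannot be
# uninstalled by the user and comes back after a factory reset, which is why a
# downloader planted at build time keeps reinstalling what it delivers.
FIRMWARE_PREFIXES = ("/system/", "/system_ext/", "/vendor/", "/product/", "/oem/")


@dataclass(frozen=True)
class PackageEntry:
    name: str
    path: str

    @property
    def on_firmware(self) -> bool:
        return self.path.startswith(FIRMWARE_PREFIXES)


def parse_pm_listing(text: str) -> list[PackageEntry]:
    """Parse `pm list packages -f` output; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            entries.append(PackageEntry(m["name"], m["path"]))
    return entries


def unexpected_firmware_packages(text: str, baseline: set[str]) -> list[PackageEntry]:
    """Return firmware-partition packages that are not in the vendor baseline,
    sorted by package name. User-partition (/data/app) packages are ignored here
    because the user can remove those directly."""
    return sorted(
        (e for e in parse_pm_listing(text) if e.on_firmware and e.name not in baseline),
        key=lambda e: e.name,
    )


# Constructed sample listing: three legitimate vendor packages, one unknown
# package on /system/app, and one user-installed package on /data/app.
SAMPLE_PM_LISTING = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/app/Launcher3/Launcher3.apk=com.android.launcher3
package:/system/app/SysUpdateSvc/SysUpdateSvc.apk=com.constructed.sysupdatesvc
package:/data/app/com.constructed.h5game-1/base.apk=com.constructed.h5game
package:/vendor/app/Camera/Camera.apk=com.vendor.camera
"""

# Constructed baseline: what the (hypothetical) vendor image is known to contain.
VENDOR_BASELINE = {"com.android.settings", "com.android.launcher3", "com.vendor.camera"}


if __name__ == "__main__":
    findings = unexpected_firmware_packages(SAMPLE_PM_LISTING, VENDOR_BASELINE)
    for entry in findings:
        print(f"unexpected firmware package: {entry.name} at {entry.path}")
    # With the sample data this reports only com.constructed.sysupdatesvc.
```

On a real device the listing would come from `adb shell pm list packages -f`, and the baseline from a clean image of the same model; an unexpected entry is a lead for further analysis (pulling the APK and inspecting its permissions and boot-time receivers), not proof of compromise on its own.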

The device models affected by the Trojan downloader include MegaFon Login 4 LTE, Irbis TZ85, Irbis TX97, Irbis TZ43, Bravis NB85, Bravis NB105, SUPRA M72KG, SUPRA M729G, SUPRA V2N10, Pixus Touch 7.85 3G, Itell K3300, General Satellite GS700, Digma Plane 9.7 3G, Nomi C07000, Prestigio MultiPad Wize 3021 3G, Prestigio MultiPad PMT5001 3G, Optima 10.1 3G TT1040MG, Marshal ME-711, 7 MID, Explay Imperium 8, Perfeo 9032_3G, Ritmix RMD-1121, Oysters T72HM 3G, Irbis tz70, Irbis tz56, and Jeka JK103.

One other Trojan that Doctor Web researchers discovered in the firmware of Android devices, this time only in the Lenovo A319 and Lenovo A6000, is Android.Sprovider.7. The malware, they say, was incorporated into the application Rambla, which was designed to provide access to the Android software catalog that carries the same name.

Android.Sprovider.7's payload is located in a separate program module (Android.Sprovider.12.origin), stored encrypted in the resources of the main malware program. As soon as the user unlocks the home screen, the Trojan checks whether the module is still active and, if necessary, retrieves the component and runs it.

Android.Sprovider.12.origin, researchers say, can download applications and attempt to install them (though it requires confirmation from the user); run the installed applications; open a specified link in a browser; make a phone call on a certain number by using a standard system application; run a standard system phone application in which a specified number is already dialed; show advertisements on top of all applications or in the status bar; create a shortcut on the home screen; and update a main malicious module.

The main purpose of both Android.DownLoader.473.origin and Android.Sprovider.7 is to generate revenue for their operators by increasing application download statistics and by distributing advertising software, the security researchers conclude.

The affected smartphone manufacturers have already been informed of the issue. Impacted users are advised to contact technical support specialists to receive an update for their device's software as soon as it is ready.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.