
Malware Found Pre-loaded on Phones Sold in Asia, Africa: Research

Researchers at mobile security firm Lookout say they have found malware pre-loaded on mobile devices being sold in Asia and Africa.

The malware, known as ‘DeathRing’, masquerades as a ringtone app. In reality, it can download SMS and WAP (Wireless Application Protocol) content from its command and control server to the victim’s phone and use that content for malicious activity.

The researchers spotted the malware in the system directory of a number of devices from third-tier manufacturers selling phones to the developing world. Lookout published a detailed list of the impacted devices, which includes the Gionee Gpad G1, the Hi-Tech Amaze Tab and the Haier H7.

“This is the number one malware threat we’ve detected since June 2014 for Indonesia, Nigeria, Tanzania, and Kenya,” said Jeremy Linden, senior security product manager at Lookout. “It is number two for Uganda. It is number five for Vietnam. It is a localized threat, but not insignificant if you happen to live in those countries.”

“We saw DeathRing in the system partition of the phone – an area of the phone not otherwise accessed by consumers or retailers,” he said. “It suggests to us that an attacker was somewhere in the distribution process flashing this malware onto the phones before it ever reached the retailers.”

According to Lookout, DeathRing may use SMS content to phish a victim’s personal information via fake text messages requesting the desired data. It may also use WAP or browser content to get victims to download further APKs (Android application packages). The malware activates in one of two ways: after the phone has been powered down and rebooted five times, or after the user has been away from and then present at the device at least 50 times.

Earlier this year, Lookout detected another pre-loaded piece of malware called Mouabad. Like DeathRing, Mouabad is believed to have been pre-installed somewhere in the supply chain, and it affected predominantly Asian countries. There were also some detections of Mouabad in Spain.

These types of supply chain attacks are relatively rare in a global sense, Linden said.

“You can consider this, in some ways, a more targeted attack in that it occurs in specific manufacturing chains and is aimed at specific phones,” he said. “However, this is not insignificant for the regions it targets.”

“Really, it comes down to auditing your supply chain regularly,” he added. “They could also run better quality control programs and perhaps even purchase the devices from the end retailers and see if they match quality standards.”

The manufacturers impacted by the DeathRing malware were contacted but have not responded, Linden said.

Lookout recommends consumers in the impacted regions check their phone bills for any suspicious charges.

“Having something like this sit quietly on your phone is never the optimal situation for a victim,” Linden said. “A victim can take action to return the phone or demand a refund if they know their device has been infected with DeathRing. To us, knowledge is power.”
