
Malware Found Pre-loaded on Phones Sold in Asia, Africa: Research

Researchers at mobile security firm Lookout say they have found malware pre-loaded on mobile devices being sold in Asia and Africa.


The malware is known as ‘DeathRing’, and masquerades as a ringtone app. In actuality, however, the malware is capable of downloading SMS and WAP (Wireless Application Protocol) content from its command and control server to the victim’s phone to perform malicious activity.

The researchers spotted the malware in the system directory of a number of devices from third-tier manufacturers selling phones to the developing world. A detailed list of the impacted devices can be found here, and includes: Gionee Gpad G1, Hi-Tech Amaze Tab and Haier H7.

“This is the number one malware threat we’ve detected since June 2014 for Indonesia, Nigeria, Tanzania, and Kenya,” said Jeremy Linden, senior security product manager at Lookout. “It is number two for Uganda. It is number five for Vietnam. It is a localized threat, but not insignificant if you happen to live in those countries.”


“We saw DeathRing in the system partition of the phone – an area of the phone not otherwise accessed by consumers or retailers,” he said. “It suggests to us that an attacker was somewhere in the distribution process flashing this malware onto the phones before it ever reached the retailers.”

According to Lookout, DeathRing may use SMS content to phish a victim’s personal information via fake text messages requesting the desired data. It may also use WAP or browser content to get victims to download further APKs (Android application packages). The malware is activated in two ways: the malware will start if the phone is powered down and rebooted five times, and it will start if the victim has been away and present at the device at least 50 times.

Earlier this year, Lookout detected another pre-loaded piece of malware called Mouabad. Like DeathRing, Mouabad is believed to have also been pre-installed somewhere in the supply chain and affected predominantly Asian countries. There were also some detections of Mouabad in Spain.

These types of supply chain attacks are relatively rare in a global sense, Linden said.

“You can consider this, in some ways, a more targeted attack in that it occurs in specific manufacturing chains and is aimed at specific phones,” he said. “However, this is not insignificant for the regions it targets.”

“Really, it comes down to auditing your supply chain regularly,” he added. “They could also run better quality control programs and perhaps even purchase the devices from the end retailers and see if they match quality standards.”
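One way a manufacturer could run the retail-unit check described above is to compare the system apps on a purchased device against the manifest of its factory image. The sketch below is an added example, not code from Lookout or from any vendor; it assumes the listing comes from Android's `pm list packages -f -s`, and the package names, APK contents and manifest are constructed for illustration.

```python
import hashlib

def parse_pm_list(output):
    """Parse `pm list packages -f -s` lines: package:<apk path>=<package name>."""
    entries = {}
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        # The package name follows the last '='; the path may itself contain '='.
        path, _, name = line[len("package:"):].rpartition("=")
        if path and name:
            entries[name] = path
    return entries

def audit_system_apps(pm_output, apk_hashes, manifest):
    """Compare a retail unit's system apps with the factory manifest.

    apk_hashes: {apk path: sha256 hex} computed from APKs pulled off the unit.
    manifest:   {package name: sha256 hex} from the manufacturer's release image.
    Returns sorted (package, path, reason) tuples for every mismatch.
    """
    findings = []
    for name, path in parse_pm_list(pm_output).items():
        if name not in manifest:
            findings.append((name, path, "not in factory manifest"))
        elif apk_hashes.get(path) != manifest[name]:
            findings.append((name, path, "hash differs from factory manifest"))
    return sorted(findings)

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

# Constructed sample data (hypothetical package names and APK contents).
FACTORY_APKS = {"com.example.dialer": b"dialer-v1", "com.example.clock": b"clock-v1"}
MANIFEST = {name: sha256_hex(blob) for name, blob in FACTORY_APKS.items()}
PM_OUTPUT = """\
package:/system/app/Dialer.apk=com.example.dialer
package:/system/app/Clock.apk=com.example.clock
package:/system/app/Ringtones.apk=com.example.ringtones
"""
DEVICE_HASHES = {
    "/system/app/Dialer.apk": sha256_hex(b"dialer-v1"),
    "/system/app/Clock.apk": sha256_hex(b"clock-v1-modified"),
    "/system/app/Ringtones.apk": sha256_hex(b"ringtones"),
}

if __name__ == "__main__":
    for finding in audit_system_apps(PM_OUTPUT, DEVICE_HASHES, MANIFEST):
        print(finding)
```

Any finding means the unit on the shelf no longer matches what left the factory, which is the condition Linden attributes to tampering somewhere in the distribution process.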

The manufacturers impacted by the DeathRing malware were contacted but have not responded, Linden said.

Lookout recommends consumers in the impacted regions check their phone bills for any suspicious charges.

“Having something like this sit quietly on your phone is never the optimal situation for a victim,” Linden said. “A victim can take action to return the phone or demand a refund if they know their device has been infected with DeathRing. To us, knowledge is power.”
