Researchers at mobile security firm Lookout say they have found malware pre-loaded on mobile devices being sold in Asia and Africa.
The malware is known as ‘DeathRing’, and masquerades as a ringtone app. In actuality, however, the malware is capable of downloading SMS and WAP (Wireless Application Protocol) content from its command and control server to the victim’s phone to perform malicious activity.
The researchers spotted the malware in the system directory of a number of devices from third-tier manufacturers selling phones to the developing world. A detailed list of the impacted devices can be found here, and includes: Gionee Gpad G1, Hi-Tech Amaze Tab and Haier H7.
“This is the number one malware threat we’ve detected since June 2014 for Indonesia, Nigeria, Tanzania, and Kenya,” said Jeremy Linden, senior security product manager at Lookout. “It is number two for Uganda. It is number five for Vietnam. It is a localized threat, but not insignificant if you happen to live in those countries.”
“We saw DeathRing in the system partition of the phone – an area of the phone not otherwise accessed by consumers or retailers,” he said. “It suggests to us that an attacker was somewhere in the distribution process flashing this malware onto the phones before it ever reached the retailers.”
According to Lookout, DeathRing may use SMS content to phish a victim’s personal information via fake text messages requesting the desired data. It may also use WAP or browser content to get victims to download further APKs (Android application packages). The malware is activated in two ways: it will start if the phone is powered down and rebooted five times, and it will start if the victim has been away and present at the device at least 50 times.
Earlier this year, Lookout detected another pre-loaded piece of malware called Mouabad. Like DeathRing, Mouabad is believed to have also been pre-installed somewhere in the supply chain and affected predominantly Asian countries. There were also some detections of Mouabad in Spain.
These types of supply chain attacks are relatively rare in a global sense, Linden said.
“You can consider this, in some ways, a more targeted attack in that it occurs in specific manufacturing chains and is aimed at specific phones,” he said. “However, this is not insignificant for the regions it targets.”
“Really, it comes down to auditing your supply chain regularly,” he added. “They could also run better quality control programs and perhaps even purchase the devices from the end retailers and see if they match quality standards.”
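One way to carry out the retail-device check described above is to compare the system-partition packages on a purchased handset against the manufacturer's factory image. The Python below is an added example, not code from Lookout or from this article; it assumes input in the format of Android's `pm list packages -s -f` and a baseline of APK paths and SHA-256 hashes taken from the factory image, and every package name, path and hash in it is constructed.

```python
# Added example: audit a retail device's system packages against a factory baseline.
# Constructed sample data; names, paths and hashes are illustrative only.
BASELINE = {  # golden image: package -> (apk path, sha256)
    "com.android.phone": ("/system/priv-app/Phone/Phone.apk", "a" * 64),
    "com.android.settings": ("/system/priv-app/Settings/Settings.apk", "b" * 64),
}
RETAIL_PM_OUTPUT = """\
package:/system/priv-app/Phone/Phone.apk=com.android.phone
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/app/Ringtone/Ringtone.apk=com.example.ringtone
"""
RETAIL_HASHES = {  # path -> sha256 of the APK pulled from the retail device
    "/system/priv-app/Phone/Phone.apk": "a" * 64,
    "/system/priv-app/Settings/Settings.apk": "c" * 64,
    "/system/app/Ringtone/Ringtone.apk": "d" * 64,
}

def parse_pm_list(text):
    """Parse lines of the form package:<apk path>=<package name>."""
    pkgs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        # Split on the LAST '=': APK paths can themselves contain '='.
        path, sep, name = line[len("package:"):].rpartition("=")
        if sep and name:
            pkgs[name] = path
    return pkgs

def audit(baseline, device_pkgs, device_hashes):
    """Return sorted (finding, package, path) tuples for every deviation."""
    findings = []
    for name, path in device_pkgs.items():
        if name not in baseline:
            findings.append(("UNEXPECTED", name, path))  # not in factory image
            continue
        exp_path, exp_hash = baseline[name]
        if path != exp_path:
            findings.append(("MOVED", name, path))
        elif device_hashes.get(path) != exp_hash:
            findings.append(("MODIFIED", name, path))  # same name, different APK
    for name in baseline.keys() - device_pkgs.keys():
        findings.append(("MISSING", name, baseline[name][0]))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(BASELINE, parse_pm_list(RETAIL_PM_OUTPUT), RETAIL_HASHES):
        print(*finding)
```

An UNEXPECTED or MODIFIED entry under the system partition is the kind of deviation that a device flashed somewhere in the distribution chain would show relative to the factory image.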
The manufacturers impacted by the DeathRing malware were contacted but have not responded, Linden said.
Lookout recommends consumers in the impacted regions check their phone bills for any suspicious charges.
“Having something like this sit quietly on your phone is never the optimal situation for a victim,” Linden said. “A victim can take action to return the phone or demand a refund if they know their device has been infected with DeathRing. To us, knowledge is power.”