Android ‘DeathRing’ malware being pre-loaded on cheap smartphones


Chinese supply chain under suspicion yet again

By John E Dunn | Techworld | Published: 13:06, 04 December 2014

For the second time in a year, Chinese-made Android smartphones have been discovered pre-flashed with malware, this time a Trojan that security firm Lookout Mobile has ominously dubbed ‘DeathRing’.

On infected handsets, DeathRing pretends to be a ringtone app but can be used to download other malware, communicating with its command and control via SMS or even the ancient WAP. It activates once the device has been rebooted five times or, in other cases, once the device has been accessed 50 times by its owner from the homescreen.

By today’s ambitious mobile malware standards, DeathRing is pretty low-rent. The cheap clone handsets on which it was found – including models from Gionee, Polytron, Karbonn, Hi-Tech, Jiayu, Haier, TECNO, and GPAD – aren’t sold to consumers beyond Asia and Africa, so the threat is non-existent in the UK and US.

That might also explain the use of WAP, a defunct technology elsewhere. According to Lookout, the countries affected are Vietnam, Indonesia, India, Nigeria, Taiwan, and China.

The wider significance is that the issue of malware loaded on to devices as a part of factory or supply chain firmware flashing seems to be getting slowly worse. Earlier this year, Lookout reported another Trojan called Mouabad which used an identical method to get itself on to factory-fresh handsets.

In a separate attack, security firm Marble Security discovered a fake Russian-made version of Netflix that had been pre-installed on Android devices.

Could higher-end Android handsets be affected by this sort of attack in the near future?

“It’s theoretically definitely possible, but for the time being unlikely. This is because many manufacturers of the higher-tier devices generally found in Western countries have more stringent regulation over their supply chains and better quality control programs,” said Lookout’s Jeremy Linden.

“However, like all malware, where the money is, the malware technology follows. If authors find this distribution method to be lucrative, they may evolve to attack the bigger fish.”

For the user, it’s not a case of detecting and removing these Trojans. Loaded as part of the firmware image (older versions of Android), they can’t be removed manually without re-flashing the operating system.

According to Lookout, detection rates have been in the “tens of thousands”, which suggests that the issue affects only some handsets.