
Behind the scenes of a crime: Can smartphones get factory infected?

About the CheckPoint Study

Digital security company CheckPoint reported the results of a study in which it found 38 spyware-infected devices at two different clients. In both situations, the malware had been preinstalled on the device at some point in the supply chain. In other words, a malicious insider installed malicious software on the smartphones somewhere between the time the phone left the factory and the time it was sold in the store.

Following this logic, the malware in question was not part of the manufacturer's official ROM. In six cases, the malware was installed with administrator privileges (root access). As a result, the new owner of the device cannot remove it simply by restoring the factory data, the famous reset. Instead, it is necessary to flash the official ROM of the device, i.e. reinstall the manufacturer's official software.


Who is responsible for this?

According to the research team, the threats were found on cell phones belonging to two large companies, which unfortunately were not identified. According to the publication, one is a large telecommunications company and the other a multinational technology company.

Most of the malware consisted of adware (e.g. the Loki malware) and data-theft tools. In one case ransomware was found, which could lock the phone with encryption and release it again only on payment. The latter, of course, is the worst of them and could be used to blackmail users in an extortion crime.

Adware: from ad = "advertisement" and software = "program", any computer program that runs automatically and displays a large amount of ads without the permission of the user.

Ransomware: a type of malware that restricts access to the infected system and charges a "ransom" so that access can be reestablished.

Why are Android devices common targets?

As the most widely used mobile platform in the world, Android is an obvious target for digital crime. To give an idea, according to the site StatCounter, which monitors worldwide web traffic for browser and operating system usage statistics, Google's platform is close to overtaking Windows in the percentage of connected devices. The company's latest report shows that 37.4% of online devices use the Android system, compared to 38.6% for Windows.


In addition, the number of handsets running Google's operating system is immense, and the number of manufacturers is much larger than, for example, the number of handsets running Apple's iOS platform.

[Figure: Worldwide operating system market share, Android 2012 to 2017 / StatCounter]

In addition, the automated review process for applications submitted to Google's Play Store opens the door for malicious developers to cheat the system and upload malicious apps to the store, because the selection is done by computer rather than by human reviewers.

Running an older version of Android increases the vulnerability of the system. Google offers updates containing monthly security patches, but only for devices running Android 4.4 or higher:

"When a high or moderate severity security vulnerability is corrected in AOSP, we will notify Android partners of the details of the issue and provide patches for a minimum of three versions of Android. The Android security team currently provides patches for Android versions 4.4 (KitKat), 5.0 (Lollipop), 5.1 (Lollipop MR1) and 6.0 (Marshmallow). This list of supported versions changes with each new version of Android" (Google).

Do not misunderstand: Android is a safe operating system. Because it is an open source project, there are many developers doing ongoing system maintenance. However, the fact that it is very popular and has such enormous fragmentation makes it more vulnerable to attacks of this kind.

List of infected devices covered by this study

Although we do not have the names of the two major companies involved in this scheme, we have at least been given the list of devices that reached customers already infected.

However, it is very important to understand that the list of devices below does not mean that all phones of the listed brands leave the factory with compromised security. According to CheckPoint, some handsets of these models were tampered with on their way to the consumer, and this is not standard for the model.

Interestingly, three days after the publication of this study, Google's Nexus line devices were removed from the list without further explanation. Was the removal due to a mistake in the initial analysis of the devices? Was it removed at Google's request? So far, I have not been able to confirm this with the team that conducted the research.

Espionage: A Problem of Modern Society

The result of this research raises concerns about the safety of mobile devices; however, espionage and the use of data collection technologies for the purpose of extortion are broader concerns of modern society.

Recently, the Wikileaks website published what it called "the largest leak of documents in CIA history," referring to the US intelligence agency. According to the organization, the 8,761 "Vault 7" documents contain hundreds of thousands of lines of code that allow the agency to spy on smartphones running Android, iOS and Windows.

In other words, CIA agents are introducing malware to gain access to a smartphone's microphone, for example, even when the phone is turned off, allowing agency hackers to listen in on thousands of conversations around the globe.

Finally, with specific knowledge and access, it is possible to intercept the distribution of a device, whether by the CIA or by a specialized extortion gang, and corrupt the system to the point where the attacker has control of it. This happened in the past when Chinese manufacturer Xiaomi was accused of sending data from its smartphone users to China.

Opinion by Camila Rinaldi


At the time, the Redmi Note was continually trying to connect to an Internet Protocol (IP) address in Beijing. The device kept trying to make the connection even after the cloud service was turned off. Worse than that, even after reinstalling the new official version of Android, the problem persisted. Xiaomi denies any involvement in this case.

In the same year, researchers at G Data, the German cybersecurity company, found that the Chinese smartphone Generic Star N9500 had the same problem. The device came with the spyware program Uupay.D pre-installed, which was stealing data and sending it to an IP address in China.

As with the Xiaomi smartphone, the spy program on the Star N9500 could not be removed with a factory reset. This N9500 security breach allowed an attacker to listen in on phone calls, gain access to e-mails and text messages, and remotely control the handset's microphone and camera. Any resemblance to Wikileaks' Vault 7 is no coincidence.

How to tell if your smartphone arrived infected from the store

Of course, the first reaction of a user faced with such news is to ask whether their own smartphone might be infected. But once again, keep in mind that if your device appears in the list above, it does not mean that it came out of the box with compromised security.

I contacted Oren Koriat of the CheckPoint research team, but I had not received any more information about this study by the time this article was published. However, in the post on the research firm's website, there are some general tips for users to follow in these cases:

  • Avoid buying smartphones from stores you don't know or that have a bad reputation among users;
  • Before buying a phone from a small dealer, ask to examine the device. Turn on the device, browse the web a bit, connect to Wi-Fi, and so on. If you see ads as soon as you unlock the phone screen, or full-screen ads popping up at random, do not buy the device;
  • Avoid downloading apps from alternative and unreliable stores;
  • Keep the device software up to date and with the appropriate security patches.
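The distinction the article draws, between malware sitting in user space (removed by a factory reset) and malware installed with root access into the system partition (survives a reset, needs a ROM flash), can be checked on a device with USB debugging enabled by inventorying installed packages. The following script is an added example written for this article; it is not CheckPoint's tool or any vendor's code. It parses the output format of `adb shell pm list packages -f` (one `package:<apk path>=<package name>` line per app), classifies each package by partition, and flags anything living on a system partition that is missing from a baseline. The baseline set, the package names and the sample output below are all constructed for the example; a real baseline would be taken from a known-clean unit of the same model and firmware build.

```python
"""Flag packages on Android system partitions that a known-clean baseline does not contain.

Input format is what `adb shell pm list packages -f` prints, e.g.
    package:/system/app/Chrome/Chrome.apk=com.android.chrome
Packages under /data are user-installed and disappear on a factory reset;
packages under /system, /vendor, /product or /oem survive a reset, so an
unexpected entry there is the pattern the article describes.
"""
from typing import Dict, List, Tuple

# Constructed sample output (not from a real device) in the `pm list packages -f` format.
SAMPLE_PM_OUTPUT = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/app/Chrome/Chrome.apk=com.android.chrome
package:/system/priv-app/SysUpdateSvc/SysUpdateSvc.apk=com.example.sysupdate
package:/data/app/com.example.weather-1/base.apk=com.example.weather
package:/vendor/app/CameraHal/CameraHal.apk=com.vendor.camerahal
"""

# Hypothetical baseline: package names expected on system partitions for this
# model/firmware, captured from a known-clean unit. Constructed for the example.
VENDOR_BASELINE = {
    "com.android.settings",
    "com.android.chrome",
    "com.vendor.camerahal",
}

# Partitions whose contents survive a factory reset.
SYSTEM_PARTITIONS = ("/system/", "/vendor/", "/product/", "/oem/")


def parse_pm_list(text: str) -> Dict[str, str]:
    """Map package name -> APK path from `pm list packages -f` output.

    Lines that do not start with `package:` (adb banners, blank lines) are skipped.
    The split is on the last '=' because the path part may itself contain '='.
    """
    inventory: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("package:"):
            continue
        path, sep, pkg = line[len("package:"):].rpartition("=")
        if not sep or not pkg:
            continue  # malformed line; ignore rather than guess
        inventory[pkg] = path
    return inventory


def is_system_partition(apk_path: str) -> bool:
    """True if the APK lives on a partition that a factory reset does not touch."""
    return apk_path.startswith(SYSTEM_PARTITIONS)


def find_unexpected_system_packages(
    inventory: Dict[str, str], baseline: set
) -> List[Tuple[str, str]]:
    """Return (package, path) pairs on system partitions that the baseline lacks.

    User-partition packages are deliberately not reported here: they may be
    unwanted, but a factory reset removes them, which is not the case studied.
    """
    findings = [
        (pkg, path)
        for pkg, path in inventory.items()
        if is_system_partition(path) and pkg not in baseline
    ]
    return sorted(findings)


def report(text: str, baseline: set) -> List[str]:
    """Human-readable lines for each finding; empty list means nothing unexpected."""
    inventory = parse_pm_list(text)
    return [
        f"UNEXPECTED on reset-resistant partition: {pkg} ({path})"
        for pkg, path in find_unexpected_system_packages(inventory, baseline)
    ]


if __name__ == "__main__":
    # With a real device: replace SAMPLE_PM_OUTPUT by the text of
    #   adb shell pm list packages -f
    lines = report(SAMPLE_PM_OUTPUT, VENDOR_BASELINE)
    print("\n".join(lines) if lines else "No unexpected system-partition packages found.")
```

A hit from this script is a lead, not a verdict: OEM builds legitimately differ between regions and carriers, so the baseline must come from the same model, region and build number, and anything flagged should be checked against the vendor's published package list before concluding the unit was tampered with.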


What is the most effective measure in these cases?

If you purchased a device and it was delivered infected, be aware that you may not even realize that the device contains malware. In conversation with Nikos Chrysaidos, Head of Mobile Threat Intelligence & Security at Avast, it became clear that an antivirus application is what you need to find out whether your smartphone has pre-installed malware:

"Antivirus is the main and, in some cases, the only way to know if a smartphone is infected with malware. In many cases, and as in this case, malware hides and works in the background, which means, for example, that the phone owner will not see the malware icon in the list of applications operating on the phone. This is, of course, done so that malware designed to collect personal information can remain on the device for as long as possible without being detected."

Can smartphones get factory infected?

Until proven otherwise, smartphones do not get infected at the factory. However, as CheckPoint shows, at some point between the factory and the store that sells the phone, malware can be installed on the device by a third party.

Do you need to worry about it? Perhaps. If you bought the device from stores or manufacturers with little credibility in the market, yes.

Is there a way to check if your device is infected? Yes. If you are concerned or suspicious about the legitimacy of your smartphone software, install an antivirus.

Do you need an antivirus installed on your smartphone to be safe? Not necessarily. If you don't use alternative stores to download apps and don't click buttons in messaging apps promising miraculous discounts, you'll be safe on Android.

And you, are you worried about the outcome of this CheckPoint study?
