About the study released by CheckPoint
The digital security company CheckPoint released the results of a study in which it found 38 devices infected with spyware at two different customers. In both situations, the malware was pre-installed on the device at some unidentified point in the supply chain. In other words, a malicious employee installed malicious software on the smartphones at some point between the time the phone was produced at the factory and the time it was sold in the store.
Following this logic, the malware in question was not part of the manufacturer’s official ROM. In six of the cases, the virus was installed with administrator privileges (root access). As a consequence, the new owner of the device cannot remove the virus simply by restoring factory data, the well-known reset. To do that, it would be necessary to flash the device’s official ROM, that is, to reinstall the manufacturer’s official software.
The threats were found on the phones of two major companies
Who are responsible for this?
According to the team that carried out the research, the threats were found on cell phones of two large companies, which unfortunately were not identified. According to the publication, one of them is a “large telecommunications company” and the other a “multinational technology company”.
Most of the malware consisted of adware (e.g., the Loki malware) and data-theft tools. In one case, ransomware was found, which could lock the phone with encryption and only release it again upon payment. The latter, of course, is the worst of them and could be used to blackmail users in extortion crimes.
| Adware | Ransomware |
|---|---|
| From the English ad («advertisement») and software («program»): any computer program that runs automatically and displays a large number of ads without the user’s permission. | A type of malware that restricts access to the infected system and demands a «ransom» payment so that access can be re-established. |
Why are Android devices common targets?
As the most widely used mobile platform in the world, Android is an obvious target for digital crime. To get an idea of its scale: according to the website StatCounter, which monitors worldwide web traffic to obtain usage statistics for browsers and operating systems, the Google platform is close to surpassing Windows in its share of connected devices. The company’s latest report shows that 37.4% of online devices use the Android system, against 38.6% for Windows.
Android is a secure operating system
In addition, the number of devices running Google’s operating system is immense, and the number of manufacturers is far greater than for devices running iOS, Apple’s platform, for example.
Furthermore, the way applications hosted on the Google Play store are reviewed leaves openings for malicious developers to trick the system and upload malicious applications to the store, since the screening process is automated.
The fact that older versions of Android are still in use increases the system’s vulnerability. Google offers updates containing monthly security patches, but only for devices running Android 4.4 or higher:
«When a high or moderate severity security vulnerability is fixed in AOSP, we will notify Android partners of the details of the problem and provide patches for a minimum of the latest three versions of Android. The Android security team currently provides patches for Android 4.4 (KitKat), 5.0 (Lollipop), 5.1 (Lollipop MR1) and 6.0 (Marshmallow). This list of supported versions changes with each new version of Android», Google.
Don’t get it wrong: Android is a safe operating system. Because it is an open source project, there are many developers doing continuous maintenance of the system. However, the fact that it is very popular and extremely fragmented makes it more vulnerable to attacks of this kind.
List of infected devices and targets of this research
Although we do not have the names of the two major cell phone companies involved in this scheme, we were at least given the list of devices that have already reached customers in an infected state.
However, it is very important to understand that the presence of a device on the list below does not mean that all cell phones of the listed brands leave the factory with compromised security. According to CheckPoint, some units of these models were tampered with on their way to the consumer, which is not standard for smartphones.
The curious thing is that, three days after the publication of this study, Google’s Nexus line devices were removed from the list without further explanation. Was the removal due to an error in the initial analysis of the devices? Was it done at Google’s request? In any case, I have so far been unable to confirm this with the team that carried out the research.
Espionage: a problem in modern society
The result of this research raises concerns about the security of mobile devices; more broadly, espionage and the use of technology to collect data for the purpose of extortion are concerns of modern society.
Recently, Wikileaks published what it called «the biggest document leak in the history of the CIA», the US intelligence agency. According to the organization, the 8,761 «Vault 7» documents contain «hundreds of thousands of lines of programming code» that allow the agency to spy on smartphones running Android, iOS and Windows.
In other words, CIA agents are introducing viruses to gain access to a smartphone’s microphone, for example, even when the phone is turned off, allowing the agency’s hackers to listen in on thousands of conversations around the globe.
Finally, with specific knowledge and access, whether by the CIA or by a gang specializing in extortion, it is possible to intercept a device during distribution and corrupt its system to the point of taking control of it. This happened in the past, when the Chinese manufacturer Xiaomi was accused of sending its smartphone users’ data to China.
Opinion by Camila Rinaldi
At the time, the Redmi Note was continually trying to connect to an IP (Internet Protocol) address in Beijing. The device kept attempting the connection even after the cloud service was turned off. Worse still, the problem persisted even after reinstalling a fresh, official version of Android. Xiaomi denies any involvement in this case.
In the same year, researchers at G Data, a cybersecurity company in Germany, found that the Chinese smartphone Generic Star N9500 had the same problem. The device came with the spyware program Uupay.D preinstalled, which was stealing data and sending it to an IP address in China.
As with the Xiaomi smartphone, the spy program on the Star N9500 could not be removed with a factory reset. This security hole in the N9500 allowed an attacker to listen to phone calls, access emails and text messages, and remotely control the device’s microphone and camera. Any resemblance to Wikileaks’ Vault 7 is no coincidence.
How to know if your smartphone arrived infected from the store
Of course, a user’s first reaction when faced with this type of news is to wonder whether their own smartphone might be infected. However, once again, keep in mind that if your device appears among the names in the list above, it does not mean that it left the factory with compromised security.
I contacted Oren Koriat, from the CheckPoint research team, but had not obtained any further information about this study by the time this article was published. However, the publication on the research company’s website offers some general tips for users to follow in these cases:
- Avoid buying smartphones from stores that you do not know or that do not have a good reputation among users.
- Before purchasing a phone from a small retailer, ask to examine the device. Turn it on, browse the web a bit, connect to the Wi-Fi network, and so on. If you see ads as soon as you unlock the phone screen, or even full-screen ads appearing at random, don’t buy the device.
- Avoid downloading applications from alternative and unreliable stores.
- Keep the device software up to date and with the appropriate security patches.
What is the most effective measure in these cases?
If you purchased a device and it was delivered infected, know that you may not even realize that it contains malware. In conversation with Nikos Chrysaidos, Head of Mobile Threat Intelligence & Security at Avast, he explained that an antivirus application is what you need to find out whether your smartphone has pre-installed malware:
«Antivirus is the main and, in some cases, the only way to know if a smartphone is infected with malware. In many cases, and as in this case, the malware hides and works in the background, which means, for example, that the phone owner will not see the malware icon in the list of applications operating on the phone. This, of course, is done so that malware designed to collect personal information can remain on the device for as long as possible, undetected.»
Can smartphones arrive infected at the factory?
Until proven otherwise, no, smartphones cannot be infected at the factory. However, as CheckPoint verified, between the time the phone is produced at the factory and the time it is sold in the store, malware can be installed on the device by a third party.
Do you need to worry about that? Perhaps. If you bought the device from stores or manufacturers with little credibility in the market, yes.
Is there a way to check whether your device is infected? Yes. If you are concerned or suspicious about the legitimacy of your smartphone’s software, install an antivirus.
Do you need an antivirus installed on your smartphone to be safe? Not necessarily. If you don’t use alternative stores to download apps and don’t click buttons promising miraculous discounts in messaging apps, you’re safe on Android.
So, do you worry about the result of this CheckPoint study?