Trojans capable of installing additional malware are currently affecting the stock firmware of at least 26 Android smartphone models.
Russian anti-malware company Dr Web found that the Pixus Touch 7.85 3G, the Marshal ME-711, and more than 20 other smartphones for Android currently ship with stock firmware that is infected with malware.
Android.DownLoader.473.origin is one of those trojans. It’s a downloader program that starts up every time an affected device turns on, monitors the Wi-Fi signal, and communicates with its command-and-control (C&C) server in order to load up additional malware like Adware.AdBox.1.origin.
Doctor Web provides some insight on this secondary threat in a blog post:
“Once installed, it displays a small box image on top of running applications. The image cannot be removed from the screen. It is a shortcut clicking on which opens a catalog integrated into Adware.AdBox.1.origin. In addition, the Trojan shows advertisements.”
Showing advertisements, you say? Sounds a lot like some of the other Android trojans Dr Web’s researchers have come across.
Even so, Adware.AdBox.1.origin is more persistent than other types of malware. That’s because Android.DownLoader.473.origin will download and reinstall Adware.AdBox.1.origin whenever the user deletes it, so removing the adware alone does not clean the device.
Android.DownLoader.473.origin isn’t the only downloader trojan affecting these smartphones. Doctor Web also detected Android.Sprovider.7 embedded in the stock firmware of Lenovo A319 and Lenovo A6000. This malware loads up Android.Sprovider.12.origin, a payload which is capable of downloading APKs and displaying advertisements.
Both of those capabilities help generate income for the attackers. As Dr Web explains:
“It is known that cybercriminals generate their income by increasing application download statistics and by distributing advertising software. Therefore, Android.DownLoader.473.origin and Android.Sprovider.7 were incorporated into Android firmware because dishonest outsourcers who took part in creation of Android system images decided to make money on users.”
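As an added defender-side example (not code from Dr Web, Lenovo or the article's author), the Python triage script below scans text in the shape of `adb shell dumpsys package` output for firmware-partition packages that combine the capabilities described above: starting at boot, watching the network or Wi-Fi, and installing packages. The sample input and package names are constructed placeholders, and a match is a lead for manual inspection rather than proof of infection.

```python
import re
# Capability profile of the downloader described above (real Android permissions).
PFX = "android.permission."
BOOT = PFX + "RECEIVE_BOOT_COMPLETED"
NET = {PFX + s for s in ("INTERNET", "ACCESS_WIFI_STATE", "ACCESS_NETWORK_STATE")}
INSTALL = {PFX + s for s in ("INSTALL_PACKAGES", "REQUEST_INSTALL_PACKAGES")}

def parse_dumpsys(text):
    """Map package name -> {"path", "perms"} from dumpsys-style text."""
    pkgs, cur = {}, None
    for line in text.splitlines():
        head = re.match(r"\s*Package \[([\w.]+)\]", line)
        if head:
            cur = head.group(1)
            pkgs[cur] = {"path": "", "perms": set()}
        elif cur and line.strip().startswith("codePath="):
            pkgs[cur]["path"] = line.split("=", 1)[1].strip()
        elif cur and line.strip().startswith(PFX):  # also handles "perm: granted=true"
            pkgs[cur]["perms"].add(line.split(":")[0].strip())
    return pkgs

def suspicious_system_apps(text):
    """Firmware-partition packages combining boot, network and install rights."""
    hits = []
    for name, info in parse_dumpsys(text).items():
        p = info["perms"]
        on_firmware = info["path"].startswith(("/system/", "/vendor/"))
        if on_firmware and BOOT in p and p & NET and p & INSTALL:
            hits.append(name)
    return sorted(hits)

# Constructed sample in the shape of `adb shell dumpsys package` output.
SAMPLE = """\
Package [com.example.launcher] (1a2b3c):
    codePath=/system/priv-app/Launcher
    requested permissions:
      android.permission.INTERNET
Package [com.example.updater] (4d5e6f):
    codePath=/system/app/Updater
    requested permissions:
      android.permission.RECEIVE_BOOT_COMPLETED
      android.permission.ACCESS_WIFI_STATE
      android.permission.INSTALL_PACKAGES
Package [com.example.game] (7a8b9c):
    codePath=/data/app/com.example.game-1
    requested permissions:
      android.permission.RECEIVE_BOOT_COMPLETED
      android.permission.INTERNET
      android.permission.REQUEST_INSTALL_PACKAGES
"""
```

Run `suspicious_system_apps(SAMPLE)` to get `['com.example.updater']`: the launcher lacks boot and install rights, and the game has the profile but lives on /data, where the user can remove it.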
At this time, users of the following smartphone models identified by Doctor Web should assume they’re affected:
- MegaFon Login 4 LTE
- Irbis TZ85
- Irbis TX97
- Irbis TZ43
- Bravis NB85
- Bravis NB105
- SUPRA M72KG
- SUPRA M729G
- SUPRA V2N10
- Pixus Touch 7.85 3G
- Itell K3300
- General Satellite GS700
- Digma Plane 9.7 3G
- Nomi C07000
- Prestigio MultiPad Wize 3021 3G
- Prestigio MultiPad PMT5001 3G
- Optima 10.1 3G TT1040MG
- Marshal ME-711
- 7 MID
- Explay Imperium 8
- Perfeo 9032_3G
- Ritmix RMD-1121
- Oysters T72HM 3G
- Irbis tz70
- Irbis tz56
- Jeka JK103
I would recommend that customers contact their device manufacturer’s technical support specialists as soon as possible. Most of those companies are working on a fix at the Russian anti-virus company’s prompting, but they might have some mitigation steps users can implement while they await clean firmware.
Graham,
I read that two Lenovo phones were part of this mix. Is this no longer the case?
• Lenovo A319
• Lenovo A6000
http://arstechnica.com/security/2016/12/covert-downloaders-found-preinstalled-on-dozens-of-low-cost-android-phone-models/?comments=1
The list we have came direct from the horse's mouth (Dr Web) who don't mention Lenovo. http://news.drweb.com/show/?i=10345&lng=en
BTW, to give credit where due, David Bisson wrote the article rather than me. :)
Weird. I wonder where Ars got that info then. Thank you for the reply though!
Actually, Doctor Web does mention Lenovo by name:
"Another Trojan found on the devices Lenovo A319 and Lenovo A6000 was named Android.Sprovider.7. The Trojan is incorporated into the application Rambla which provides access to the Android software catalog named the same."
I haven't seen anything from Lenovo addressing these issues. Please consider contacting Lenovo's tech support for more info.
May be wrong but I don't think I've heard of any of those phones in the UK
I strongly suspect the OEMs knew full well that this malware was part of the firmware. These are likely the cheapest phones going to third world nations, and a fix will never arrive. This is a growing trend, and even Sprint tried something similar here in the US a few years back with their Sprintzone app, which I wrote about at Android Central forums. Look for "Sprintzone adware" in search for more links.
http://forums.androidcentral.com/sprint/462256-sprint-zone-pushes-adware-latest-update.html
Every OEM and ISP service provider has their own installer apps installed on every phone they make, or provide internet service for. They all want a piece of the advertising pie, and so some are resorting to third party add-ons apparently. Even reputable companies have been trying varying ways to make more money, like all the apps pre-installed on flagship phones that can't be disabled or uninstalled. For instance, the HTC M9 came with the Lookout Security app installed that way, until a later update to the system. I highly suspect Sprint was responsible for that one, but it's getting out of hand. I can understand somewhat OEMs needing the additional revenue, but my service provider should not be competing to spam me with ads and pre-installing apps. But AT&T, Verizon, and others are even worse in the spyware department. So, the fight is on, constantly.