Pre-Installed Android Malware Raises Security Risks In Supply Chain

Rogue retailers are unpacking phones made in China, installing malware and then selling the infected phones on the open market, security firm G DATA stated in a report released Sept. 1.

The scheme involves infecting mainly local brands of Android phones—such as Alps, Xiaomi and even a line of devices known as “NoName”—but also it affects phones from well-known international brands such as Huawei and Lenovo.

Eastern risk?

While some compromised phones have been discovered as far away as Europe, the devices were mainly sold through Chinese retailers, likely street vendors in urban areas of China, according to G DATA’s report.

The incidents, which involve nearly two dozen brands of phones, underscore the current difficulties in securing technology as it moves through the supply chain to its destination.

“This happens before the user ever gets the phone,” Andy Hayter, security evangelist with G DATA, told eWEEK. “We checked with some of the manufacturers and they are telling us that it is not happening on their end of the supply chain.”

The incidents underscore the dangers of untrusted supply chains. Companies and government agencies have grown worried about the security of the supply chain—the flow of goods from manufacturer to retailer to consumers.

In 2013, classified documents leaked by former contractor Edward Snowden showed that the U.S. National Security Agency and other national intelligence agencies have regularly infiltrated supply chains feeding technology to countries of interest to compromise devices that act as electronic moles, according to the documents. Devices from Cisco, Dell and other manufacturers, for example, have all been modified in transit to their destination to include implants to enable NSA monitoring.

Worrying

Recent events demonstrate that even rank-and-file consumers have to worry about the provenance of their devices and the software being installed by retailers and manufacturers. In February, for example, Lenovo shipped its customers’ personal computers pre-loaded with well-known adware known as Superfish.

In June, smartphone maker Samsung gave in to consumer pressure and agreed to allow users to disable pre-installed applications, many of which slowed down the systems and collected data on the users.

As mobile devices and the Internet of things (IoT) become more common, solving supply-chain security issues will become even more urgent, Theodora Titonis, vice president of software-security firm Veracode, told eWEEK.

“You are seeing all these means of inserting these security threats into the holes in the software supply chain,” she said. “Everything is moving so quickly and there are all these holes, so it makes securing the device that much harder.”

Under threat

In the latest scheme detected by G DATA, the rogue retailers apparently opened boxes of new Android phones and upgraded the firmware with a malicious version of a standard program—in this case, Facebook’s mobile app.

The Trojan application collects information and can take a variety of privacy-invading actions. These include leaking the phone’s location, “listening to and recording telephone calls or conversations, making purchases, bank fraud or sending premium SMS messages,” G DATA stated.

The result? Potentially stolen data and a large phone bill for the user; additional profits for the operator behind the malicious code.

G DATA recognized the first infections in Android mobile phones early last year. Since then, the number of incidents has increased, Hayter said.

While the problems mainly affect China, a small number of phones have appeared in Europe. Some compromised devices have been sold online through eBay and other auction sites, Hayter said.

Businesses need to worry about pre-loaded malware and potentially unwanted programs (PUPs) because such software can bypass the security checks on the phone. For consumers, the issue poses privacy problems. The operator controlling the malware can make additional cash by forcing advertising to show up on the phone and selling information about the user.

While security technology can detect malware on a phone, some surveillance programs can sneak by such defenses.

Earlier this year, documents leaked by the offensive-security firm Hacking Team revealed that the company had extensive tools for compromising mobile devices with programs designed to collect information on the user and their communications. While security firms had some ability to detect the programs, Hacking Team found ways to evade detection.

For many users, that means the first line of defense is to verify the security of the retailers from whom you or your company buys mobile technology, says Hayter. A trusted and vetted supply chain will not guarantee security, but it at least assures users and companies that the provider takes cyber-security seriously.

“Go through a trusted provider, not the street corner,” Hayter said.

Issues, such as bloatware, may be more minor, but still represent a failure to secure the supply chain, Veracode’s Titonis said. By installing bloatware on their products, the manufacturer shows they are willing to work against their customers’ interest to turn a more significant profit by trading consumers’ privacy for a little more revenue.

Such tactics leave consumers vulnerable to third-party applications that the device manufacturer has likely not vetted very well.”

I don’t know how many people ask me, after they buy a phone, how to get rid of bloatware,” Titonis said. “And that’s the stuff the consumer can see, but there is a lot more that they can’t see.”

With an estimated 50 billion devices connected to the Internet by 2020, making sure that those devices are secured from the manufacturer to the consumer is important. Equally important is making sure that manufacturers are not putting distrusted software on the devices, risking consumers’ privacy.

Are you a security pro? Try our quiz!

Originally published on eWeek.