Thursday 1 October 09:30 - 10:00, Green room
Alexander Burris (G Data Software)
Since the discovery of pre-installed malware on the Android smartphone N9500 in spring 2014, we have spent quite a bit of time investigating further. In the process we have uncovered more and more smartphone models with pre-installed malware. But where does the malware come from and who is installing it? We are certain that the manufacturers are not the perpetrators in the majority of cases. Renowned companies like Huawei, Lenovo and Xiaomi will not risk their reputation by putting these apps on their devices; nonetheless, we found malware on some of them. We suspect that third parties in the supply chain are to blame. They either manipulate the devices or try to sell rip-offs. In addition to the revenue gained from selling the device, they try to make additional financial gains from stolen user data and enforced advertising.
A common method used to compromise a device is to piggyback on a legitimate app which the victim is likely to use a lot, so the user doesn't second-guess the fact that the app is running in the background at all times. Often popular apps such as the Facebook or Twitter app are used. All of their original functions are still present in the manipulated version. Some users complained about apps which were installed overnight without their knowledge or consent, but all too often the hidden activities go unnoticed. The secret add-on functions are diverse. In many cases, the app can access the Internet, read and send text messages, install apps, as well as access, store and manipulate call data. In addition, they have the ability to access information about the device, to access the contact list, obtain location data and monitor app updates. These permissions enable extensive misuse. The seemingly unlimited possibilities include, but are not limited to, location detection, eavesdropping on and recording of telephone calls or conversations, making purchases, performing bank fraud or sending premium rate text messages. Any subsequently installed apps come from several different third-party markets, which we also took a look at. Of the first 7,000 apps we downloaded and scanned, over 20% were detected as malicious.
Uninstalling this pre-installed malware is often not possible. Even a 'factory data reset' does not help. We advise affected users to contact the manufacturer of the device.
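The two indicators described above (a trojanised copy of a popular app whose permissions go far beyond the genuine one, shipped in the system partition where a factory reset cannot reach it) can be turned into a simple triage over a device's package inventory. The following is an added example, not code from the talk or from G Data; the package names and certificate digests are constructed placeholders, and the inventory is assumed to have been collected beforehand (for instance from `adb shell pm list packages -f` plus the APK signing certificates).

```python
from dataclasses import dataclass, field

# Permission cluster the abstract attributes to the hidden add-on functions:
# Internet, read/send SMS, install apps, call data, device info, contacts, location.
SUSPECT_PERMISSIONS = {
    "android.permission.INTERNET", "android.permission.READ_SMS",
    "android.permission.SEND_SMS", "android.permission.INSTALL_PACKAGES",
    "android.permission.READ_CALL_LOG", "android.permission.WRITE_CALL_LOG",
    "android.permission.READ_PHONE_STATE", "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
}

@dataclass
class Package:
    name: str
    apk_path: str            # as printed by `adb shell pm list packages -f`
    signer_sha256: str       # hex SHA-256 of the APK signing certificate
    permissions: set = field(default_factory=set)

def triage(inventory, expected_signers, min_hits=4):
    """Return [(package name, reasons)] for packages matching the indicators."""
    findings = []
    for pkg in inventory:
        reasons = []
        expected = expected_signers.get(pkg.name)
        if expected and pkg.signer_sha256.lower() != expected.lower():
            reasons.append("signing certificate differs from the genuine app")
        hits = pkg.permissions & SUSPECT_PERMISSIONS
        if len(hits) >= min_hits:
            reasons.append(f"{len(hits)} permissions from the SMS/install/call-data cluster")
        if reasons and pkg.apk_path.startswith("/system/"):
            reasons.append("installed in /system: a factory reset will not remove it")
        if reasons:
            findings.append((pkg.name, reasons))
    return findings

# Constructed sample inventory; digests are placeholders, not real certificates.
EXPECTED_SIGNERS = {"com.example.social": "aa" * 32}   # hypothetical popular app
SAMPLE_INVENTORY = [
    Package("com.example.social", "/system/app/Social.apk", "bb" * 32,
            SUSPECT_PERMISSIONS | {"android.permission.CAMERA"}),
    Package("com.example.calc", "/system/app/Calc.apk", "cc" * 32, set()),
    Package("com.example.game", "/data/app/com.example.game-1/base.apk", "dd" * 32,
            {"android.permission.INTERNET"}),
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_INVENTORY, EXPECTED_SIGNERS):
        print(name, "->", "; ".join(reasons))
```

The expected-signer table is the part a practitioner has to maintain: it should hold the certificate digest of the genuine app as published by its vendor or extracted from a trusted install.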
We have found manipulated pre-installed apps to be present on some mobile devices in factory condition. Through extensive feedback from customers, support calls, other security researchers and our own research we were able to identify many more devices with malicious software pre-installed. At the time of writing the overall number of affected devices exceeds 100.