9 December 2014
One of the first things you should do upon buying a new Android smartphone is load up an antivirus utility, to fend off any possibility of malware attack. However, new research by mobile security vendor Lookout reveals that by the time you walk out of the store it may already be too late.
In a recent blog post, Lookout researcher Jeremy Linden described a pernicious Trojan that comes pre-loaded on certain Android phones. Dubbed DeathRing, this Trojan appears to be a harmless ringtone app. However, its command and control center can send SMS and WAP (Wireless Access Protocol) data to the affected phone.
That doesn’t sound quite as bad as intercepting texts or stealing data, but there are plenty of possibilities for mischief. According to Linden, DeathRing could send fake SMS messages phishing for personal information, or use WAP to download additional malware that “extends the adversary’s reach into the victim’s device and data.”
In an attempt to conceal its presence, the Trojan doesn’t go into action right away. It remains dormant until one of two trigger events occurs. Powering the phone all the way off and on again five times is one trigger. If you’re not big on powering off, “the malicious service will start after the victim has been away and present at the device at least fifty times,” meaning you’ve locked and opened it fifty times.
Here’s the good news. If you bought an Android phone made by a well-known vendor, you’re probably safe. The only phones that Lookout has found with DeathRing pre-loaded are “third-tier manufacturers selling phones to the developing world.” Among the manufacturers affected are Gionee, Haler, Jiayu, Hi-Tech, and Karbonn. Right. I hadn’t heard of them either.
This isn’t the first instance of pre-installed malware. Earlier this year, Lookout reported on another example that they called MouaBad. DeathRing seems most prevalent in Vietnam, Indonesia, India, Nigeria, Taiwan, and China. MouaBad’s spread is also primarily Asian, though researchers found some infections in Spain as well.
If you actually did purchase a phone with malware pre-installed, there’s basically nothing you can do about it. Antivirus products can detect it, but can’t remove it because it’s installed in the phone’s system directory. Lookout’s advice: if your antivirus reports DeathRing’s presence, ask for a refund on the phone. And consider getting a reputable brand next time.
Source – http://securitywatch.pcmag.com/security-software/330164-mobile-threat-monday-deathring-malware-pre-loaded-on-android-smartphones