Pre-loaded malware on new Android phones is on the rise

The danger of having your Android handset come preloaded with malware is rising, especially if you live in Asia and Africa and are on the market for a cheap, low-level phone.

Lookout researchers have discovered another Android Trojan pre-loaded on a number of entry-level phones sold by third-tier manufacturers: counterfeit Samsung GS4/Note II devices, a variety of TECNO and Gionee devices, Polytron Rocket S2350, Hi-Tech Amaze Tab, Karbonn TA-FONE A34/A37, Jiayu G4S – Galaxy S4 clones, Haier H7, and a i9502+ Samsung clone by an unspecified manufacturer.

The Trojan, dubbed DeathRing, pretends to be a ringtone app, and is loaded in the system directory. This, according to the researchers, makes it possible for mobile AV solutions to remove it.

The malware is capable of downloading SMS and WAP content from its C&C server, which can result in the forced download of additional malware, as well as difficult to spot smishing (SMS phishing) attempts against the user.

“The malware is activated in two ways — both dependent on the victim’s use of the phone,” the researchers discovered. “First, the malware will activate if the phone is powered down and rebooted five times. On the fifth reboot, the malware starts. Second, the malicious service will start after the victim has been away and present at the device at least fifty times.”

Currently the most targets reside in Vietnam, Indonesia, India, Nigeria, Taiwan, and China, but it’s unknown where in the supply chain DeathRing is installed.

Since it’s impossible to remove, the researchers advise users to install a mobile security app and check for it (and other pre-installed malware) on a newly bought device. If you find something, you should ideally be able return the device to the seller and ask for a refund.

Lookout researchers pointed out that this is not the first time that malware like this came pre-installed on brand new devices. Earlier this year, some variants of the MouaBad malware were also found pre-loaded on devices sold by retailers in China, India, and the Philippines.

Russian AV company Dr. Web has also recently discovered a Trojan embedded directly in the firmware of numerous inexpensive Android handhelds.

Don't miss