Oysters tablet comes preinstalled with Trojanized Android firmware

“Keeping your mobile device free of malware requires intentional care, but sometimes even that is not enough. As Dr. Web researchers recently pointed out, a device you buy from a manufacturer or one of its resellers can already be compromised.


In this particular instance, the device in question is the Oysters T104 HVi 3G tablet running Android.

Manufactured by Oysters, a leading consumer electronic device producer in Russia, it is sold by virtually every major retail network in Russia, and by German chain MediaMarkt in Europe and Asia.

The researchers have discovered a backdoor Trojan preinstalled on the tablet, hidden in the GoogleQuickSearchBox.apk application – essentially, in the device’s firmware.

The malware, dubbed Android.Backdoor.114.origin, is not new, but this is the first time it is seen hiding in this manner.

It is capable of collecting a bucketload of information about the infected device, including its unique identifier, type (tablet or smartphone), MAC address, OS version, network connection type, list of applications installed, and more, and send it to its C&C server.

More importantly, it can receive commands from that server, and can be instructed to activate the disabled option to install applications from unreliable sources, and to download, install, and remove apps without the user being none the wiser.

The researchers noted that it can be difficult to wipe this kind of malware, and that in order to get rid of it, users usually have to reinstall the OS altogether.

“If a Trojan or any other malicious program is detected in the firmware, it is recommended to contact the device manufacturer in order to get an updated operating system image, because, in most cases, it is impossible to remove such malware using built-in tools (including anti-virus software),” they explained.

But this option is currently not available to users of this particular device – the researchers have notified Oysters about the problem, but the official firmware version offered for download by the company is still the backdoored one.”