Mostly landfill Androids from odd places, but Lenovo makes the list too
More than two dozen cheap Androids have been found to host pre-installed malicious apps capable of downloading persistent adware and making phone calls.
The phones, which include Lenovo’s A6000 and A319, were discovered bearing the pre-installed malicious apps by security researchers with antivirus firm Dr Web.
Dr Web reckons resellers and firms in the supply chain are to blame.
It says there are likely to be many more compromised handsets bearing the apps capable of quietly downloading various trojans from remote servers.
Most of the downloads appear to be adware, a class of malware more irritating than dangerous, other than to the wallets of those who end up paying excess data charges. Mobile adware mostly strikes in China and Russia.
Entire companies have been found pushing advertising malware apps onto devices, ignoring the option to steal passwords and data using the acquired root privileges.
One firm based in Xingdu, China, was this year fingered for slinging the Hummingbad malware and was said to be making $US300,000 a month through some 10 million infected devices.
Dr Web’s researchers described a trojan which activates on boot and connects to its command and control to download configuration files when a WiFi connection is established.
“The file contains information about the application that the trojan should download [and] covertly install,” the researchers said.
“Android.DownLoader.473.origin actively distributes the advertising program H5GameCenter that is detected by Dr.Web as Adware.AdBox.1.origin [which] displays a small box image on top of running applications that cannot be removed from the screen.”
Affected devices include the following handsets:
MegaFon Login 4 LTE
Pixus Touch 7.85 3G
General Satellite GS700
Digma Plane 9.7 3G
Prestigio MultiPad Wize 3021 3G
Prestigio MultiPad PMT5001 3G
Optima 10.1 3G TT1040MG
Explay Imperium 8
Oysters T72HM 3G
The trojan found on Lenovo A319 and A6000 devices, classified as Android.Sprovider.7, is built into the Rambla application, which provides access to an Android software catalog of the same name.
Its unencrypted payload can download and install Android apps, open browser links, call dedicated phone numbers, throw top-of-screen ads, and update its main malware module.
“Android.DownLoader.473.origin and Android.Sprovider.7 were incorporated into Android firmware because dishonest outsourcers who took part in creation of Android system images decided to make money on users,” the researchers say.