Malware from the factory: Android Trojan rents out victim smartphones by the minute

Security researchers warn that criminals are renting out remote access to Android smartphones – they charge by the minute.

Millions of Android smartphones are said to ship with malware installed at the factory. Using various malicious code plug-ins, cyber gangsters can, among other things, enable access to the devices. Trend Micro security researchers warned of this at the Black Hat Asia IT security event.

Delivery including Trojan

In their presentation “Behind the Scenes: How Criminal Enterprises Pre-infect Millions of Mobile Devices”, they warn that criminals are exploiting outsourcing to latch onto supply chains and embed malicious code in firmware. This is particularly dangerous because devices prepared in this way come with malware from the factory. As a rule, victims do not notice the malicious functions during operation.

Based on statements made by cybercriminals, they estimate that around 9 million devices worldwide have already been infected with malware during production. The majority of these are said to be in Southeast Asia and Eastern Europe.

Malicious Code Finds

The security researchers state that their analysis found more than 80 different malware plug-ins in more than a dozen firmware images. However, many of them are said not to be widespread. A business model is said to be built around many of the plug-ins. Advertising for this is said to take place on social media, and there are sales offers on the darknet.

They presented “proxy plugins” as an example of a malicious code plug-in. Criminals are also said to be able to rent out remote access to compromised smartphones by the minute. The malicious code sets up a proxy and uses the device as an exit node, so that keyboard entries for passwords end up with the criminals. They can also set up click-fraud apps and profit from them.

Factory-tampered Android firmware is not new; such incidents already happened back in 2018. Now as then, it is primarily cheap Android smartphones that are affected. The security researchers do not offer any specific security tips. They merely state that buyers of high-end Android smartphones are safer from such manipulations. According to them, Google, Samsung & Co. control their supply chains better. The researchers assume that the threat of manipulated firmware will continue to grow.

