Security firm warns of Trojans shipping with stock firmware. Russian security company Dr. Web, who also makes a PC antivirus solution bearing the same name, warns that it discovered a total of 26 smartphone models running Android and infected with malware that’s injected in the stock firmware they are shipped with.
Most of the models on the list, which you find in full at the end of the article, are smartphones sold on the Russian market and based on the MTK platform, which is a chipset developed by Taiwan-based MediaTek. The list includes phones sold by Prestigio, Irbis, MegaFon, and SUPRA.
The security firm says all these models are shipped with a Trojan called Android.DownLoader.473.origin, which is a downloader that automatically starts when the device is powered on.
Once an Internet connection is detected, the Trojan connects to a C&C server and waits for instructions, while at the same time downloading and installing an application called H5GameCenter. In its turn, this application comes with an aggressive form of adware, which the security company flags as Adware.AdBox.1.origin.
“Once installed, it displays a small box image on top of running applications. The image cannot be removed from the screen. It is a shortcut clicking on which opens a catalog integrated into Adware.AdBox.1.origin. In addition, the Trojan shows advertisements,” the security firm said.
If users attempt to remove the H5GameCenter app from their smartphones, the Trojan automatically downloads and installs it again at a later time, without notifying users.
Lenovo phones also infected
Dr. Web says it also discovered a Trojan on Lenovo A319 and Lenovo A6000, which is part of an application called Rambla and which deploys a software catalog on affected devices.
The Trojan is flagged as Android.Sprovider.7 and makes it possible for attackers to download APK files and install them on target smartphones, make phone calls to specific numbers, show ads, upload infected files, and open malicious links in browsers.
“It is known that cybercriminals generate their income by increasing application download statistics and by distributing advertising software. Therefore, Android.DownLoader.473.origin and Android.Sprovider.7 were incorporated into Android firmware because dishonest outsourcers who took part in creation of Android system images decided to make money on users,” the security firm said.
Android vendors whose devices come with Trojans have already been contacted by the firm and users who purchased one of the smartphones confirmed to come with malware are recommended to contact the manufacturer for support.