On a total of 38 smartphones from different manufacturers, security researchers have discovered preinstalled malware, which has been installed “somewhere” on the distribution channels on the devices. The smartphones include devices from LG, Samsung, Xiaomi and Google, including former high-end devices. It may be a targeted attack against the companies in which the smartphones are deployed. An infection with the manufacturers can be excluded at the present time.
We discovered the malware of Check Point Software Technologies, which describes the incident on their company blog. The company is a specialized service provider, among others. Performs security checks in other companies, checks weak points, and offers appropriate software and hardware. Apparently the two companies with the infected equipment are customers of the company. It is unclear whether it was a routine investigation or whether there was a concrete initial suspicion for the investigation.
The detected malware was definitely not part of the official firmware installed by the smartphone manufacturers on the devices. Rather, the smartphones were apparently later manipulated somewhere along the supply chain, and equipped with the appropriate malware. In a total of six cases the malware was installed with extensive system permissions so that a complete flash of the smartphones and a new installation of the system was necessary for removal.
Most of the malicious programs were software, which collected all the information about the device, its user and its behavior and transmitted it to third parties. Some of the programs were also used to display advertisements. Thus, for example, “Loki” grants comprehensive privileges on the infected device and can switch with these rights at will and without a user compellingly noticed. Another app was the Ransomware “Slocker”, the Gate network to obscure the identity of its operators.
Vault 7: Google says, Android is safe. That is, almost.
The list of infected devices includes the Who’s Who of the smartphone industry. Among the models are also smartphones, which at the time of their purchase were among the high-end models:
Galaxy Note 2, 3, 4, 5, 8, Edge
Galaxy S4, S7
Xiaomi Mi 4i
Galaxy Tab S2
Galaxy Tab 2
Vivo X6 plus
Asus Zenfone 2
Check Point Software can not rule out the fact that the installed malware is also in use with other companies or private persons. The two companies, not named by name, should be a “major telecommunications provider” and a “multinational technology company”. If this is not a targeted attack against these two affected companies, the scenario of a much larger attack would be conceivable. For further knowledge one would have to investigate the distribution channel of the smartphones and determine, at which place the systems were infected.
Last year, a similar incident was public, at that time it concerned several million smartphones of the manufacturer BLU.
The new incident shows that an initial security check of newly acquired smartphones can make sense in the company environment, provided that the distribution channel can not be comprehended. Especially with alleged bargains or self-imports from only insufficiently well-known sources appears an increased skepticism attached. Security solutions for such an initial check are available in the App Stores, usually the check is done in a few minutes.
It goes without saying that you are a user in case of an actual infection. Before the problem that the manufacturer of their own smartphone might not offer any original firmware for download, with which the device could be put back into its original delivery condition.