Malware has been discovered preinstalled on 36 Android phones belonging to two companies, security software maker Check Point reported on Friday.
“In all instances, the malware was not downloaded to the device as a result of the users’ use — it arrived with it,” noted Oren Koriat, a member of Check Point’s Mobile Research Team.
The malicious apps on the phones of a telecommunications company and a multinational technology business were not part of the official ROM supplied by the vendor, he explained. They were added somewhere along the supply chain.
Six of the malware instances were added by a malicious actor to the device’s ROM using system privileges, meaning they couldn’t be removed by the user and the device had to be re-flashed, Koriat added.
Most of the preinstalled malware consisted of information stealers and rough ad networks, he said. Included in the malicious software array was Slocker, a mobile ransomware program that encrypts all the information on a device and demands a payment to decrypt it.
Loki malware also was part of the mix. It not only generates revenue by displaying bogus ads, but also steals data about a device and can take control of it.
“Unfortunately, this isn’t unexpected or even the first time we’ve seen this type of supply chain attack,” said Mark Nunnikhoven, principal engineer of cloud and emerging technologies at Trend Micro.
The path from maker to user for a third-party Android phone typically entails four steps: First, a new version of the operating system is released. Then a phone vendor will test and customize the OS before passing it on to a carrier. The carrier also will test and customize the phone. Finally, it will end up in the user’s hands.
“The problem is that when the phone is customized, malicious software or adware can be injected into it,” Nunnikhoven told LinuxInsider. “This appears to have been the case here.”
There is a law of computer security that physical access is always enough for an attacker to gain control of a device, said Craig Young, a senior security researcher at Tripwire.
“That means that anyone with physical access to the device — either an intruder or an insider — could connect the devices one by one to a computer and install malicious applications,” he told LinuxInsider.
Supply chain attacks like the one discovered by Check Point pose a serious problem to any consumer who receives such a phone.
“In a scenario like this, the only method to protect yourself from this threat would be to scan the phone right out of the box,” said Troy Gill, a senior security analyst with AppRiver.
“Of course, this is a fairly disturbing proposition,” he told LinuxInsider, “but unfortunately the only solution in this case.”
Consumers are at the mercy of manufacturers in a case like this, said Michael Patterson, CEO of Plixer International.
“There is an expectation of trust, which in this case was broken,” he told LinuxInsider.
“Given this situation where malware was installed as part of the supply chain, the only way for consumers to be protected is for manufacturers to begin to do a final quality assurance test of products before they are shipped to the consumer,” Patterson suggested.
Hunting Mobile Users
Because Android is an open operating system, it can be more vulnerable to malware attacks than its chief rival, Apple’s iOS. However, Android’s openness isn’t the culprit in this case, argued Patterson.
“In this case, the issue is one of a corrupt supply chain,” he said. “This was not a matter of whether or not there are inherent vulnerabilities in Android — this was a matter of a manufacturing process that failed the consumer.”
While a ROM attack on an iPhone is unlikely, hackers have attacked the Apple supply chain successfully. One of the most notable forays was the poisoning of SDK kits used by Chinese iOS developers, which resulted in preinfected apps being uploaded to Apple’s App Store.
Enterprise certificates are another route being used by hackers to attack iOS, noted Tripwire’s Young.
“Enterprises can’t cook their own ROMs to run iOS,” he said, “and all code running on it needs to be signed.”
However, Apple allows businesses to issue “enterprise certificates.” Apps with one of those certificates will be accepted by an iPhone as if they were downloaded from the App Store.
“That has been used in the past to distribute malware,” Young said.
Mobile users can never exercise too much care to protect their phones, said Tom Kellermann, CEO of Strategic Cyber Ventures.
“Consumers must realize that they are being hunted,” he told LinuxInsider.
“When someone hacks your mobile device, they invade your physical life as they can become present in your immediate surroundings via the microphone, camera and location settings,” Kellermann pointed out.
“Consumers must deploy mobile security on these devices and turn off location and Bluetooth when not using those functions,” he advised. “If in a sensitive setting, turn on airplane mode.”