When you walk out of a retailer with a shiny new phone, you trust that it’s clean and safe to use. But this might not always be the case, as evidenced by the latest pre-loaded malware Lookout identified called "DeathRing". DeathRing is a Chinese Trojan that is pre-installed on a number of smartphones most popular in Asian and African countries.

The Trojan masquerades as a ringtone app, but instead can download SMS and WAP content from its command and control server to the victim’s phone. It can then use this content for malicious means. For example, DeathRing might use SMS content to phish victim’s personal information by fake text messages requesting the desired data. It may also use WAP, or browser, content to prompt victims to download further APKs — concerning given that the malware authors could be tricking people into downloading further malware that extends the adversary’s reach into the victim’s device and data.

The malware is activated in two ways — both dependent on the victim’s use of the phone. First, the malware will activate if the phone is powered down and rebooted five times. On the fifth reboot, the malware starts. Second, the malicious service will start after the victim has been away and present at the device at least fifty times.

Counterfeit Samsung GS4/Note II
Various TECNO devices
Gionee Gpad G1
Gionee GN708W
Gionee GN800
Polytron Rocket S2350
Hi-Tech Amaze Tab
Karbonn TA-FONE A34/A37
Jiayu G4S – Galaxy S4 Clone
Haier H7
No manufacturer specified i9502+ Samsung Clone

The main countries of concern are Vietnam, Indonesia, India, Nigeria, Taiwan, and China.

For the second time in a year, Chinese-made Android smartphones have been discovered pre-flashed with malware, this time a Trojan security firm Lookout Mobile has ominously dubbed 'DeathRing'.

On infected handsets, DeathRing pretends to be a ringtone app but can be used to download other malware, communicating with its command and control via SMS or even the ancient WAP.

It activates once the device has been rebooted five times or, in other cases, the device has been accessed 50 times by its owner from the homescreen.
[How to spot a phishing email]

By today's ambitious mobile malware standards, DeathRing is pretty low-rent. The list of cheap clone handsets on which is was found - including models from Gionee, Polytron, Karbonn, Hi-Tech, Jiayu, Haier, TECNO, and GPAD - aren't sold to consumers beyond Asia and Africa so the threat is non-existent in the UK and US.

That might also explain the use of WAP, a defunct technology elsewhere. According to Lookout, the countries affected are Vietnam, Indonesia, India, Nigeria, Taiwan, and China.

The wider significance is that the issue of malware loaded on to devices as a part of factory or supply chain firmware flashing seems to be getting slowly worse. Earlier this year, Lookout reported another Trojan called Mouabad which used an identical method to get itself on to factory-fresh handsets.

In a separate attack, security firm Marble Security discovered a fake Russian-made version of Netflix that had been pre-installed on Android devices.

Could higher-end Android handsets be affected by this sort of attack in the near future?

"It's theoretically definitely possible, but for the time being unlikely. This is because many manufacturers of the higher-tier devices generally found in Western countries have more stringent regulation over their supply chains and better quality control programs," said Lookout's Jeremy Linden.

"However, like all malware, where the money is, the malware technology follows. If authors find this distribution method to be lucrative, they may evolve to attack the bigger fish."

For the user, it's not a case of detecting and removing these Trojans. Loaded as part of the firmware image (older versions of Android), they can't be removed manually without re-flashing the operating system.

According to Lookout, detection rates have been in the "tens of thousands" which suggests that an issue only affecting some handsets.

This story, "Android 'DeathRing' malware being pre-loaded on cheap smartphones" was originally published by Techworld.com.

The folks over at Lookout Security have an interesting blog piece on “DeathRing,” a Chinese Trojan that comes pre-installed on a number of smartphones most popular in Asian and African countries.

According to the bulletin, the Trojan masquerades as a ringtone app, but downloads an SMS and WAP (or “wireless access protocol” ) content from a command and control server to the victim’s phone once it is installed.

That downloaded content can be used for various malicious, money-making schemes, according to Lookout. For example, DeathRing can use the SMS content to send phishing text messages to the phone to elicit sensitive information from the user. The WAP content to manipulate a mobile user’s web browsing session. For example: the attackers might prompt victims to download additional mobile applications or add-ons, potentially extending their reach over the victim’s device and data.

[Read more Security Ledger coverage of supply chain risks.]

Lookout said that DeathRing has been found only in low numbers and outside of Western markets. Copies of the mobile malware have turned up in Vietnam, Indonesia, India, Nigeria, Taiwan, and China. The malware has been identified running on off-market counterfeit phones posing as Samsung devices including the Galaxy S4, the GS4/Note II and others. Other affected platforms include devices by Gionee (Gpad G1, GN708W, GN800) Polytron Rocket S2350, Hi-Tech Amaze Tab Karbonn TA-FONE A34/A37, the Jiayu G4S (another Galaxy S4 Clone) and the Haier H7.

The pattern and features of DeathRing are similar to another piece of mobile malware that was also linked to corrupted supply chains: Mouabad, which Lookout warned of in April. Like DeathRing, that malware also used premium SMS and asked victims to install added modules that extended the malware’s functionality.

Mobile handset makers are particularly vulnerable to corrupt- or corrupted supply chain partners, given the intense price pressure and the myriad of components that make up even a low-end smart phone.

Legal and information security experts say that attacks that come by way of suppliers and other third-party business partners are one of the biggest threats that modern organizations face. However, few firms prioritize scrutiny of third-party contractors and components.

At an expert panel on supply chain security that met in Boston in November, companies were encouraged to beef up auditing of internal- and partner assets and to seek contractual protections that will indemnify them in the event that a breach at a supplier or business partner exposes data that materially affects their firm.

Read more via The Official Lookout Blog | DeathRing: Pre-loaded malware hits smartphones for the second time in 2014.

By today's ambitious mobile malware standards, DeathRing is pretty low-rent. The list of cheap clone handsets on which is was found - including models from Gionee, Polytron, Karbonn, Hi-Tech, Jiayu, Haier, TECNO, and GPAD - aren't sold to consumers beyond Asia and Africa so the threat is non-existent in the UK and US.

Counterfeit Samsung GS4/Note II
Various TECNO devices
Gionee Gpad G1
Gionee GN708W
Gionee GN800
Polytron Rocket S2350
Hi-Tech Amaze Tab
Karbonn TA-FONE A34/A37
Jiayu G4S – Galaxy S4 Clone
Haier H7
No manufacturer specified i9502+ Samsung Clone

Lookout said that DeathRing has been found only in low numbers and outside of Western markets. Copies of the mobile malware have turned up in Vietnam, Indonesia, India, Nigeria, Taiwan, and China. The malware has been identified running on off-market counterfeit phones posing as Samsung devices including the Galaxy S4, the GS4/Note II and others. Other affected platforms include devices by Gionee (Gpad G1, GN708W, GN800) Polytron Rocket S2350, Hi-Tech Amaze Tab Karbonn TA-FONE A34/A37, the Jiayu G4S (another Galaxy S4 Clone) and the Haier H7.