Slashdot Mirror


Malware Found In the Firmware of 26 Low-Cost Android Models (bleepingcomputer.com)

An anonymous reader writes: Security researchers have found malware hidden in the firmware of several low-end Android smartphones and tablets, malware which is used to show ads and install unwanted apps on the devices of unsuspecting users. 26 Android device models have been found to be vulnerable. The common link between all these devices is that all are low-cost devices, mostly marketed in Russia, and which run on MediaTek chipsets.

According to security researchers from Dr.Web, a Russian antivirus vendor, the malware appears to have been added to the firmware by "dishonest outsourcers who took part in [the] creation of Android system images decided to make money on users." The security firm has informed MediaTek and the device vendors about this issue so the affected companies can inspect their distribution chain and find the possible culprits.

60 comments

  1. The list by fred6666 · · Score: 4, Informative

    These were cheaper than cheap. No well known brand such as Samsung or even cheaper brands such as Huawei, ZTE and Xiaomi.

            MegaFon Login 4 LTE
            Irbis TZ85
            Irbis TX97
            Irbis TZ43
            Bravis NB85
            Bravis NB105
            SUPRA M72KG
            SUPRA M729G
            SUPRA V2N10
            Pixus Touch 7.85 3G
            Itell K3300
            General Satellite GS700
            Digma Plane 9.7 3G
            Nomi C07000
            Prestigio MultiPad Wize 3021 3G
            Prestigio MultiPad PMT5001 3G
            Optima 10.1 3G TT1040MG
            Marshal ME-711
            7 MID
            Explay Imperium 8
            Perfeo 9032_3G
            Ritmix RMD-1121
            Oysters T72HM 3G
            Irbis tz70
            Irbis tz56
            Jeka JK103

    1. Re:The list by Anonymous Coward · · Score: 0
    2. Re:The list by Anonymous Coward · · Score: 0

      The thing is, if you look around, none of those are "cheaper" than name-brand stuff like the mid-range HTC, LG, Motorola, et al stuff. Motorola in particular is great because as long as you select a non-asshole carrier then you can fully unlock the phone (that is, carrier and bootloader) with ease (search this and select based on how much a particular carrier is an asshole that doesn't let you unlock the physical hardware you paid for [eg. Verizon, AT&T, etc]).

    3. Re:The list by pecosdave · · Score: 1

      That reads like a who's who list of crap I wouldn't waste my money on if I saw it in the store.

      --
      The preceding post was not a Slashvertisement.
    4. Re:The list by Wycliffe · · Score: 1

      That reads like a who's who list of crap I wouldn't waste my money on if I saw it in the store.

      I bought a couple of these for my kids a few years ago when they were in their destructive stage and I was working on teaching them how to properly take care of things. At that point a $30 tablet that they could play angry birds on and look at wikipedia was all they really needed. I had suspected malware as one of them started having unwanted popups even after I reflashed it.

  2. What does MediaTek have to do with it? by Anonymous Coward · · Score: 0

    It's like trying to make their chips out as a bad, unsafe product. You might as well bring up that they're made of plastic and have touch-screens, or something else irrelevant. And by definition, every Android phone has malware, given how Google basically owns all your data.

    1. Re:What does MediaTek have to do with it? by ncy · · Score: 1

      From the summary: "The security firm has informed MediaTek and the device vendors about this issue so the affected companies can inspect their distribution chain and find the possible culprits." Other companies (i.e. Volkswagen, Toyota, Samsung, etc.) have survived massive recalls before, so there's no reason to think MediaTek will go down under just because they start an investigation. I'd say it's even exemplary to put in the efforts, time, and money to find who's responsible.

  3. Mediatek, WHAT IS YOUR PROBLEM?! by emil · · Score: 3, Insightful

    Why is Mediatek installing malware to extract and send the owner's data to China?

    I just bought the latest BN Nooks as Christmas gifts. Now I have to tell EVERYONE who receives these gifts to use burner accounts, no credit cards, no sensitive gmail.

    None of these companies can be trusted.

    1. Re:Mediatek, WHAT IS YOUR PROBLEM?! by Gaygirlie · · Score: 1

      It's not Mediatek who is installing the malware, they're just the company that manufactures the SoC! Also, this has absolutely nothing to do with Mediatek in the first place, this is just greedy middle-hands being greedy!

    2. Re:Mediatek, WHAT IS YOUR PROBLEM?! by cmiller173 · · Score: 1

      Not sure which latest Nooks you are talking about, but since they are rebranded Samsung tablets with Qualcomm processors and not MediaTek processors, you shouldn't need to.

    3. Re:Mediatek, WHAT IS YOUR PROBLEM?! by emil · · Score: 1
      Uh, no.

      Processor MediaTek MT8163 ARM Cortex-A53 Quad-Core

    4. Re:Mediatek, WHAT IS YOUR PROBLEM?! by trevc · · Score: 1
      Why did you buy them; don't you like these people?

      Why is Mediatek installing malware to extract and send the owner's data to China?

      I just bought the latest BN Nooks as Christmas gifts. Now I have to tell EVERYONE who receives these gifts to use burner accounts, no credit cards, no sensitive gmail.

      None of these companies can be trusted.

  4. DT Ignite by Anonymous Coward · · Score: 0

    Shouldn't DT Ignite also be considered malware because it installs unwanted apps? If so, there is malware in the firmware of many US phones, too.

  5. Only apps can app apps! by Anonymous Coward · · Score: 0

    Only LUDDITES think that extra apps are "malware". Modern app appers know that these are simply bonus apps added to App Phones as an extra feature!

    Apps!

  6. Redundant by BigBuckHunter · · Score: 0

    There is no need to say "Low Cost Android Phones".... Mainly because there are no "Low Cost Apple Phones", and we already know that all "Low Cost Windows Phones" contain malware by virtue of being Windows.

    1. Re:Redundant by freeze128 · · Score: 1

      There are still low-cost feature phones... and blackberry. Yeah.

    2. Re:Redundant by Anonymous Coward · · Score: 0

      I guess you're blind and can't SEe what low-cost phones they might still be SElling. SEe what I did there?

    3. Re:Redundant by Obfuscant · · Score: 1

      And by the definition of malware as "used to show ads and install unwanted apps on the devices of unsuspecting users" there are NO phones that don't contain malware. Google Chrome, which used to be bundled with Java updates (as I recall, it might have been something else) is malware under that definition.

    4. Re:Redundant by thsths · · Score: 1

      If a Java update installs Chrome, then Java is the malware here. Sure, Google paid for it, so they are complicit, but Oracle conveniently "forgot" to ask the user.

  7. Why do people bother with "low-end"? by Anonymous Coward · · Score: 0

    I mean you can pick up a number of decent name-brand mid-range devices that can be fully unlocked for less than $30.

    1. Re:Why do people bother with "low-end"? by Anonymous Coward · · Score: 0

      Because some people are poor, numbnuts. Some people can barely scrape together $30 for the phone, never mind for an unlocking fee.

    2. Re:Why do people bother with "low-end"? by Anonymous Coward · · Score: 1

      Why not? Just sell pussy or ass...

    3. Re:Why do people bother with "low-end"? by AvitarX · · Score: 2

      Like what?

      I got a BLU studio energy 2 a year or so back (just under a year). It is a pretty decent phone, slows down and hangs periodically requiring reboots (twice daily maybe if I run pokemon, otherwise about every other day), and incoming calls fuck it all up (takes about 15 seconds before it's responsive enough to answer, a slight nuisance once a week or so), but it has an honest 2 days of battery heavy use, I've never run it dead in 24 hours, with screen on times of 8+ hours leaving me ample battery still.

      Phone + Sim + Memory card = $150

      I look now and see maybe a moto G4 play (wasn't out yet) or a moto Z play (much more expensive, and bigger) as the only two maybe competitive now nearly a year later,

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    4. Re:Why do people bother with "low-end"? by Anonymous Coward · · Score: 0

      BLU Phone eh? You're gonna have a bad time: http://arstechnica.com/security/2016/11/powerful-backdoorrootkit-found-preinstalled-on-3-million-android-phones/

    5. Re:Why do people bother with "low-end"? by AvitarX · · Score: 1

      BLU that rapidly patched and released an update to this?

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
  8. Google by 110010001000 · · Score: 2, Insightful

    Google needs to get a grip on Android, somehow. They are ultimately responsible for this mess. Stop fucking around with self-driving cars and do your job.

    1. Re:Google by The-Ixian · · Score: 2, Informative

      Google needs to get a grip on Android, somehow

      They have, it's called a Pixel.

      If you buy an AOSP or Android device from any other manufacturer, your relationship is with that manufacturer, not with Google.

      Google just makes the OS that runs on the hardware.

      --
      My eyes reflect the stars and a smile lights up my face.
    2. Re:Google by fuzzyfuzzyfungus · · Score: 1

      That is basically "Google Play Services". With each Android revision a bit more of what you would actually want to use ends up provided by GPS rather than AOSP.

      On the plus side, this makes for better application compatibility for devices stuck on old Android versions by OEMs who don't give a damn. On the minus side, it provides no protection against malice; only applies if your device is a google vassal; and does absolutely nothing about the fact that embedded ARM is a balkanized shithole of gratuitously ill-standardized quasi-platforms, copious binary blobs; and vendor BSPs so awful that the widespread GPL noncompliance might actually be an act of mercy.

    3. Re:Google by fermion · · Score: 1
      Low cost is the key. No manufacturer is going to sell a product with no hope of making profit. We saw this with MS Windows machines many years ago. The cost of a MS Windows license was so great, and the pressures to keep cost low so intense, that the only way for the average OEM to generate a profit was to use the machines as promotional vehicles. In the end, every consumer MS Windows machine ended up being a means for MS to gain market share and third parties to generate profit, not a tool for useful work.

      I noticed this on Amazon tablets as well. I have a Kindle with promotional items, and it is not too intrusive. The ad is there, but disappears as soon as I am ready to read. On the other hand I recently got a Fire, i.e. cheap Android-based tablet, and the promotional items are much more intrusive. It takes a significant effort to move from the promotional screen to the home screen so that work can get done.

      Now, in principle, Google does not charge for Android so they are not at fault in the same way that MS was and is for the loading of machines with malware and spyware. I do not see anything they can do if they are looking to create a commodity OS for tablets like MS did for desktops.

      --
      "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
    4. Re:Google by snookiex · · Score: 1
      --
      Open Source Network Inventory for the masses! Kuwaiba
  9. Kill the market for this crud by anthony_greer · · Score: 4, Interesting

    Google needs to start working with vendors in the markets that use these lower end phones to make secure and reliable hardware. If there are a couple vendors making reliable phones for the ultra low end, with Google's official support and endorsement, it could go a long way in killing the market for these sorts of devices and win them a lot of favor in places where they might not be so highly regarded.

    1. Re:Kill the market for this crud by Anonymous Coward · · Score: 1

      Google _does_ work with the vendors in low end market, with the Android One initiative.

      Google's involvement inevitably pushes up the price -- but they do have a plan for this.

    2. Re:Kill the market for this crud by bgarcia · · Score: 1

      Google needs to start working with vendors in the markets that use these lower end phones to make secure and reliable hardware. If there are a couple vendors making reliable phones for the ultra low end, with Google's official support and endorsement, it could go a long way in killing the market for these sorts of devices and win them a lot of favor in places where they might not be so highly regarded.

      Google created Android One as an attempt to do exactly this. But people who sell phones that are subsidized by malware creators are able to sell those phones for even less. Go figure.

      --
      I'm a leaf on the wind. Watch how I soar.
  10. Oysters?!?! by Anonymous Coward · · Score: 0

    Who came up with that brand name?!?!

    1. Re:Oysters?!?! by geekmux · · Score: 1

      Who came up with that brand name?!?!

      Wow, good point. Perhaps I'll Google and see if there are any other weird company names. Oh look, Apple offers cell plans from Verizon.

      Now if you'll excuse me I'm off to the Amazon to order some music, fishing lures, and cabbage...

    2. Re:Oysters?!?! by GrumpySteen · · Score: 1

      Some shellfish bastard in Russia

    3. Re:Oysters?!?! by PCM2 · · Score: 1

      Russians.

      There's a preparation of oysters called Oysters Moscow, and Anton Chekhov has a short story called "Oysters," but I can't think of any other connection.

      --
      Breakfast served all day!
    4. Re:Oysters?!?! by OhSoLaMeow · · Score: 1

      Who came up with that brand name?!?!

      It was either that or Bearded Clam.

      --
      They can take my LifeAlert pendant when they pry it from my cold dead fingers.
  11. Rolex uses Oyster as a model. by Anonymous Coward · · Score: 0

    Makes no fucking sense either.

  12. So what? by Anonymous Coward · · Score: 0

    Malware mines your contact list, emails, photos, and text messages. It also tracks your location. Google mines your contact list, emails, photos, and text messages. Google also tracks your location. I don't really see a difference. Oh yeah, one of them makes you "agree" to a multi-page contract written by their legal department (300 lawyers) for their own benefit.

    1. Re:So what? by cmiller173 · · Score: 4, Insightful

      I know what I get in exchange for trading my information with Google and I know how to secure my communications when necessary for sensitive information. Google and I both benefit from the relationship. When a third party gets their malware on a phone (hasn't happened to me) the user of that device has not made an informed decision to make that trade and rarely benefits from it.

    2. Re:So what? by Anonymous Coward · · Score: 0

      If you think you have a beneficial "relationship" with google, you are sadly mistaken. Does a mark have a relationship with a conman? Does a turkey have a relationship with a poultry farmer? Nope. You are google's product to do with as they see fit, nothing more, nothing less. Whatever you traded to become their product must have had little value to you.

  13. Free Software anyone? by Anonymous Coward · · Score: 0

    If you're going to insist on using proprietary closed source software, I don't want to hear you complaining.

  14. Nothing new by fubarrr · · Score: 1

    Russian clickfarms were conspiring with cellphone network staff since prehistoric times (first heard of paid sms scams around year 2002, 2003 or so).

    Now they mostly sell access on sms validation market.

  15. Androids with malware by TrixX · · Score: 2

    For a second I read the "Android" in the headline as talking of a humanoid robot instead of the smartphone OS, and it was a really good base for a sci-fi story

  16. Landfill android is accurate by ilsaloving · · Score: 1

    This shouldn't be a surprise. I mean, it's called Landfill Android for a reason. Landfills are riddled with god-knows what diseases. These devices are simply extending the metaphor.

  17. It most CERTAINLY IS Mediatek! by emil · · Score: 5, Informative

    They were caught red handed.

    When Google had previously updated its systems to check for ADUPS, MediaTek (they make the chipset in millions of low-end phones) simply modified their system software to evade Google’s checks. Nice one MediaTek!

    DO NOT BUY EQUIPMENT WITH MEDIATEK CPUS!

    1. Re:It most CERTAINLY IS Mediatek! by Anonymous Coward · · Score: 1

      You represent exactly the kind of malice and misunderstanding the writer was hoping for: get people, and consequently product developers, to believe that MediaTek is bad. It's not MediaTek's chips that are bad, it's the next vendor in line who included ADUPS and evaded the checks for it.

      And all of these complaints are hilarious, because they boil down to people being mad because their malware is not stealthy enough. You never complain about Google, Microsoft, NSA etc. collecting your info secretly, but when Chinese companies do it in a very forthcoming and open manner, THEN you get upset? Hilarious.

    2. Re:It most CERTAINLY IS Mediatek! by thsths · · Score: 1

      Exactly this. They have been caught in questionable dealing way too often: violating the GPU, preventing updates that are technically perfectly possible, dealing with developers who install malware ... they certainly have a track record that should make you very worried.

      This is not to say that everybody else is doing great work, but with MediaTek you can be quite certain to be screwed one way and/or another.

    3. Re:It most CERTAINLY IS Mediatek! by jofas · · Score: 1

      Strawman. While they don't *directly* install malware, they have been called out NUMEROUS times for not patching vulns in subsequent generations of same hardware. The list above was one or two manufacturers in 2014 and is now as long as it is because they don't give a shit. Bottom line: they are not marketing to North American demographics of any kind.

  18. Device makers to try to find the culprits by Streetlight · · Score: 2

    Quote from OP: "The security firm has informed MediaTek and the device vendors about this issue so the affected companies can inspect their distribution chain and find the possible culprits."

    How about updating the OS in these cheap phones, even the ones already sold, with an uninfected OS. Why waste time looking for the miscreants, who may be well hidden? Just fix the OS.

    --
    In a time of universal deceit, telling the truth is a revolutionary act. George Orwell
  19. Preloaded crap? by IMightB · · Score: 1

    Can we start calling all the preloaded crap that isn't stock android malware?

    all the shit that vendors load that spy on you all the time?

    tmobile
    verizon
    att

    etc etc etc
    I can't uninstall that stuff

    1. Re:Preloaded crap? by Obfuscant · · Score: 2

      all the shit that vendors load that spy on you all the time?

      Vendors? You mean like Google?

      Right now I see "GoogleLocationManager", "ContextManagerService", "GoogleLocationService", and "GcmService" all running on my tablet. This is with "Location Service" turned off and after I've explicitly stopped the Google Play Services app, on a device that is in airplane mode and not been used for any app that needs location. (And my phone, which is a later version of Android, doesn't let me stop Google Play Services at all.)

      That ignores the google analytics service that shows up when the device actually is connected to the net, so that google can monitor web accesses for me.

    2. Re:Preloaded crap? by IMightB · · Score: 1

      Sure add google to the list

  20. News Flash..... DUH! by Lumpy · · Score: 1

    Sorry but if you buy a crap-tacular phone you can not expect it to be even safe to turn on. These companies are known for selling flash media pre loaded with malware.

    --
    Do not look at laser with remaining good eye.
  21. Low end market by XSportSeeker · · Score: 2

    It's probably the case for generic low end devices here in Brazil too, and probably most other countries.
    Bought one of those earlier this year, something like 50 bucks for a quadcore tablet that performed pretty decently.
    If you try to root it, the whole thing factory resets itself after power down.

    It has several suspicious stuff pre-installed into it, and they'll always be back no matter which way you try to uninstall or delete them.
    Some apps are simply shovelware, but there's plenty of stuff that apparently had no purpose there.

    Crapshoot. I wanted a tablet to read some comics and do some of the basics, and also to experiment on rooting and making a device secure... ended up in the trash, going for a reputable brand instead.

  22. Do any of these run the Play store? by Rob+Y. · · Score: 1

    I would assume none of them can load apps from the Play store. Based on the now common wisdom - you're (more or less) safe if you only ever install apps from the Google Play Store, and if not, you're not ever going to get software updates, so consider yourself hacked - these things are all malware vectors from the get go. Their vendors just gave them a head start...

    --
    Posted from my Android phone. Oh, I can change this? There, that's better...
  23. It's not OMAP anymore, but... by emil · · Score: 1

    ...I thought that I could trust BN. They would have been better served with a Sitara.

  24. The latest Barnes & Noble Nook is ADUPS-infect by emil · · Score: 1

    I just checked the new tablet and found:

    /system/app/AdupsFota/AdupsFota.apk

    Is this the Mediatek malware in question?