Android phones are often sold with a bunch of preinstalled software: messengers, social networks, games, and sometimes even Trojans.
Cybersecurity experts have studied a number of cases in which malicious programs were distributed hidden in smartphone firmware. To begin with, let’s talk about how Trojans get into the firmware of mobile devices. This distribution channel for malicious software is called a supply chain attack. To understand the source of the problem, let’s recall the history of the evolution of modern Chinese smartphones.
Behind the Great Wall
About ten years ago, several companies in China, the largest of which is MediaTek, launched mass production of systems-on-chip (SoCs) that effectively constituted a ready-made basis for an Android smartphone. After that, a huge number of smaller factories appeared on the market and began to make their own smartphone models based on these SoCs. The market was quickly flooded with “semi-finished products” – completely ready devices shipped without firmware. These devices were bought by other Chinese companies specializing in bulk sales of phones and tablets on various marketplaces.
If there is “hardware,” there will be “software.” The Chinese market responded to the flow of “raw smartphones” with the emergence of thousands of firms that produce firmware for such devices. This is a separate and very large business sector. Such companies create firmware with different software bundles and launchers for different categories of customers – shops, wholesalers, or foreign offices that sell such phones under their own label. It has reached the point where a smartphone may have its firmware replaced several times on the way from the factory to the end user.
Despite the high demand, competition in this market is also very high, and developers had to resort to dumping prices. In order to recoup the costs of creating firmware and earn some extra money, they came up with alternative monetization channels: they started to take a commission from software vendors for preinstalling apps on smartphones.
The next step was quite obvious. If you add a loader app to the smartphone’s firmware that can download and install other apps on command from a control server, you can earn even more. Alongside the companies supplying firmware, separate agencies started to appear that specialized in selling mobile advertising, software preinstallation services, and the like.
Surprises inside the firmware
Apps included in the firmware of an Android phone have more privileges by default. They can access other applications, send SMS, read the user’s address book, and download and install other programs. For ordinary users, it is not easy, and sometimes impossible, to remove such applications.
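As an added example (not code from the original article), here is a small triage script that parses the output of `adb shell dumpsys package` and lists apps on the system partition that hold the SMS, contacts or silent-install permissions the paragraph describes; the dumpsys excerpt and package names below are constructed, and the field names are abbreviated to the ones the script needs.

```python
import re

# Permissions the article says preinstalled apps abuse: SMS, contacts, silent install.
WATCH = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
         "android.permission.SEND_SMS", "android.permission.READ_CONTACTS",
         "android.permission.INSTALL_PACKAGES"}

# Constructed, abbreviated `adb shell dumpsys package` output; package names are hypothetical.
SAMPLE = """\
  Package [com.example.oemlauncher] (a1b2c3):
    flags=[ SYSTEM HAS_CODE ]
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.example.fotaupdater] (d4e5f6):
    flags=[ SYSTEM HAS_CODE ]
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.RECEIVE_SMS: granted=true
      android.permission.SEND_SMS: granted=true
      android.permission.INSTALL_PACKAGES: granted=true
  Package [com.example.usergame] (778899):
    flags=[ HAS_CODE ALLOW_BACKUP ]
    install permissions:
      android.permission.SEND_SMS: granted=true
"""

def parse_dumpsys(text):
    """Split dumpsys output into {package: {"system": bool, "granted": set}}."""
    pkgs, cur = {}, None
    for line in text.splitlines():
        head = re.match(r"\s*Package \[([\w.]+)\]", line)
        if head:
            cur = pkgs.setdefault(head.group(1), {"system": False, "granted": set()})
            continue
        if cur is None:
            continue
        s = line.strip()
        if s.startswith("flags=["):  # SYSTEM flag marks apps shipped in the firmware
            cur["system"] = "SYSTEM" in s[len("flags=["):].rstrip("]").split()
        else:  # matches both "install" and "runtime" permission lines
            perm = re.match(r"([\w.]+): granted=true", s)
            if perm:
                cur["granted"].add(perm.group(1))
    return pkgs

def suspicious_system_apps(text):
    """Return {package: sorted watched permissions} for system-partition apps
    (which the owner cannot uninstall) holding SMS, contacts or install rights."""
    return {name: sorted(p["granted"] & WATCH) for name, p in parse_dumpsys(text).items()
            if p["system"] and p["granted"] & WATCH}
```

Run it against a real dump with `adb shell dumpsys package > dump.txt` and pass the file contents to `suspicious_system_apps`; any hit is a candidate for closer inspection, not proof of malware, since legitimate OEM messaging and update apps hold some of these permissions too.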
In recent years, this market has become a little more civilized. A significant share of it is now occupied by developers of OEM devices, as well as companies offering so-called white labeling – the release of an existing Chinese phone model under the customer’s brand name.
All these devices need localization, launchers, over-the-air update mechanisms, etc. At the same time, Chinese manufacturers do not develop firmware themselves but delegate these tasks to subcontractors. It is impossible to track what the myriad subcontractors add to their firmware. So, from time to time, smartphones with surprises appear on AliExpress and other marketplaces.
Sometimes, in addition to downloaders and advertising networks, something dangerous may get into the firmware, like apps for intercepting confidential data, trackers, and other spy apps. Some infected devices are able to unite into botnets that malicious actors use, for example, for DDoS attacks.
Other ways of monetizing hidden apps include automatically inflating website visitor counters, faking ad clicks, subscribing the owner to paid services, and even taking screenshots or photos of the device’s owner for the purpose of online extortion.
Data collected from infected phones is sold on Chinese forums. Remote control of infected phones may cost about 300 yuan. In addition, criminals offer C&C servers for rent to anyone building their own botnet.
A popular fraud scheme
Often, infected phones are used by services for receiving and sending SMS. These services are very popular since registration on many websites requires users to enter their phone number. At the same time, the owner of the Chinese device does not even suspect that someone is quietly renting out his phone number. Such SMS services, which operate not only in China, make it possible to mass-register throwaway accounts.
In 2018, the Chinese division of Starbucks launched a promo offer. Each registered user of the mobile application was offered a coupon for a free cup of coffee. On the first day of the promo offer, in order to get free coffee, users created more than 400 thousand fake accounts with the help of platforms for mass registration of online accounts.
Phone-Verified Accounts
An account whose registration is verified by SMS is called a phone-verified account (PVA). Whereas earlier SMS PVA services used IP telephony and special SMS gateways, today the process of receiving and transmitting messages is hidden behind the scenes: confirmation codes are delivered to the service via an API. The security experts from VPNBrains have determined that some of these services run on top of botnets that include thousands of infected Android smartphones.
Infected smartphones are used to receive, analyze, and transmit SMS confirmation codes without the knowledge and consent of the phone owner. The security experts found that the malicious software was either preinstalled in the smartphone’s firmware from the start or covertly downloaded to the phone later by special loaders.
Creating an SMS PVA service does not involve significant costs. Its owners do not need to spend money on expensive equipment or a large number of SIM cards, or pay for carrier services. All that is needed is access to the database of infected smartphones, which allows them to send, receive, and forward messages and also obtain geolocation data. In this way, customers can choose the region in which they wish to receive SMS and register their account.
At the same time, the virus writers impose restrictions on which messages are forwarded. They have two goals: first, not to interfere with SMS the phone owner actually requested, and second, to rule out attempts to abuse multifactor authentication codes, which could lead to the theft of funds from the owners of infected devices.
In some cases, the actual owner of the phone may lose the ability to register on a number of websites because the malefactors have already used his phone number there.
If problems arise, it is almost impossible to establish the real identity of the cybercriminal: law enforcement officers come to the actual owner of the compromised phone number to which the account is registered.
Based on the statistics on the use of SMS PVA services and the number of phone numbers they offer, the problem is huge, and it is global. There are hundreds of thousands of telephone numbers offered by such platforms.
Most infected devices, as a rule, are inexpensive Android smartphones produced by little-known companies.
Conclusion
SMS registration using one-time codes seems to have outlived its usefulness and can no longer be considered safe and effective. Nevertheless, this method is still one of the most common authentication mechanisms. It is widely used by many services, which eventually suffer from the influx of bots.
As for the primary source of the problem, infected phones, the only effective method of protection is to refrain from buying cheap devices made by unknown manufacturers.