Rogue retailers are unpacking phones made in China, installing malware and then selling the infected phones on the open market, security firm G DATA stated in a report released Sept. 1.
The scheme involves infecting mainly local brands of Android phones—such as Alps, Xiaomi and even a line of devices known as “NoName”—but also it affects phones from well-known international brands such as Huawei and Lenovo.
The incidents, which involve nearly two dozen brands of phones, underscore the current difficulties in securing technology as it moves through the supply chain to its destination.
“This happens before the user ever gets the phone,” Andy Hayter, security evangelist with G DATA, told eWEEK. “We checked with some of the manufacturers and they are telling us that it is not happening on their end of the supply chain.”
The incidents underscore the dangers of untrusted supply chains. Companies and government agencies have grown worried about the security of the supply chain—the flow of goods from manufacturer to retailer to consumers.
In 2013, classified documents leaked by former contractor Edward Snowden showed that the U.S. National Security Agency and other national intelligence agencies have regularly infiltrated supply chains feeding technology to countries of interest to compromise devices that act as electronic moles, according to the documents. Devices from Cisco, Dell and other manufacturers, for example, have all been modified in transit to their destination to include implants to enable NSA monitoring.
In June, smartphone maker Samsung gave in to consumer pressure and agreed to allow users to disable pre-installed applications, many of which slowed down the systems and collected data on the users.
As mobile devices and the Internet of things (IoT) become more common, solving supply-chain security issues will become even more urgent, Theodora Titonis, vice president of software-security firm Veracode, told eWEEK.
“You are seeing all these means of inserting these security threats into the holes in the software supply chain,” she said. “Everything is moving so quickly and there are all these holes, so it makes securing the device that much harder.”
In the latest scheme detected by G DATA, the rogue retailers apparently opened boxes of new Android phones and upgraded the firmware with a malicious version of a standard program—in this case, Facebook’s mobile app.
The Trojan application collects information and can take a variety of privacy-invading actions. These include leaking the phone’s location, “listening to and recording telephone calls or conversations, making purchases, bank fraud or sending premium SMS messages,” G DATA stated.
The result? Potentially stolen data and a large phone bill for the user; additional profits for the operator behind the malicious code.
G DATA recognized the first infections in Android mobile phones early last year. Since then, the number of incidents has increased, Hayter said.
While the problems mainly affect China, a small number of phones have appeared in Europe. Some compromised devices have been sold online through eBay and other auction sites, Hayter said.
While security technology can detect malware on a phone, some surveillance programs can sneak by such defenses.
Earlier this year, documents leaked by the offensive-security firm Hacking Team revealed that the company had extensive tools for compromising mobile devices with programs designed to collect information on the user and their communications. While security firms had some ability to detect the programs, Hacking Team found ways to evade detection.
For many users, that means the first line of defense is to verify the security of the retailers from whom you or your company buys mobile technology, says Hayter. A trusted and vetted supply chain will not guarantee security, but it at least assures users and companies that the provider takes cyber-security seriously.
“Go through a trusted provider, not the street corner,” Hayter said.
Issues, such as bloatware, may be more minor, but still represent a failure to secure the supply chain, Veracode’s Titonis said. By installing bloatware on their products, the manufacturer shows they are willing to work against their customers’ interest to turn a more significant profit by trading consumers’ privacy for a little more revenue.
Such tactics leave consumers vulnerable to third-party applications that the device manufacturer has likely not vetted very well.”
I don’t know how many people ask me, after they buy a phone, how to get rid of bloatware,” Titonis said. “And that’s the stuff the consumer can see, but there is a lot more that they can’t see.”
With an estimated 50 billion devices connected to the Internet by 2020, making sure that those devices are secured from the manufacturer to the consumer is important. Equally important is making sure that manufacturers are not putting distrusted software on the devices, risking consumers’ privacy.
Are you a security pro? Try our quiz!
Originally published on eWeek.
Fourth quarter results beat Wall Street expectations, as overall sales rise 6 percent, but EU…
Hate speech non-profit that defeated Elon Musk's lawsuit, warns X's Community Notes is failing to…
Good luck. Russia demands Google pay a fine worth more than the world's total GDP,…
Google Cloud signs up Spotify, Paramount Global as early customers of its first ARM-based cloud…
Facebook parent Meta warns of 'significant acceleration' in expenditures on AI infrastructure as revenue, profits…
Microsoft says Azure cloud revenues up 33 percent for September quarter as capital expenditures surge…