Hidden Malware Preying on Millions of Android Phones Out of the Box

A concerning incident of a supply chain attack targeting Android devices has been uncovered by cybersecurity researchers at Trend Micro. They have discovered that millions of Android devices, including budget smartphones, smartwatches, smart TVs, and other smart devices, are being infected with infostealer malware even before leaving the factory.

During a conference in Singapore, Trend Micro researchers Fyodor Yarochkin and Zhengyu Dong shed light on the root cause of this issue, attributing it to fierce competition among original equipment manufacturers (OEMs). While smartphone makers outsource certain components, such as firmware, to third-party suppliers, the dwindling prices of mobile phone firmware have led these suppliers to struggle in monetizing their products.

Consequently, Yarochkin explained that these products started to come pre-installed with "silent plugins": unwanted extras bundled into the firmware. Trend Micro's investigation, which scanned numerous firmware images for malicious software, identified around 80 different plugins. Some of these plugins were part of a wider "business model" and were being sold on underground forums as well as advertised on mainstream social media platforms and blogs.

These plugins possess various capabilities, including the theft of sensitive information, SMS messages, social media account takeover, ad and click fraud, traffic abuse, and more. The Register highlighted one particularly serious problem wherein a plugin allows the buyer to gain complete control of a device for periods of up to five minutes and use it as an "exit node."
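The capabilities listed above (SMS theft, account takeover, ad and click fraud, traffic relaying) map onto permission combinations that a pre-installed package should rarely need. The script below is an added example of how a defender might triage a device's system-image packages against such combinations; it is not Trend Micro's tooling or anything from the article. The package inventory is constructed sample data shaped like what one would collect with `adb shell pm list packages -s` and `adb shell dumpsys package <pkg>`; the package names and permission sets are invented, the permission identifiers are real Android ones, and the rule set and severities are this example's own policy.

```python
"""Triage pre-installed Android packages by risky permission combinations.

Added example (not from the article). The inventory is CONSTRUCTED: package
names and their permission sets are invented for illustration. In practice a
defender would fill it from `adb shell pm list packages -s` (system packages)
and `adb shell dumpsys package <pkg>` (requested/granted permissions).
"""
from dataclasses import dataclass

P = "android.permission."
SEVERITY = {"low": 1, "medium": 2, "high": 3}

# Rule name, permissions that must all be present, severity.
# The combinations reflect the plugin capabilities the article describes:
# SMS interception/exfiltration, overlay-based account takeover, silent
# installation of further payloads, and network activity that survives reboot.
RULES = [
    ("sms-exfil", {P + "READ_SMS", P + "INTERNET"}, "high"),
    ("sms-intercept", {P + "RECEIVE_SMS", P + "INTERNET"}, "high"),
    ("overlay-phishing", {P + "SYSTEM_ALERT_WINDOW", P + "INTERNET"}, "medium"),
    ("silent-installer", {P + "REQUEST_INSTALL_PACKAGES", P + "INTERNET"}, "medium"),
    ("boot-persistent-network", {P + "RECEIVE_BOOT_COMPLETED", P + "INTERNET"}, "low"),
]


@dataclass
class Package:
    name: str
    system: bool            # True if the package ships in the system image
    permissions: frozenset  # requested permissions, fully qualified


@dataclass
class Finding:
    package: str
    severity: str           # worst severity among the matched rules
    rules: list             # names of all matched rules, in RULES order


def triage(packages, allowlist=frozenset()):
    """Return findings for pre-installed packages that match at least one rule.

    Non-system packages are out of scope (the article is about factory
    firmware), and packages on the allowlist are skipped: the stock SMS app
    legitimately holds SMS plus INTERNET, so an allowlist of known-good vendor
    components is what keeps the output actionable.
    """
    findings = []
    for pkg in packages:
        if not pkg.system or pkg.name in allowlist:
            continue
        hits = [(name, sev) for name, needed, sev in RULES if needed <= pkg.permissions]
        if not hits:
            continue
        worst = max(hits, key=lambda h: SEVERITY[h[1]])[1]
        findings.append(Finding(pkg.name, worst, [name for name, _ in hits]))
    # Highest severity first, then by package name for stable output.
    findings.sort(key=lambda f: (-SEVERITY[f.severity], f.package))
    return findings


# CONSTRUCTED inventory: hypothetical package names under com.example.
SAMPLE_INVENTORY = [
    Package("com.android.messaging", True,
            frozenset({P + "READ_SMS", P + "RECEIVE_SMS", P + "SEND_SMS", P + "INTERNET"})),
    Package("com.example.oem.syncservice", True,
            frozenset({P + "READ_SMS", P + "RECEIVE_SMS", P + "INTERNET",
                       P + "RECEIVE_BOOT_COMPLETED"})),
    Package("com.example.oem.updater", True,
            frozenset({P + "INTERNET", P + "REQUEST_INSTALL_PACKAGES",
                       P + "RECEIVE_BOOT_COMPLETED"})),
    Package("com.example.oem.weather", True,
            frozenset({P + "INTERNET", P + "ACCESS_COARSE_LOCATION"})),
    Package("com.example.game", False,   # user-installed, out of scope here
            frozenset({P + "INTERNET", P + "READ_SMS"})),
]

# CONSTRUCTED allowlist: components the device owner has already vetted.
ALLOWLIST = frozenset({"com.android.messaging"})

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY, ALLOWLIST):
        print(f"{f.severity:6} {f.package}: {', '.join(f.rules)}")
```

Run against the sample inventory, the stock messaging app is skipped by the allowlist, the non-system game is ignored, and the two hypothetical vendor services surface with their matched rules, the SMS-capable one first. The rules are deliberately coarse; the point is to shortlist system packages for manual review (signing certificate, APK origin, network destinations), not to declare them malicious.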

According to Trend Micro, the data indicates that nearly nine million devices worldwide have fallen victim to this supply chain attack, with the majority located in Southeast Asia and Eastern Europe. While the researchers did not explicitly name the culprits, they did mention China multiple times in their discussion.

What is a Supply Chain Attack?

A supply chain attack is a malicious tactic employed by cybercriminals to target and exploit vulnerabilities within the interconnected network of suppliers, vendors, and service providers that contribute to the production and distribution of goods or services. Rather than attacking a specific target directly, the attackers infiltrate and compromise a trusted entity within the supply chain to gain unauthorized access or introduce malicious elements into the final product or service.

The objective of a supply chain attack is to exploit the trust placed in the compromised entity and use it as a stepping stone to reach the ultimate target. By compromising a trusted link in the supply chain, the attackers can gain access to sensitive information, introduce malware, tamper with products, or manipulate processes, leading to various detrimental outcomes.

There are different methods employed in supply chain attacks, including:

Software or Firmware Manipulation: Attackers target the software or firmware of products, inserting malicious code or vulnerabilities during the development or manufacturing process.

Vendor Compromise: Cybercriminals compromise a vendor or supplier's infrastructure to gain unauthorized access to sensitive data or systems and use them as a launching pad for further attacks.

Third-Party Component Exploitation: Attackers exploit vulnerabilities in third-party components integrated into products or services, leveraging these weaknesses to compromise the overall system.

Counterfeit Components: Malicious actors introduce counterfeit or compromised components into the supply chain, which can lead to security breaches or performance issues in the final product.

May 18, 2023