Malware infecting Androids somewhere in the supply chain

Smartphones from Samsung, LG, Xiaomi, ZTE, Oppo, Vivo, Asus and Lenovo have been spotted sporting malware they apparently carried when they were shipped. The malware discovered by Check Point Software Technologies included info-stealers, ransomware like Slocker; Loki, which shows “illegitimate advertisements” to generate …

  1. Syntax Error

    Flake

    The Android platform just got a bit flakier. Google don't seem to be doing very much about protecting their platform. Being "open source" looks pretty dumb and insecure for its users.

    I guess the security services and the government like it that way.

    1. Anonymous Coward

      Re: Flake

      Not sure how Google is supposed to prevent malware being deliberately added to the phone somewhere in the supply chain.

      1. Anonymous Coward

        Re: Flake

        "Not sure how Google is supposed to prevent malware being deliberately added to the phone somewhere in the supply chain."

        It's called a chain of trust. Say, a Windows Phone won't boot if it's been tampered with.

    2. PeterGriffin

      Re: Flake

      Let's not forget that when Apple declined to assist the FBI in unlocking that infamous iPhone the FBI was able to do so anyway with help from elsewhere. My point being that irrespective the device there will always be a method for the determined to gain access and don't be fooled by claims to the contrary from the manufacturer...

      1. Anonymous Coward

        @PeterGriffin

        What the heck do Android phones for sale with built-in malware have to do with the FBI paying an Israeli firm a million bucks to break into an iPhone running an older version of iOS and older, less secure hardware?

        No one broke into these Android phones to install malware on them. They were brand new, and had no passcode or any other security enabled. That's one advantage Apple has, they have much tighter control of the retail chain than any Android OEM. Not that this sort of thing would be impossible, someone could unbox them, jailbreak them, and pre-install crap for you, but the bar is a lot higher.

        1. AMBxx Silver badge
          Facepalm

          Cure advert from Blackberry

          Nope - their marketing department is far too dumb to take advantage of stuff like this.

    3. Anonymous Coward
      Thumb Down

      Re: Flake

      I have had a few iphones and a few android phones. I like Android better.

      I develop for both platforms and so try and keep them in pretty much factory standard mode to be as similar as possible to target devices.

      However, the fact that Android is open source is the opposite of dumb, because I can (if I choose to) root my phone and install Android from scratch and be sure that it is secure. I am more and more tempted to do that despite mostly just using my phone for email and games on the move.

      I'm not sure how giving me the opportunity to look after my own security and not have to rely on Apple's lawyers is a dumb thing.

      1. Michael Thibault

        Re: Flake

        It isn't about you. Sure, _you_ can root and re-install Android from scratch, and be secure thereby, but there's a common expectation, among the billions of purchasers of consumer goods that what they get on opening the package is what was put there--exactly, deliberately--by the manufacturer. And, let's not pretend that even single-digit percentages of those consumers are anything but completely copeless (and kept so) with regard to the words "appropriate technology". Which seems to be what has been applied here. Shame on the manufacturers for not having seen it coming and done something to prevent it, but that is the ever-devouring markets in operation...

      2. Sil

        Re: Flake

        That's the theory.

        In practice, do you have the time and the know-how to check hundreds of thousands of files for integrity and hidden malevolent code?

        Even being a formidable programmer doesn't mean you can spot highly technical security fails and/or devious code written by people with time and means to not appear as suspect.

        Assuming you do, can you spare the time, each and every time a file has been changed in the Android repository?
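The "chain of trust" mentioned in an earlier reply, and the file-integrity checking Sil asks about, as an added Python illustration (not from the article or from any commenter): a single trusted root hash vouches for the bootloader, the bootloader vouches for the kernel, the kernel vouches for a manifest of system files, and each file is compared against that manifest. All stage contents, file names and the `NEXT=` linking format are constructed for the example; a real device anchors the chain in a key or hash stored in fuses or ROM and uses signatures rather than bare hashes.

```python
"""Simulated verified-boot chain of trust (added example, constructed data).

Only the root hash has to be trusted up front. Every later stage is checked
against what the previously verified stage says it should be, so a single
modified byte anywhere down the chain stops the walk with a named failure.
"""
import copy
import hashlib
from typing import Dict, Tuple


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def manifest_bytes(files: Dict[str, bytes]) -> bytes:
    """Canonical manifest: sorted 'path:digest' lines (hypothetical format)."""
    lines = [f"{name}:{sha256(content)}" for name, content in sorted(files.items())]
    return "\n".join(lines).encode()


def build_image(bootloader: bytes, kernel: bytes, system_files: Dict[str, bytes]):
    """Link the stages: each stage ends with the digest of the one after it.
    Returns (root_hash, stages); root_hash is the trust anchor."""
    manifest = manifest_bytes(system_files)
    kernel_blob = kernel + b"\nNEXT=" + sha256(manifest).encode()
    boot_blob = bootloader + b"\nNEXT=" + sha256(kernel_blob).encode()
    stages = {"bootloader": boot_blob, "kernel": kernel_blob,
              "manifest": manifest, "system": dict(system_files)}
    return sha256(boot_blob), stages


def expected_next(blob: bytes) -> str:
    """Digest an already-verified stage vouches for its successor."""
    return blob.rsplit(b"\nNEXT=", 1)[1].decode()


def verify_boot(root_hash: str, stages: dict) -> Tuple[bool, str]:
    """Walk the chain from the anchor; stop at the first mismatch."""
    boot = stages["bootloader"]
    if sha256(boot) != root_hash:
        return False, "bootloader does not match root of trust"
    kernel = stages["kernel"]
    if sha256(kernel) != expected_next(boot):
        return False, "kernel does not match bootloader's expected digest"
    manifest = stages["manifest"]
    if sha256(manifest) != expected_next(kernel):
        return False, "system manifest does not match kernel's expected digest"
    # The manifest is now trusted, so each file can be checked against it.
    expected = dict(line.rsplit(":", 1) for line in manifest.decode().splitlines())
    files = stages["system"]
    if set(files) != set(expected):
        return False, "file set differs from manifest"
    for name, content in files.items():
        if sha256(content) != expected[name]:
            return False, f"{name} has been modified"
    return True, "ok"


# Constructed sample firmware: two preloaded apps, one of which a supply-chain
# tamperer might swap for an adware build.
SAMPLE_FILES = {"app/Mail.apk": b"mail client build 17",
                "app/Preload.apk": b"carrier preload 3"}
ROOT_HASH, GOOD_IMAGE = build_image(b"bootloader v1", b"kernel 4.4.21", SAMPLE_FILES)


def tampered_image(path: str, new_content: bytes) -> dict:
    """Copy of the good image with one system file replaced after build time."""
    img = copy.deepcopy(GOOD_IMAGE)
    img["system"][path] = new_content
    return img


if __name__ == "__main__":
    print(verify_boot(ROOT_HASH, GOOD_IMAGE))
    print(verify_boot(ROOT_HASH, tampered_image("app/Preload.apk", b"carrier preload 3 + adware")))
```

The point for the two comments above: the owner never has to audit the files by hand. Whoever builds the image does the expensive work once, and the device repeats only cheap hashing on every boot, refusing to run anything the trusted chain did not vouch for.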

    4. Anonymous Coward

      Re: Flake

      "The Android platform just got a bit flakier"

      Linux + Java is pretty much the worst combination imaginable, so not exactly surprising. The worst OS for security vulnerability counts + the crappest middleware....

      1. Anonymous Coward

        Re: Flake

        You know that iOS is worse than Android for security vulnerabilities right? Have you looked at the stats recently? 2015 - iOS, Flash, MacOS, Windows all higher than Android. 2016 ditto...

    5. Anonymous Coward

      Re: Flake

      Google do a lot to protect their platform. You need to stop listening to scareware vendors on the Internet. Seriously, would you trust these companies to provide any security products, given their marketing tactics? I wouldn't...

      https://i.kinja-img.com/gawker-media/image/upload/s--DCQ3tMp2--/c_scale,fl_progressive,q_80,w_800/193dtvab4yyfmjpg.jpg

      1. Anonymous Coward

        Vulnerability counts

        Jesus what is it with you idiots thinking vulnerability counts mean anything? Linux distributions include a far wider range of software than Windows does, so of course they will have more security issues. Plus there are multiple distributions, so the same issue will be reported multiple times. You would need to include Windows with Windows Server, IIS, SQL Server, Exchange, Office, Outlook, Skype plus a bunch of third party software to equal all the things that ship as part of RHEL.

        As for iOS, Apple is the ONLY company that reports every single security issue they fix to get a CVE number assigned - even issues they discover internally. Read Android's release notes next time and note all the security issues that get fixed without a CVE number. All of Apple's security fixes include a CVE number, so their count is artificially much higher.

        Even without that, there are plenty of ways to count things. You could discover 12 bugs in a single component, and if they are reported all at once, get a single CVE that covers them all. Or you could file them all separately either deliberately or because they weren't all discovered at the same time, and end up with a lot of CVEs assigned for the same component that has a common fix.

        1. Anonymous Coward

          Re: Vulnerability counts

          "Linux distributions include a far wider range of software than Windows does, so of course they will have more security issues"

          Enterprise Linux has historically still had far more than Windows Server in a package matched install though.

  2. G R Goslin

    Why?

    Why is it that only the bad guys seem to have system privileges? It puts the user (owner) in a totally helpless position, even if he knows that there is a problem

  3. Anonymous Coward

    Another day, another Android clusterfuck...

    Used to love smartphones had many early HTC XDA's - no complaints. Now though, I just use a $20 disposable phone. Amazed more people haven't rebelled against the tech that's selling them out. For example, if the phones are used for something standard like online banking etc, who will be liable?

    1. Anonymous Coward

      Re: Another day, another Android clusterfuck...

      Yep, smartphones are beyond help. They're like the web but without the sandbox.

    2. wayward4now
      Mushroom

      Re: Another day, another Android clusterfuck...

      Flip phones and BBS's. To hell with the Internet!

    3. Flywheel
      Facepalm

      Re: Another day, another Android clusterfuck...

      Amazed more people haven't rebelled against the tech that's selling them out

      "More people" would be the people that don't give a fsck about anything as long as their social network and fruit-bursting games still work. These'll be the same people that also don't give a fsck about Vault 7 and the Snoopers Charter.

  4. Anonymous Coward
    Gimp

    New Xiaomi on the way

    (SWMBO managed to get my last one crushed - don't ask).

    At least reflashing the ROM is easy, and usually the first thing I do when a new phone arrives, as they never seem to update the ROMS they install at the factory - so it can be several patched versions behind when I get my sweaty hands on it.

    Xiaomi Fanboi - that's me.

    1. Anonymous Coward

      Re: New Xiaomi on the way

      Presumably no hope of repair then?

      I did find that one vendor has consistent issues with cracked flash chips, can you guess which?

      The MB is fine apart from that one part; every other component looks fine.

      1. Anonymous Coward

        Re: New Xiaomi on the way

        I managed to not notice it dropping from my pocket into the office waste paper bin - on bin collection day; and she managed to not notice when changing the nearly empty bin bag 10 minutes later.

        By the time I realised my phone was not in my pocket - and tried to ring it and follow the ring tone, it was already crushed and dead in the back of the rubbish lorry.

        Gutted, it was my Christmas present to myself, and I had a few photos of my daughter being really cute that I hadn't uploaded to my NAS that day.

        REALLY gutted; it was only a few days outside of the cover you get for Credit Card purchases.

  5. Anonymous Coward
    Black Helicopters

    NSA, CIA, GCHQ all like to brag about their access to the supply chain, right?

    No, probably not them, considering the rather commercial nature of the malware concerned. Instead, it is probably some corrupt SOBs who are involved in moving the phones from the OEM to the carrier's store, and some scammer/spammer scum who agreed to slip them a little on the side in return for placing the desired malware on the devices in transit.

    But if it were a sigint operation...

    1. NonSSL-Login
      Big Brother

      Re: NSA, CIA, GCHQ all like to brag about their access to the supply chain, right?

      "NSA, CIA, GCHQ all like to brag about their access to the supply chain, right?

      No, probably not them, considering the rather commercial nature of the malware concerned."

      --------

      'Lets make it look like ad-revenue stealing malware so we have plausible deniability' - NSA and CIA manual page 125

      Jokes aside, we know from document leaks that they will use foreign language in code and make fake username/Desktop directories in such a way as to avoid attribution. As much as you might think this is not state sponsored, this would be the perfect way to disguise the fact if it was.

      1. rtb61

        Re: NSA, CIA, GCHQ all like to brag about their access to the supply chain, right?

        Probably is them. Consider all the corrupt law enforcers that have been arrested for criminal actions. Now consider the dick perves who get an ego rush out of spying on people. So whilst they are corruptly hacking phones for their corrupt government, would they hack some phones for themselves? Hmm, let me think... YES.

        Especially considering the cover they would get from their own government because they can not exactly publicly prosecute them, without prosecuting themselves. Now add contractors into that toxic mix and it will and likely does spread pretty widely.

    2. John Brown (no body) Silver badge

      Re: NSA, CIA, GCHQ all like to brag about their access to the supply chain, right?

      "Instead, it is probably some corrupt SOBs who are involved in moving the phones from the OEM to the carrier's store, and some scammer/spammer scum who agreed to slip them a little on the side in return for placing the desired malware on the devices in transit."

      I'd have thought it more likely someone in the telco/retailer responsible for localising/branding the phone from factory defaults. They have the tools and the access and it's probably outsourced to a 3rd party in China/Thailand/Taiwan/India etc.

  6. a_yank_lurker

    Source?

    Any ideas of when it got slipped in? Also, any specific carriers affected?

  7. Anonymous Coward

    It shouldn't be that hard to track down the guilty party. That's a lot of devices, there must be a common source or we'd see this popping up everywhere.

    It sounds like they were targeting a specific company, probably for corp. espionage.

    (Collecting personal information from the phones, for a password hack on the corp. network)

  8. Zog_but_not_the_first
    Devil

    For starters...

    My phone came with Farcebook installed, which cannot be uninstalled. That fits the malware description all right.

    1. wayward4now
      Paris Hilton

      Re: For starters...

      Just tell "farcebook" that you are a registered sex offender. They will uninstall you so quick it would make your head spin.

  9. Conundrum1885

    My data point

    Alcatel Onetouch POP2 45, defective out of the box.

    Had endless trouble with popups, excessive bandwidth use etc, even put Kaspersky on it but all that did is slow the phone down even more.

    This particular unit seemed to have fakeflash as well, as it only let you use 1GB of the internal memory

    yet it had "2.97GB free".. yeah right.

    LCD later failed for good measure so I gave it up as a lost cause.

    Hint: if anyone wants it for forensics purposes and has a somewhat working screen unit with good cable feel free to send it in my general direction!

  10. This post has been deleted by its author

  11. Alpc

    I wonder...

    ...if Blackberry's DTEK app would pick these infections up. Has anyone tried it on a pre-infected Android phone?

  12. RyokuMas
    Trollface

    "Smartphones from Samsung, LG, Xiaomi, ZTE, Oppo, Vivo, Asus and Lenovo have been spotted sporting malware they apparently carried when they were shipped."

    Yup - it's called "Google's version of the Android OS"

  13. JimmyPage Silver badge
    FAIL

    TBH, I wouldn't even bother to try and hide malware ...

    The amount of shite that network/operator supplied devices come with pre-installed (uninstallable and in some cases undisable-able) you could smuggle a forest of malware past the average user.

    "What's this app for ?"

    "What's that app for ?"

    "Oh look, there's an app with the operator's logo. What's that for?"

    In years to come, one of the seven ages of man will be when he gets fed up of network/operator locks and cruft, and buys a plain unlocked phone as standard.

  14. Terry 6 Silver badge

    Deliberate cynical flaw

    The Android OS comes designed so that the user has no control of the software that has been preloaded on their own machines, whether they like or want it or not. This is overtly cynical. The software sits on your device without your having any choice in the decision. (A model that MS seem to like enough to have emulated, BTW.) This is, and always was, wrong in principle. It takes choice away from the consumer and forces software on them. There are big leaps from just having a pre-installed inbuilt unremovable OS that users choose to buy into, to a preinstalled OS with unwanted and undeclared software bloat, to an inbuilt OS with unremovable software bloat.

    Making it unremovable is no different from saying that "we're going to make you have it, whether you like it or not." Because, if we wanted it we wouldn't want to remove it.

  15. Nano nano

    Modular

    I just wish you could replace/update the components in Android rather than having to update the whole distro
