The service in question is used to install apps on over 1 million devices each month

Mar 31, 2014 11:57 GMT

Earlier this month, to mark the World’s Consumer Rights Day, China’s leading TV station CCTV demonstrated how companies could easily pre-install malware on millions of Android smartphones.

Kaspersky’s Dong Yan has detailed the TV station and the security firm’s findings in a blog post. One piece of malware that’s been pre-installed on a large number of Android devices has been dubbed “DataService” (Trojan.AndroidOS.Uupay.a).

The threat is capable of collecting information on the infected device, such as IMEI, MAC, phone model and a list of installed apps. It can also push ads, and download and install additional applications onto the smartphone.

When it’s installed, it requests permission to access a lot of services, including access to the network, the Internet, SMSs, location, Wi-Fi, and contacts.

One of the servers with which DataService communicates is associated with an unofficial Chinese Android market website. The site in question has been found to distribute numerous applications that hide the malware.

But how does the malware end up being pre-installed on brand new phones? Experts say that a company called Goohi, which is affiliated with the Datang Telecom Technology & Industry Group, is responsible.

The company has a service that enables its more than 4,600 members to pre-install Android applications on the phones they sell. Each time one of these members installs an application, it is paid between 10 and 50 cents.

More than 46 million apps are installed on over 1 million phones every month with the aid of a product called Datang Fairy Artifact. The device, which looks something like an old iPod, is capable of installing every application stored on it onto an Android phone in just minutes.

Goohi has admitted collecting information through the applications it distributes, but the company claims they’re not harvesting anything sensitive, only statistical data. On the other hand, experts have found a connection between Goohi’s app pre-installation service and an Android Trojan (Trojan-Spy.AndroidOS.Agent.k) that does collect sensitive data.

This particular threat uploads call logs to a remote server. The IP address of the server is related to goohi.cn.

Malware designed to target Android phones is becoming more and more common. Last week, experts revealed the existence of a piece of malware that can use infected devices to mine for virtual currencies, such as Litecoin, Dogecoin and Casinocoin.

Additional technical details on malware pre-installed on Android phones are available on Kaspersky’s Securelist blog.