Infected Android

The abundance and variety of low-cost Android phones is one of the reasons that Android has become so popular around the world. Unfortunately, low-priced phones could also mean less operating revenue and thus possibly weaker quality control. Such is the case with a cheap Android phone that costs $110 USD and has a remote access trojan (RAT) preinstalled.

In 2017, researchers at Sophos saw a post where a user stated that their security software was constantly complaining about an app called Sound Recorder that was preinstalled on the phone.

To investigate further, Sophos purchased the reported uleFone S8 Pro. When they analyzed the phone, they discovered that the preinstalled Sound Recorder app was actually a malicious variant that had capabilities similar to a remote access trojan (RAT) and a backdoor.

While it is not uncommon for phone manufacturers to preinstall software and generate revenue from it, in this case the quality control was not adequate to spot that the Sound Recorder app that was installed was not the legitimate version.

As the comparison image shows, the malicious version had extra code added to it compared to the legitimate version.

Malicious Sound Recorder and Legitimate Version Comparison

While the RAT was running, Sophos stated, it would transmit information to a remote server, including:

  • The device’s phone number
  • Location information, including longitude, latitude, and a street address
  • IMEI identifier and Android ID
  • Screen resolution
  • Manufacturer, model, brand, OS version
  • CPU information
  • Network type
  • MAC address
  • RAM and ROM size
  • SD Card size
  • Language and country
  • Mobile phone service provider

The app also had the ability to perform backdoor functions such as:

  • Download and install apps
  • Uninstall apps
  • Execute shell commands
  • Open URL in browser (though this function appeared to be a work in progress in the sample we analyzed)
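A triage check a defender could run on a preinstalled app, added here as an example and not taken from Sophos or the article: it diffs the permissions requested by the on-device build against a known-good build of the same app and labels each extra permission with the capability it could enable. The `aapt dump permissions` output, the package name `com.example.soundrecorder` and the permission-to-capability mapping are all constructed assumptions; the real sample's manifest is not given on this page.

```python
import re

# Assumption (not from the article): Android permissions that gate the data
# categories and backdoor functions listed above.
RISK_MAP = {
    "android.permission.READ_PHONE_STATE": "phone number, IMEI, service provider",
    "android.permission.ACCESS_FINE_LOCATION": "location (latitude/longitude)",
    "android.permission.ACCESS_COARSE_LOCATION": "location (approximate)",
    "android.permission.ACCESS_WIFI_STATE": "MAC address",
    "android.permission.INSTALL_PACKAGES": "download and install apps",
    "android.permission.DELETE_PACKAGES": "uninstall apps",
    "android.permission.INTERNET": "transmit data to a remote server",
}

# Accepts both `aapt dump permissions` styles:
#   uses-permission: name='android.permission.X'   and   uses-permission: android.permission.X
PERM_RE = re.compile(r"^uses-permission:\s*(?:name=')?([A-Za-z0-9_.]+)'?", re.M)

# Constructed sample input: known-good build of a sound recorder.
REFERENCE_DUMP = """\
package: com.example.soundrecorder
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE'
"""

# Constructed sample input: the build found preinstalled on the device.
DEVICE_DUMP = REFERENCE_DUMP + """\
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_PHONE_STATE'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: android.permission.INSTALL_PACKAGES
uses-permission: android.permission.DELETE_PACKAGES
uses-permission: name='android.permission.RECEIVE_BOOT_COMPLETED'
"""

def parse_permissions(dump):
    """Return the set of permission names requested in one aapt dump."""
    return set(PERM_RE.findall(dump))

def extra_permissions(reference_dump, device_dump):
    """Map each permission only the device build requests to what it enables."""
    extra = parse_permissions(device_dump) - parse_permissions(reference_dump)
    return {p: RISK_MAP.get(p, "unmapped, review manually") for p in sorted(extra)}

if __name__ == "__main__":
    for perm, risk in extra_permissions(REFERENCE_DUMP, DEVICE_DUMP).items():
        print(f"{perm}: {risk}")
```

A permission diff only shows what the app is allowed to do; confirming behaviour still requires inspecting the code and network traffic, as Sophos did.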

According to a report by Avast, this is not the first time low cost Android phones had malware preinstalled on them. In 2016, it was reported that numerous Android phones were shipping with malware, but even after this was reported to the manufacturers, nothing was done.

Similarly, Sophos has tried to contact MediaTek, the CPU and firmware manufacturer for the phone, but never heard back.

"We’ve spent the past several weeks trying to reach the company to alert them to these issues, but haven’t received a response despite using multiple methods, repeatedly, to try to contact them."

While this does not mean that people shouldn't buy inexpensive phones, it does mean that buyers need to do more research and know what they are getting into.
