Security researchers have found malware hidden in the firmware of several low-end Android smartphones and tablets, malware which is used to show ads and install unwanted apps on the devices of unsuspecting users.
According to a report, the following 26 Android device models are affected:
The common link between all these devices is that all are low-cost devices, mostly marketed in Russia, and which run on MediaTek chipsets.
According to security researchers from Dr.Web, a Russian antivirus vendor, the malware appears to have been added to the firmware of these devices by "dishonest outsourcers who took part in [the] creation of Android system images decided to make money on users."
The security firm has informed MediaTek and the device vendors about this issue so the affected companies can inspect their distribution chain and find the possible culprits.
The malware found on these devices is codenamed Android.DownLoader.473.origin. According to Dr.Web, this malware will collect data about the infected devices, contact a C&C server, and download and install other apps based on the instructions it receives from this server.
Currently, this malware is forcibly downloading and installing the H5GameCenter app. This application is a Play Store-like app catalog that allows users to install other apps. The app is considered extremely intrusive because it shows its icon (an open blue box) floating above other apps non-stop, such as in the image below, and without an option to disable this behavior.
If users remove the H5GameCenter app, the firmware malware will reinstall it at a later point.
Last month, in the period of one week, security researchers from Kryptowire and Anubis Networks found backdoors in the firmware provided by two Chinese software vendors, Shanghai Adups Technology Co. Ltd. and Ragentek Group.
The firmware provided by these two companies had been embedded in a large number of low-end Android smartphones and granted attackers complete control over the affected phones.