Security Week 24: factory backdoors on Android smartphones

Last week was rich in news about the safety of Android smartphones. In many media outlets (for example, in ArsTechnica ) they wrote that Google “confirmed” the fact of selling smartphones with a backdoor pre-installed at the factory. The reason for such headlines was quite technical article by Google expert Lukasz Siverski with analysis of Triada mobile malware family.

Triada has been known to researchers (including, of course, the Google team) since 2016. For the first time, backdoor was described by Kaspersky Lab specialists ( here and here ). These two materials describe in detail the introduction of malicious code into the operating system (still in Android 4.x), collecting and sending data about the user, as well as modifying several browsers to show advertising banners.

What really is of interest in the post of the representative of the Android Security Team is the answer to the question of how exactly the malicious code got into the firmware of the phones. The developers of Chinese budget devices turned to contractors to develop additional features. Through such a contractor, a backdoor was built into the system.

A study by Kaspersky Lab 2016 describes a variant of Triada, which could be pre-installed on the phones of Chinese manufacturers, but was also able to attack any other smartphones. Triada exploited vulnerabilities in the current version of Android 4.x. A unique feature of the backdoor was the ability to embed a key Android process, known as Zygote.
')

This approach provided the Trojan with almost complete control over the device. The Android Security Team article describes in detail one more detail: Triada used a modified su binary to gain control over system processes. He gave applications superuser privileges only if they made a request with the correct password.
Also in the post of Lukasz Siverski describes how the backdoor tracked what application the user opened. If it was a browser, ads were displayed on top of it. If you opened the Google Play store, Triada in the background downloaded and installed applications from its own command server.

In 2017, Dr.Web in its study provided examples of smartphones infected with the “factory” backdoor: Leagoo M5 Plus, Leagoo M8, Nomu S10 and S20. Inexpensive (about $ 100) devices were sold both in China and in the West, some of which can still be found in Chinese online stores.


In a recent article, Google reveals the implementation scheme of the “factory” version of Triada (see image above). Apparently, the suppliers of smartphones appealed to third-party companies to include additional functionality in the firmware of the device, which is absent in the Android Open Source project. To do this, the contractor (mentioned by Yehuo and Blazefire) sent the image of the system. He returned with an appendage - both legitimate (unlocking on the face of the owner) and malicious. Google said that, together with the device developers, they removed traces of the backdoor from the firmware.

But, apparently, only this backdoor. On June 7, representatives of the Information Security Administration (BSI) of Germany reported ( news ) about the discovery of the Xgen2-CY backdoor in four budget smartphones. The Doogee BL7000, M-Horse Pure 1, Keecoo P11 and VKworld Mix Plus models collect user information and send it to the command server, and are able to install applications and open browser pages without the user's knowledge. Only for the Keecoo P11 model (5.7 inches, 4 cores, 2 gigabytes of memory, $ 110 on GearBest) an updated version of the firmware without a backdoor is available. According to BSI, up to 20 thousand devices access the C & C servers of attackers from German IP.

In general, the problem is not completely solved, and the recommendation for consumers will probably be this: think twice before buying a cheap smartphone of a dubious brand. Last July, we quoted the Motherboard publication article, which described a cheap replica of the iPhone X from China. The device sent user information to the right and left. Such crafts outside of China usually do not fall, but some "international" devices are no better. While we are discussing privacy issues and the practice of collecting user data by all market participants, tens of thousands of people around the world are victims of overt cybercrime.

Disclaimer: The opinions expressed in this digest may not always coincide with the official position of Kaspersky Lab. Dear editors generally recommend to treat any opinions with healthy skepticism.