Smartphone malware planted in popular apps pre-sale
Tue 1 Sep 2015

Over 20 popular smartphone models have been pre-installed with malware and marketed as brand new, according to a report from cybersecurity firm G Data.
The handsets had been sold by third-party vendors across Asia and Europe, and included devices from big players such as Lenovo, Xiaomi and Huawei. They were infected prior to sale with intelligent malware disguised in popular apps such as Facebook.
G Data had been notified about the problem after users had complained of a quarantined file that could not be removed.
The researchers suspect that the illegal software was used to collect private metadata, among other personal information stored on the device. According to the research report, in some cases the malware was reading and sending messages, installing other apps, collecting and modifying call data, gathering location details, and recording phone conversations.
“Somebody is unlocking the phone and putting the malware on there and relocking the phone,” explained G Data security expert Andy Hayter. He added that even if a user discovers the malware, it is extremely difficult to remove it without returning the smartphone to the manufacturer – “You can’t take it off there unless you unlock the phone.”
Ray Gorman, Lenovo executive director of external communications, commented in an email response: “We always recommend customers transact with authorized distribution channels and only accept merchandise that comes in an official box with original factory seals.”
Earlier this year, G Data contemporary Marble Security found a fake, pre-installed version of Netflix had been stealing personal data from several smartphone models, including the Samsung Galaxy range and the LG Nexus, and transmitting its swag to a server in Russia.
David Jevans, CTO and founder at Marble, advised that an application’s hash, a fingerprint computed from the exact contents of the software, should be checked against that of the legitimate programme before installation at the factory.
In addition, he suggested that the app’s security certificate should be verified to ensure legitimacy – “People aren’t checking the apps that are on these things.”
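The hash check Jevans describes can be sketched as follows. This is an added example, not code from G Data, Marble or any handset vendor: it compares every APK in an extracted system image with a manifest of known-good SHA-256 digests. The manifest layout, directory names and file contents are constructed for illustration, and the certificate check is not covered.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk=65536):
    """Stream the file so large APKs are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def audit_image(root, manifest):
    """Compare every .apk under root with the known-good manifest.

    manifest maps a path relative to root to the expected SHA-256 hex digest
    (an assumed format for this example).
    """
    root = Path(root)
    found = {p.relative_to(root).as_posix(): sha256_file(p)
             for p in sorted(root.rglob("*.apk"))}
    return {
        "tampered": sorted(n for n, h in found.items()
                           if n in manifest and h != manifest[n]),
        "unexpected": sorted(n for n in found if n not in manifest),
        "missing": sorted(n for n in manifest if n not in found),
    }


def demo():
    """Constructed sample image: one swapped app, one extra, one removed."""
    good = {"app/Facebook.apk": b"genuine build",
            "app/Browser.apk": b"stock browser",
            "priv-app/Dialer.apk": b"stock dialer"}
    manifest = {n: hashlib.sha256(d).hexdigest() for n, d in good.items()}
    on_device = dict(good)
    on_device["app/Facebook.apk"] = b"genuine build + added payload"  # repackaged
    on_device["app/Updater.apk"] = b"not in the factory manifest"     # added
    del on_device["priv-app/Dialer.apk"]                              # removed
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in on_device.items():
            target = Path(tmp, name)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return audit_image(tmp, manifest)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

Reporting apps that are absent from the manifest matters as much as reporting mismatches, since an added app has no legitimate hash to disagree with.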