Security experts are warning of a new Chinese trojan which they have discovered pre-loaded onto low-end smartphones popular in Asia and Africa.
DeathRing is disguised as a ringtone app but in reality downloads SMS and WAP content from its command-and-control server to the victim’s phone, according to mobile security vendor Lookout.
This enables the attackers to phish personal information via fake texts or prompt the victim to download more malware disguised in APKs, the firm claimed.
The malware itself is activated either after the phone is powered down and rebooted five times or after the victim has been ‘away and present’ 50 times.
The devices affected – from the likes of Samsung, Karbonn and others – are typically popular in developing countries.
The discovery is similar to the pre-loaded MouaBad campaign spotted by Lookout earlier this year.
However, it’s extremely unlikely the two are connected as the code is very different, senior security product manager, Jeremy Linden, told Infosecurity.
“The malware authors are flashing the malware variants onto the firmware of phones headed to consumers. This is a unique and risky distribution model, likely to be executed by someone who has inserted himself into the distribution chain,” he added.
“With MouaBad, we know that the bad guys were using the same signer as the operating system creator for some of the phones. This would suggest that the malware writers are even closer to the firmware, perhaps even bundling the malware and the OS at the same time.”
The likelihood of a similar attack affecting higher-end devices is unlikely given that manufacturers for these phones have stricter control over supply chains, Linden argued.
“However, like all malware, where the money is, the malware technology follows. If authors find this distribution method to be lucrative, they may evolve to attack the bigger fish.”