Showing posts with label google play. Show all posts

Wednesday, June 18, 2014

WARNING: Chinese Smartphones Contain Built-In Android Malware

There is a Chinese clone of the Samsung smartphone that steals personal data using a virus disguised as Google Play!

A Chinese Android smartphone that is selling on Amazon, eBay and other online stores has been found to contain a virus that pretends to be the Google Play Store.

This virus steals the user’s data when the user logs on to the bogus store.

The Star N9500 resembles Samsung’s Galaxy S4 Android smartphone.  It is manufactured in China, but the phone is sold through resellers located in Belfast and Hong Kong.

The Trojan is known as “Uupay.D”, and it is disguised as the Google Play Store.  It comes pre-installed on the Android smartphone and cannot be removed by the user, according to German security company G Data.

G Data has analyzed one of the smartphones purchased directly from the factory in China and verified its vulnerability.

The scary aspect of this is that online criminals have full access to these smartphones.

All Access

The malware on these Android phones steals personal data from the phone and sends it to an anonymous server located in China.  This Android malware is also capable of installing additional applications or viruses without the user’s knowledge.







The only thing users see is an app with the Google Play Store icon among the running processes.  The virus enables criminals to track the location of the smartphone, intercept and record phone calls, make purchases and send premium text messages without the user’s permission.  All of this happens discreetly and in disguise.

The authentic phone usually costs £500, while the Chinese smartphones are going for £120.  Reviews of this product range from one to five stars, although users complain about the poor quality and report that the phone starts to break down after a couple of months.

The device is offered with an extensive list of accessories which includes a second battery, car charging adapter and second cover.

The low price of a smartphone with such a wide range of features is a criminal tactic, according to Geschkat, a product manager at G Data.

Buyers Beware:  Cheap offers online that seem tempting should make buyers suspicious.  There is no such thing as free.

Android accounted for 97% of the malware targeted at mobile devices last year.  This is an increase of 20% a year, according to data from security firm F-Secure.

Even though this malware is already installed onto these devices from the Google Play store, it accounts for only 0.1% of malware.

Malware from these Android phones can’t be blamed for all accounts.

The majority of all malware is downloaded from third-party app stores including the Chinese stores Baidu and Anzhi, where access to Google Play is restricted.

Have you come across these phones?  We’d love to hear from you. Please leave your comments below!

References:

Gibbs, Samuel
Chinese smartphone on sale on Amazon and eBay contains built-in malware – The Guardian
http://www.theguardian.com/technology/2014/jun/18/chinese-smartphone-samsung-amazon-ebay-malware-google-play
Published: June 18, 2014



Friday, July 12, 2013

Android gets Attacked: Breaking Cryptographic Signatures

The weakened Android apps allow hackers to break signatures


An Android vulnerability affecting more than a million devices allows attackers to turn legitimate apps into Trojan programs.   When an application is installed, Android records its digital signature and creates a sandbox for it.  Updates to the app must be cryptographically signed by the same author, which verifies that they haven't been altered.  Researchers from mobile security company Bluebox Security disclosed a vulnerability in the way Android verifies these digital signatures that allows attackers to modify apps without breaking the signature.  The flaw has apparently existed for the past four years!



Infected Android Apps

Tricky Tricky


Android records an app's digital signature so that it can be matched against the signatures of later versions to verify that they came from the same author.  The Android security model ensures that sensitive data stored by an application in its sandbox can be accessed only by later versions of that application that are signed with the original author's key.  The flaw lets attackers add malicious code to already signed APKs without breaking their signatures.

The Android security model safeguards the sensitive data stored by an application in its sandbox, so that it can only be viewed by new versions of that application that are signed with the author's original key.  The vulnerability found by Bluebox allows attackers to gain full access by modifying signed apps and then distributing them as Trojan apps: sending them via email, uploading them to a third-party app store, hosting them on any website, or copying them to the targeted devices via USB.

Pau Oliva Fora, a mobile security engineer who works at security firm ViaForensics, developed a proof-of-concept Linux shell script that can be used to modify an app in a way that exploits the flaw. The code works with the APKTool program and was released this past Monday on GitHub.


"It's a problem in the way Android handles APKs that have duplicate file names inside," Oliva Fora said Tuesday via email. "The entry which is verified for signature is the second one inside the APK, and the entry which ends up being installed is the first one inside the APK -- the injected one that can contain the malicious payload and is not checked for signature at all."
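The duplicate-name condition Oliva Fora describes can be checked for before an APK is installed or accepted into a store. The following is an added example, not code from the original post or from the researchers: the function names and the sample archive (placeholder bytes, not a real APK) are constructed for illustration.

```python
import hashlib
import io
import warnings
import zipfile
from collections import defaultdict


def scan_apk(apk_bytes):
    """Return {entry_name: [sha256 of each copy, in archive order]}
    for every entry name that occurs more than once in the archive."""
    by_name = defaultdict(list)
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        # infolist() keeps every central-directory record, including
        # repeated names; a lookup by name would only return one of them.
        for info in zf.infolist():
            digest = hashlib.sha256(zf.read(info)).hexdigest()
            by_name[info.filename].append(digest)
    return {name: d for name, d in by_name.items() if len(d) > 1}


def build_sample(names):
    """Constructed test archive: one placeholder payload per listed name."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        # zipfile warns about duplicate names when writing; expected here.
        warnings.simplefilter("ignore", UserWarning)
        with zipfile.ZipFile(buf, "w") as zf:
            for i, name in enumerate(names):
                zf.writestr(name, b"placeholder-%d" % i)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample(["AndroidManifest.xml", "classes.dex", "classes.dex"])
    for name, digests in scan_apk(sample).items():
        differ = len(set(digests)) > 1
        print(f"REJECT: {name} appears {len(digests)} times, contents differ: {differ}")
```

A well-formed APK never needs two entries with the same name, so any non-empty result is grounds to reject the file regardless of whether the copies differ.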


Response from Google


Google made changes to Google Play so that it detects apps modified in this way and patches the problem, and shared the information with device manufacturers.  Installing applications from sources other than Google Play is known as sideloading, and apps installed this way are potentially vulnerable to tampering.  However, if an adversary manually installs a malicious update for an app, the app will be replaced and the new version will no longer interact with the app store.

It has been confirmed that one third-party device, the Samsung Galaxy S4, already has the fix.   Google is now working on a fix for the Nexus devices, although nothing has been completed.

The gradual distribution of patches in the Android ecosystem has been criticized by both security researchers and Android users.  According to statistics that Duo Security gathered through its X-Ray Android vulnerability assessment app, more than half of Android devices are vulnerable to at least one of the known Android security flaws.

It's good to check apps before you install them: do some research and look at the reviews.

References:

Vulnerability allows attackers to modify Android apps without breaking their signatures - PCWorld
http://www.pcworld.com/article/2043610/vulnerability-allows-attackers-to-modify-android-apps-without-breaking-their-signatures.html
July 3, 2013

Proof-of-concept exploit available for Android app signature check vulnerability - ComputerWorld
http://www.computerworld.com/s/article/9240645/Proof_of_concept_exploit_available_for_Android_app_signature_check_vulnerability
July 9, 2013

Researchers find another Android attack that can get past signature checks - InfoWorld
http://www.infoworld.com/d/mobile-technology/researchers-find-another-android-attack-can-get-past-signature-checks-222532
July 11, 2013

Quick & dirty PoC for Android bug 8219321 discovered by BlueboxSec - GitHub
https://gist.github.com/poliva/36b0795ab79ad6f14fd8
July 8, 2013


