Chinese Cell Phones Ship Preloaded with Malware

September 24, 2020 | 2 min read


“Life in the SOC” is a Blog Series that shares experiences of the BlueVoyant SOC defending against the current and prevalent attacks encountered by our clients. The blogs discuss successful detection, response and mitigation actions that can improve your defensive capabilities.

Software embedded in phones manufactured in China have once again been found to contain preloaded malware. In BuzzFeed news and Secure-D reporting from late August, the Chinese made smartphones were outed for stealing data and money from users across the African continent. Follow-on reporting revealed the phones were being sold in the Australian market as well.

As it turns out, several Tecno brand phones from the mobile manufacturer Transsion were discovered preloaded with xHelper and Triada malware. The malware is used to download unwanted applications and subscribe to paid services automatically, draining the pockets of the victims who may be some of the poorest in the world. Furthermore, victims routinely complain about all the pop-ups that affect their usability.

Because the malware is preloaded, a factory reset on the device does not resolve the issue and permissions to make changes have been hidden. Secure-D operates a service for mobile carriers to protect their networks and customers from fraud; the company reported blocking +840K transactions from the preinstalled malware on Transsion phones from March to December 2019.

In response to the article, a Transsion spokesperson cast blame on an unidentified vendor along the supply chain. Transsion is the fourth-largest mobile phone manufacturer in the world and is the lone company among the top four to market exclusively to low-income markets.

The tactic is not new. Previous reporting in January 2019 by Secure-D uncovered preinstalled malware built by TCL Communication (another Chinese handset maker) on Alcatel phones sold in Brazil, Malaysia, and Nigeria. In mid-2018, Chinese-associated technology built into low-cost

smartphones in Brazil and Myanmar plagued victims with phony purchases.

Research by Malwarebytes Labs reported in January and July 2020 showed pre-installed malware was loaded on mobile devices used in the US Lifeline Assistance Program via Assurance Wireless by Virgin Mobile. In their January article, the analysts focused on UMX (Unimax Communications) branded phones under the program that arrived with two malicious applications. The malware loaded on the phones was of Chinese origin and the UMX mobile device was manufactured by a Chinese company as well.

Following the trail still, the researchers found an ANS (American Network Solutions) branded phone running different, but related malicious applications in July 2020. The ANS application responsible for the trouble was signed with a digital certificate associated with the Chinese based company TeleEpoch Ltd, which manages the registered brand UMX in the US.

The low price-tag on these phones contribute to their popularity, but that comes with a cost. Michael Kwet, visiting fellow of the Information Security Project at Yale Law, believes taking advantage of the poor through outright theft of data and money could be labeled “digital colonialism.”

In addition to cell phones, there are a wide variety of software/hardware solution alternatives produced and intended for use in enterprise environments. Security practitioners must consider supply-chain attack factors as they assess risks to their organizations and seek to draw out the true price of opting for those less-expensive alternatives.