Germany: Backdoor found in four smartphone models; 20,000 users infected
11 Jun 2019
The German Federal Office for Information Security (or the Bundesamt für Sicherheit in der Informationstechnik -- BSI) has issued security alerts today warning about dangerous backdoor malware found embedded in the firmware of at least four smartphone models sold in the country.
Impacted models include the Doogee BL7000, the M-Horse Pure 1, the Keecoo P11, and the VKworld Mix Plus (malware present in the firmware, but inactive). All four are low-end Android smartphones.
PHONES INFECTED WITH BACKDOOR TROJAN
The BSI said the phones' firmware contained the Andr/Xgen2-CY backdoor. UK cyber-security firm Sophos Labs first spotted this malware strain in October 2018. In a report it published at the time, Sophos said the malware was embedded inside an app named SoundRecorder, included by default on uleFone S8 Pro smartphones.
Sophos said Andr/Xgen2-CY was designed to work as an unremovable backdoor on infected phones.
The malware's basic design was to start running once the phone was turned on, collect details about the infected phone, ping back its command-and-control server, and wait for further instructions.
According to Sophos, Andr/Xgen2-CY could collect data such as:
- The device's phone number
- Location information, including longitude, latitude, and a street address
- IMEI identifier and Android ID
- Screen resolution
- Manufacturer, model, brand, OS version
- CPU information
- Network type
- MAC address
- RAM and ROM size
- SD Card size
- Language and country
- Mobile phone service provider
Once a profile of an infected phone was registered on the attacker's server, they could use the malware to:
- Download and install apps
- Uninstall apps
- Execute shell commands
- Open URL in browser (though this function appeared to be a work in progress in the sample we analyzed)
MALWARE REMOVAL "IS NOT POSSIBLE"
The malware isn't just some either.
Sophos said its author tried to hide the malicious code, and the backdoor was disguised as part of an Android support library, in a way meant to hide it from
"Manual removal of the malware is not possible due to its anchoring in the internal area of the firmware," the BSI said today.
The malware can only be removed via a firmware update issued by the phone makers. Unfortunately, firmware updates without the malicious backdoor are available only for the Keecoo P11 model, not for the others.
The German cyber-security agency said it is seeing at least 20,000 German-based IP addresses connecting to Andr/Xgen2-CY's command-and-control servers on a daily basis, suggesting that many German users are still using the infected phones for daily tasks. Users in other countries are most likely affected as well.
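The BSI figure above is a tally of distinct source addresses seen contacting known command-and-control hosts each day. The Python below, an added example that is not from the BSI or Sophos reports, computes that kind of tally from constructed connection-log lines; the C2 hostnames and log entries are placeholders, not real indicators.

```python
# Added example: count distinct source IPs per day that contacted known C2
# hosts, the kind of measurement behind a "20,000 IPs a day" figure.
# C2_HOSTS and SAMPLE_LOG are constructed placeholders, not real indicators.
from collections import defaultdict
from datetime import datetime
import ipaddress

# Placeholder indicator set; a real deployment would load these from a CERT
# or vendor advisory.
C2_HOSTS = {"c2.example.invalid", "update.example.invalid"}

# Constructed proxy/DNS-style records: "<timestamp> <src_ip> <dst_host> <dst_port>".
SAMPLE_LOG = """\
2019-06-10T08:01:12Z 203.0.113.10 c2.example.invalid 443
2019-06-10T08:05:40Z 203.0.113.10 c2.example.invalid 443
2019-06-10T09:12:03Z 203.0.113.11 update.example.invalid 80
2019-06-10T10:00:00Z 203.0.113.12 www.example.org 443
2019-06-11T07:30:15Z 203.0.113.10 c2.example.invalid 443
2019-06-11T07:31:15Z 198.51.100.7 c2.example.invalid 443
malformed line that should be skipped
"""

def parse_line(line):
    """Return (date, src_ip, dst_host) or None for a malformed record."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        day = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").date()
        src = ipaddress.ip_address(parts[1])  # rejects junk in the IP field
    except ValueError:
        return None
    return day, str(src), parts[2].lower()

def daily_c2_sources(log_text, c2_hosts):
    """Map each day to the set of distinct source IPs that reached a C2 host.
    Repeated beacons from one phone count once per day."""
    per_day = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] in c2_hosts:
            per_day[rec[0]].add(rec[1])
    return per_day

def daily_counts(log_text, c2_hosts):
    """Distinct C2-contacting sources per day, as {ISO date: count}."""
    return {d.isoformat(): len(s)
            for d, s in daily_c2_sources(log_text, c2_hosts).items()}

if __name__ == "__main__":
    for day, n in sorted(daily_counts(SAMPLE_LOG, C2_HOSTS).items()):
        print(day, n)
```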
The BSI warns that users of these devices are now at risk of having other malware pushed to their devices from the malware's control servers, such as ransomware, banking trojans, or adware.
A LONG LIST OF PREVIOUS INCIDENTS
This is not the first incident of its kind. In November 2016, two reports, from Kryptowire and another firm, found that two Chinese companies making firmware components for larger Chinese phone makers were embedding backdoor-like functionality inside their code.
In December 2016, security researchers from Dr.Web found a downloader for Android malware embedded in phone firmware.
In July 2017, Dr.Web found versions of the Triada banking trojan hidden in the firmware of several Android smartphones.
In March 2018, Dr.Web again found the same Triada trojan.
In May 2018, Avast researchers found the Cosiloon backdoor.
In all of these incidents, the smartphone models came from little-known vendors selling low-end Android devices.