Smartphone Backdoor found in Four models in Germany
Almost all mobile phones make two serious mistakes for their users: following their movements and listening to their conversations. That’s why we call it “Stalin’s dream”.
Almost all phone processors have a universal back door that phones often use to transmit all the calls they hear.
The back door is the result of 20-year-old mistakes still not fixed. The ability to leave vulnerabilities is morally equivalent to writing a backdoor.
The back door is located in the “modem processor” responsible for communicating with the radio network. For most phones, the modem processor controls the microphone. On most phones, it is also possible to rewrite the software for the main processor.
Some phone models are specially designed so that the modem processor cannot control the microphone and you cannot change the software in the main processor. They still have the back door, but at least they cannot turn the phone into a listening device.
The universal backdoor also seems to be used to send phones even when they are off. This means that your movements will be recorded and that you can activate the hearing function.
ZDNet reports that backdoor found in four smartphone models, and 20,000 users infected.
German cyber-security agency warns against buying or using four low-end smartphone models.
Impacted models include the Doogee BL7000, the M-Horse Pure 1, the Keecoo P11, and the VKworld Mix Plus (malware present in the firmware, but inactive). All four are low-end Android smartphones.
Phones infected with backdoor Trojan
The BSI said the phones’ firmware contained a backdoor trojan named Andr/Xgen2-CY.
UK cyber-security firm Sophos Labs first spotted this malware strain in October 2018. In a report it published at the time, Sophos said the malware was embedded inside an app named SoundRecorder, included by default on uleFone S8 Pro smartphones.
Sophos said Andr/Xgen2-CY was designed to work as an unremovable backdoor on infected phones.
The malware’s basic design was to start running once the phone was turned on, collect details about an infected phone, ping back its command-and-control server, and wait for future instructions.
According to Sophos, Andr/Xgen2-CY could collect data such as:
The device’s phone number
Location information, including longitude, latitude, and a street address
IMEI identifier and Android ID
Manufacturer, model, brand, OS version
RAM and ROM size
SD Card size
Language and country
Mobile phone service provider
Once a profile of an infected phone was registered on the attacker’s server, they could use the malware to:
- Download and install apps
- Uninstall apps
- Execute shell commands
- Open URL in a browser (though this function appeared to be a work in progress in the sample we analyzed)
Malware removal is not possible
The malware isn’t just some overly-aggressive advertising module either. Sophos said its author tried to hide the malicious code, and the backdoor was disguised as part of an Android support library, in a way meant to hide it from view.
“Manual removal of the malware is not possible due to its anchoring in the internal area of the firmware,” the BSI said today.
The malware can be removed just via a firmware update issued by the phone makers. Unfortunately, firmware updates without the malicious backdoor are only available for the Keecoo P11 model, but not the others.
The German cyber-security agency said it’s seeing at least 20,000 German-based IP addresses connecting to the Andr/Xgen2-CY’s command and control servers on a daily basis, suggesting that there are still many German users who use the infected phones for daily tasks. Users in other countries are most likely impacted as well.
The BSI warns that users of these devices are now at risk of having other malware pushed to their devices from the malware’s control servers, such as ransomware, banking trojans, or adware.
This is not the first incident of its kind. In November 2016, two reports, from Kryptowire and Anubis Networks, found two Chinese companies that were making firmware components for larger Chinese phone makers were embedding a backdoor-like functionality inside their code.
In December 2016, security researchers from Dr.Web found a downloader for Android malware embedded in the firmware of 26 Android smartphone models.
- In July 2017, Dr.Web found versions of the Triada banking trojan hidden in the firmware of several Android smartphones.
- In March 2018, the same Dr.Web found the same Triada trojan embedded in the firmware of 42 other Android smartphone models.
- In May 2018, Avast researchers found the Cosiloon backdoor trojan in the firmware of 141 Android smartphones.
In all incidents, all the smartphone models were from little-known vendors selling low-end class Android devices.