German authorities found preinstalled Malware on 4 China phones (June 2019)

[German] The German Federal Office for Information Security (German: Bundesamt für Sicherheit in der Informationstechnik, BSI) currently warns of four Android smartphone models from China whose firmware was found to contain malware.


The BSI had purchased devices from various manufacturers on various online marketplaces. These devices were then checked for a malware variant that had already been detected in February, and once again malware was found on the purchased devices. The BSI specifically warns against the following models from China:

  • Doogee BL7000
  • M Horse Pure 1
  • Keecoo P11
  • VKworld Mix Plus

The BSI therefore explicitly warns against the use of the Doogee BL7000 and M Horse Pure 1. The BSI advises all users to exercise particular caution.

The Keecoo P11 was also found to carry the malware in firmware version V3.02 (V362HH.SHWY.HB.HJ.P3.1130.V3.02). For this device, however, firmware V3.04 (V362HH.SHWY.HB.HJ.P3.0315.V3.04) without this malware is available via the manufacturer's "Wireless Update" function.


In addition, the BSI was able to detect the same malware on the VKworld Mix Plus device. However, this malware has not (yet) become active. According to the BSI, special caution is also required for consumers in these cases. Some online shops have already removed the devices affected by the BSI warning from their product range until further notice.


Unfortunately not isolated cases

I have already blogged frequently about malware found in the firmware of various Chinese mobile phones. "Our research clearly shows that IT devices with pre-installed malware are not isolated cases. They jeopardize consumers who buy these cheap smartphones and end up paying for them with their data. A particular risk also arises if the infected smartphone is used to control the smart home, including window security or alarm system. In order to prevent such attack scenarios, we need a joint effort on the part of manufacturers and retailers in particular to prevent such unsafe devices from being sold in the first place in the future," says BSI President Arne Schönbohm.

Background on the malware

The BSI has obtained so-called sinkhole data, which prove connection attempts from over 20,000 distinct German IP addresses per day to a malicious Command-and-Control (C&C) server. It must therefore be assumed that devices carrying this malware variant are more widespread in Germany than the four models listed above.
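The "distinct IP addresses per day" figure above is the kind of number a defender derives from sinkhole connection logs: every beacon to the sinkholed C&C name is recorded, and each source address is counted once per day as a rough proxy for one infected device. The following Python routine is an added example, not code from the BSI or this blog; the log line format, the C&C hostname and the address prefixes standing in for a country's allocations are all constructed.

```python
"""Count distinct in-scope source IPs per UTC day in sinkhole logs (added example)."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample records: one line per connection attempt seen by the sinkhole.
SAMPLE_LOG = """\
2019-06-05T08:01:12Z src=203.0.113.7 sni=c2.example.invalid
2019-06-05T08:02:40Z src=203.0.113.7 sni=c2.example.invalid
2019-06-05T09:15:03Z src=198.51.100.23 sni=c2.example.invalid
2019-06-05T11:00:00Z src=192.0.2.200 sni=c2.example.invalid
2019-06-05T23:59:59Z src=198.51.100.23 sni=other.example.invalid
2019-06-06T00:00:01Z src=203.0.113.7 sni=c2.example.invalid
malformed line that should be skipped
"""

# Constructed stand-in for "address ranges allocated to the country of interest".
IN_SCOPE_PREFIXES = [ipaddress.ip_network("203.0.113.0/24"),
                     ipaddress.ip_network("198.51.100.0/24")]

LINE_RE = re.compile(r"^(\S+)\s+src=(\S+)\s+sni=(\S+)$")


def in_scope(ip: ipaddress.IPv4Address) -> bool:
    """True if the address falls in one of the configured prefixes."""
    return any(ip in net for net in IN_SCOPE_PREFIXES)


def distinct_sources_per_day(log_text: str, c2_name: str) -> dict:
    """Return {'YYYY-MM-DD': count of distinct in-scope source IPs} for beacons to c2_name."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate malformed records instead of aborting the whole run
        ts, src, sni = m.groups()
        if sni != c2_name:
            continue  # traffic to other sinkholed names is not this campaign
        try:
            ip = ipaddress.ip_address(src)
        except ValueError:
            continue
        if not in_scope(ip):
            continue
        day = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date().isoformat()
        seen[day].add(ip)  # a set, so repeated beacons from one address count once
    return {day: len(ips) for day, ips in sorted(seen.items())}


if __name__ == "__main__":
    for day, n in distinct_sources_per_day(SAMPLE_LOG, "c2.example.invalid").items():
        print(f"{day}: {n} distinct source addresses")
```

A NAT gateway hides many devices behind one address and a phone changes mobile IPs during the day, so the daily count is a lower-bound estimate with noise, not a device inventory.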

Although the warning of the German Federal Office for Information Security addresses German users, I assume that devices shipped to other countries also carry firmware infected with malware.

The BSI has already informed German network operators about infected devices in their respective networks via CERT-Bund reports. The providers were asked to inform their affected customers accordingly.

The malware, known as 'Andr/Xgen2-CY' by IT security firm Sophos, transfers various characteristic data from the device to a C&C server and also has a download-and-execute function, so other malware, such as banking Trojans, could be loaded and executed on the devices. Manual removal of the malware is not possible because it is embedded in the firmware itself. Users therefore have no way of reliably cleaning the devices and operating them without the malicious functionality as long as no corresponding firmware update is available.

Similar articles
Android devices with pre-installed Adware



One Response to German authorities found preinstalled Malware on 4 China phones (June 2019)

  1. Shirley A. Ball says:

    I have an Android 7.1.2 phone, RC555L, and it has System updates version 4.7.8. Malware was found, Android/PUP.Riskware.Autoins.Forta.INS, which was detected by my Malwarebytes app that I installed recently. It cannot be removed because it is part of the system updates, which is a system app, but when I disable it as requested it just keeps coming back because my phone is hacked. It is sickening, and I paid money for this phone. Verizon is my carrier. My computer is hacked also, and the people who made it could not get in to repair it. I am denied access to many apps like device manager, task manager, troubleshooter and so many more.
