The German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) is currently warning about four Android smartphone models from China whose firmware was found to contain malware.
The BSI had bought devices from various manufacturers on various online marketplaces and checked them for a malware variant it had already detected in February. Malware was again found on the purchased devices. The BSI specifically warns against the following models from China:
- Doogee BL7000
- M Horse Pure 1
- Keecoo P11
- VKworld Mix Plus
The Keecoo P11 was found to carry the malware in firmware version V3.02 (V362HH.SHWY.HB.HJ.P3.1130.V3.02). For this device, firmware V3.04 (V362HH.SHWY.HB.HJ.P3.0315.V3.04), which no longer contains the malware, is available via the manufacturer's "Wireless Update" function.
In addition, the BSI detected the same malware on the VKworld Mix Plus, although on that device it has not (yet) become active. According to the BSI, consumers should exercise particular caution in these cases as well. Some online shops have already removed the devices covered by the BSI warning from their range until further notice.
Unfortunately not isolated cases
I have already blogged several times about malware found in the firmware of various Chinese mobile phones. "Our research clearly shows that IT devices with pre-installed malware are not isolated cases. They jeopardize consumers who buy these cheap smartphones and end up paying for them with their data. A particular risk also arises if the infected smartphone is used to control the smart home, including window security or the alarm system. In order to prevent such attack scenarios, we need a joint effort, above all by manufacturers and retailers, to prevent such unsafe devices from being sold in the first place in the future," says BSI President Arne Schönbohm.
Background on the malware
The BSI obtained so-called sinkhole data (traffic captured by taking over the malware's command-and-control infrastructure), which show connection attempts from over 20,000 different German IP addresses per day to a malicious command-and-control (C&C) server. It must therefore be assumed that devices with this malware variant are far more widespread in Germany than the four named models alone would suggest.
Although the warning from the German Federal Office for Information Security is addressed to German users, I assume that devices shipped to other countries also carry firmware infected with this malware.
The BSI has already informed German network operators about infected devices in their respective networks via CERT-Bund reports. The providers were asked to notify their affected customers accordingly.
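The sinkhole analysis and operator notification described in the two paragraphs above can be reproduced on a small scale. The following is an added example, not BSI or CERT-Bund tooling: it reads constructed sinkhole log lines (the CSV layout, the sinkholed hostname `cnc.example.invalid` and the prefix-to-operator table are all assumptions made for illustration), counts distinct source IPs per day that contacted the C&C hostname, flags IPs that beacon on more than one day (persistent infection rather than a one-off scan), and groups affected IPs by network operator for notification.

```python
"""Sinkhole log triage: distinct C&C contacts per day and per-operator grouping.

Added example; constructed data, not BSI sinkhole data. The log format,
the C&C hostname and the operator prefix table are assumptions.
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample in an assumed sinkhole export format:
# timestamp,src_ip,dst_ip,dst_port,http_host
SAMPLE_LOG = """\
2019-06-05T08:12:01Z,203.0.113.10,198.51.100.5,80,cnc.example.invalid
2019-06-05T08:12:44Z,203.0.113.10,198.51.100.5,80,cnc.example.invalid
2019-06-05T09:00:13Z,203.0.113.77,198.51.100.5,80,cnc.example.invalid
2019-06-05T09:30:00Z,192.0.2.200,198.51.100.5,80,other.example.invalid
2019-06-06T01:02:03Z,203.0.113.10,198.51.100.5,80,cnc.example.invalid
2019-06-06T04:05:06Z,192.0.2.9,198.51.100.5,80,cnc.example.invalid
2019-06-06T04:05:07Z,192.0.2.9,198.51.100.5,80,cnc.example.invalid
2019-06-06T23:59:59Z,198.51.100.77,198.51.100.5,80,cnc.example.invalid
bad line without enough fields
"""

# Assumed hostname of the sinkholed C&C server (illustration only).
CNC_HOSTS = {"cnc.example.invalid"}

# Constructed prefix-to-operator table standing in for the routing/whois
# lookup a CERT would use to decide which network operator to notify.
OPERATOR_PREFIXES = {
    "203.0.113.0/24": "Operator A",
    "192.0.2.0/24": "Operator B",
}


def parse_sinkhole(text):
    """Yield (date, src_ip, host) for well-formed lines; skip malformed ones."""
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 5:
            continue  # malformed export line
        ts, src, _dst, _port, host = row
        try:
            ip = ipaddress.ip_address(src)
        except ValueError:
            continue  # unparsable source address
        yield ts[:10], ip, host  # ISO timestamp: first 10 chars are the date


def distinct_sources_per_day(text, cnc_hosts=CNC_HOSTS):
    """Map each day to the number of distinct source IPs that hit a C&C host."""
    per_day = defaultdict(set)
    for date, ip, host in parse_sinkhole(text):
        if host in cnc_hosts:
            per_day[date].add(ip)
    return {day: len(ips) for day, ips in sorted(per_day.items())}


def repeat_beaconers(text, cnc_hosts=CNC_HOSTS, min_days=2):
    """Source IPs seen contacting a C&C host on at least min_days distinct days."""
    days_seen = defaultdict(set)
    for date, ip, host in parse_sinkhole(text):
        if host in cnc_hosts:
            days_seen[ip].add(date)
    return sorted(str(ip) for ip, days in days_seen.items() if len(days) >= min_days)


def group_by_operator(text, cnc_hosts=CNC_HOSTS, table=OPERATOR_PREFIXES):
    """Group affected source IPs by the operator owning their prefix."""
    nets = [(ipaddress.ip_network(prefix), name) for prefix, name in table.items()]
    grouped = defaultdict(set)
    for _date, ip, host in parse_sinkhole(text):
        if host not in cnc_hosts:
            continue
        operator = next((name for net, name in nets if ip in net), "unknown")
        grouped[operator].add(str(ip))
    return {op: sorted(ips) for op, ips in sorted(grouped.items())}


if __name__ == "__main__":
    print(distinct_sources_per_day(SAMPLE_LOG))
    print(repeat_beaconers(SAMPLE_LOG))
    print(group_by_operator(SAMPLE_LOG))
```

Counting distinct source IPs rather than raw hits matters because an infected device beacons repeatedly, and hits to hostnames other than the sinkholed C&C name are excluded so that unrelated traffic to the same sinkhole IP does not inflate the figures. Real notifications would additionally need the timestamp per IP, since consumer addresses are reassigned and the operator can only map an IP to a customer for a given point in time.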
The malware, known to the IT security firm Sophos as 'Andr/Xgen2-CY', transmits various identifying data from the device to a C&C server and also has a download function through which further code can be fetched and executed. Other malware, such as banking Trojans, could therefore be loaded and run on the devices at any time. Manual removal is not possible because the malware is embedded in the firmware's system area; a factory reset does not help either, since it restores the device from that same firmware. Users therefore have no way of reliably cleaning the devices and operating them without the malicious functionality as long as no corresponding firmware update is available.
Android devices with pre-installed Adware