
Does Your Smartphone Come Contaminated With Malware Out of the Box?

Last updated on April 16, 2019

The report from security company G DATA has to frighten you: the company claimed it has found malware pre-installed on new smartphones.  Some 24 phones were found to be contaminated or were strongly suspected of infection. Included were phones from Xiaomi, Huawei, and Lenovo.

What that means is a user could have practiced absolutely safe mobile phone ownership. Indeed, maybe the user never added a single app to the phone. But still the device packs a toxic payload, out of the box.

The payload is nasty. According to G DATA, “The secret add-on functions are wide-ranging….The app can access the Internet, read and send SMS, subsequently install apps, see, store and amend call data and data about the smartphone, access the contact list, obtain location data and monitor app updates. These permissions enable extensive misuse: location detection, listening to and recording telephone calls or conversations, making purchases, bank fraud or sending premium SMS. The possibilities are almost endless.”

Read that again. What G DATA is saying is that whoever the controller is – and the controller is not identified in this report – owns that user. The user’s money can be stolen. His contacts harassed. His privacy shredded.
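The capability list G DATA describes can be turned into an audit of the apps that ship on a device. The following is an added example, not code from G DATA or the original article: it reads the output of `aapt dump permissions` for APKs pulled from a phone's system partition and flags packages that cover most of the listed capabilities. The mapping from capabilities to Android permission names, the threshold, and the package names in the sample are assumptions made for illustration.

```python
import re

# Assumed mapping: the G DATA quote lists capabilities, not permission names.
CAPABILITIES = {
    "internet access": {"android.permission.INTERNET"},
    "read/send SMS": {"android.permission.READ_SMS", "android.permission.SEND_SMS"},
    "install apps": {"android.permission.INSTALL_PACKAGES"},
    "call data": {"android.permission.READ_CALL_LOG", "android.permission.WRITE_CALL_LOG"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
}
PKG_RE = re.compile(r"^package:\s*(\S+)")
# aapt prints name='x' (newer builds) or a bare permission name (older builds)
PERM_RE = re.compile(r"^uses-permission(?:-sdk-\d+)?:\s*(?:name=')?([\w.]+)")

def parse_aapt(text):
    """Return {package: set(permissions)} from concatenated aapt output."""
    apps, current = {}, None
    for line in map(str.strip, text.splitlines()):
        pkg, perm = PKG_RE.match(line), PERM_RE.match(line)
        if pkg:
            current = apps.setdefault(pkg.group(1), set())
        elif perm and current is not None:
            current.add(perm.group(1))
    return apps

def audit(text, threshold=5):
    """List packages covering at least `threshold` capability groups."""
    findings = []
    for pkg, perms in sorted(parse_aapt(text).items()):
        hit = [cap for cap, names in CAPABILITIES.items() if perms & names]
        if len(hit) >= threshold:
            findings.append((pkg, hit))
    return findings

# Constructed sample: two fictional preinstalled APKs, not real findings.
SAMPLE = """\
package: com.example.weatherwidget
uses-permission: name='android.permission.INTERNET'
package: com.example.systemupdate
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.SEND_SMS'
uses-permission: name='android.permission.INSTALL_PACKAGES'
uses-permission: android.permission.READ_CALL_LOG
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
"""
print(audit(SAMPLE))
```

Legitimate system apps such as the dialer and the messaging app hold many of the same permissions, so the output is a list of packages to review, not a verdict.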

This really is a worst case scenario and – again – what’s cruelest is that the user essentially had no possible defense against it. Just buying the phone – new, in the box – was mistake enough.

“It happens somewhere in the supply chain,” said Andy Hayter, security evangelist for G DATA.  “There’s not a lot of security in that supply chain.”

In every case the phones were made by Chinese manufacturers, none of which is widely distributed outside Asia. But that is slim comfort because of course the iPhone is made in China. So are many Samsung Galaxy S6s.

G DATA loudly stressed that it does not believe the manufacturer whose name is on the phone has anything to do with loading the device with bad software.  The report noted: “The G DATA security experts are certain that the manufacturers are not the perpetrators in the majority of cases. Renowned companies will not risk their reputation by distributing malware in the firmware.”

It becomes a whodunit with no obvious answer.  Said G DATA: “The G DATA experts therefore suspect middlemen of being the perpetrators. In addition to the revenue gained from selling on the mobile device, they try to make additional financial gains from stolen user data and enforced advertising.”

Phones, as they are manufactured and then routed to consumers, pass through a complex, multi-layered supply chain. It apparently is not easy to pinpoint where the malware was installed.

Hayter, in an interview, added that – mainly – the infected phones are sold in Asia, often from street stalls. They are not the pricey, shrink-wrapped phones sold at name-brand mobile carriers.

Even if you don’t have a phone infected out of the box, don’t breathe easy. G DATA said in its report that it expects to log over two million new Android malware samples for 2015, a new record.

But the real game changer is the brand new – but infected – phone.

Phones are not the only affected devices. Earlier this year, Lenovo made headlines for shipping computers with Superfish installed. That’s a browser add-on that makes it easier to serve ads, but it also raises vulnerability to many malware attacks.

You have to wonder – paranoid as it may sound – just how many kinds of devices are now shipped with malware already installed.

The worst part: “The average consumer could not detect this malware on the phones,” said Hayter.

The first sign you are a victim likely will be some unexplained bank charges, or bills for premium SMS that you did not send.  At that point, it is already too late: Your credentials have been seized and the criminals are busy making money.

What more can you do to protect yourself? Two things: don’t buy bargain phones through non-traditional channels, which means street vendors, pawn shops, and most online retailers; and monitor your bank account activity as well as your charges for SMS.

When you see something wrong, don’t wait: Blow the whistle, loud. Delay will cost you. Taking quick action is the self-defense must-do.
