Google Search

Custom Search

Sunday, 7 December 2014

Android Preloaded Malware - Deathring malware found in Asian and African countries

Lookout, a security reasearch company recently release a report on the second Malware found on Androids phone in some Asian and African country as a preloaded system. These malware masquarade as a harmless application within a user phone and will capture user's information and download other malware without the owner knowledge. As of now, the detection of these Malware are still low and still moderate. This because those malware will only be localized within the infected system without propagating to other phones.

Earlier this year in April, Lookout release a report of known malware named " Mouabad " was found preloaded on android devices in some countries such as China, India and the Philippines. This week, another preloaded malware " Deathring " was also found but this time it was also found in few African country in addition to Asian countries.

Below is the report from Lookout for Deathring

Deathring Malware

DeathRing is a Chinese Trojan that is pre-installed on a number of smartphones most popular in Asian and African countries. Detection volumes are moderate, though we consider this a concerning threat given its pre-loaded nature and the fact that we are actively seeing detections of it around the world.

The Trojan masquerades as a ringtone app, but instead can download SMS and WAP content from its command and control server to the victim’s phone. It can then use this content for malicious means. For example, DeathRing might use SMS content to phish victim’s personal information by fake text messages requesting the desired data. It may also use WAP, or browser, content to prompt victims to download further APKs — concerning given that the malware authors could be tricking people into downloading further malware that extends the adversary’s reach into the victim’s device and data. The malware is activated in two ways — both dependent on the victim’s use of the phone. First, the malware will activate if the phone is powered down and rebooted five times. On the fifth reboot, the malware starts. Second, the malicious service will start after the victim has been away and present at the device at least fifty times.

We are not currently aware of where in the supply chain DeathRing is installed, we know DeathRing is loaded in the system directory of a number of devices. These devices are mostly from third-tier manufacturers selling phones to the developing world. They include:
Counterfeit Samsung GS4/Note II

  • Various TECNO devices 
  • Gionee Gpad G1 
  • Gionee GN708W 
  • Gionee GN800 
  • Polytron Rocket S2350 
  • Hi-Tech Amaze Tab 
  • Karbonn TA-FONE A34/A37 
  • Jiayu G4S – Galaxy S4 Clone 
  • Haier H7 
  • No manufacturer specified i9502+ Samsung Clone 

The main countries of concern are Vietnam, Indonesia, India, Nigeria, Taiwan, and China.

"Unfortunately, it is impossible for security vendors to remove this malware because it’s pre-installed in the phone’s system directory. You can, however, use the following tips in order to stay safe:
Be aware of the origins of the device you’re buying.
Download a mobile security app like Lookout’s app that protects against malware as a first line of defense — if you are alerted to malware like this on the device, you may want to get a refund. Regularly check your phone bill for any curious charges."
Read more: DeathRing: Pre-loaded malware hits smartphones for the second time in 2014 (

The researcher in Lookout noted that it is impossible for antivirus to remove this infection so user must be aware and be safe when buying or installing application from an untrustworthy source

So please be careful guys

Source : Lookout

No comments:

Post a Comment