Chinese CCTV reported cases of pre-installed malware on Android mobile

Chinese TV station, CCTV, has reported some cases where smartphone were compromised by pre-installed malware before selling them on to unwitting customers.

What’s about to pay a mobile phone with Malware pre-installed? Of course the malware is free! It is not a joke, Chinese TV station CCTV, during a show for the World Consumer Rights Day on March 15th, has reported the case of a Smartphone supply chain compromised due the presence of a pre-install malware into Android mobiles.

The pre-installed malware is called DataService, the Chinese television also provided its md5 digest. 

Researchers at Kaspersky identified the pre-installed malware as Trojan.AndroidOS.Uupay.a, an insidious agent that interacts with other resident Android apps to steal mobile info, push ads and download the specific web content, including other apps from unofficial stores.

Analyzing the AndroidManifest.xml it is possible to note that the pre-installed malware  gains numerous permissions to operate:

The DataService code also includes malicious packages that are silently installed and that contain “Google” and “Android” words in their names. The experts at Kaspersky discovered that it uses the push service provided by Airpush to run a service to fetch and display the pushed advertisement.

The code in the pre-installed malware was designed to download malicious apps, also infected with DataService, from an unofficial store at the address http://******mall1.plat96.com/.

How is it possible that DataService was pre-installed in such a large number of brand new mobile phones?

The reporter at CCTV has discovered that Goohi company provides an android application pre-installation service using a product called “Datang fairy artifact”, a device like the one in the following picture.

“Up to now, Goohi has more than 4,600 members in its pre-installation alliance. This alliance has installed more than 46 million applications and more than one million mobile phones are pre-installed with various applications every month. It is claimed that this device can automatically install every application it holds onto an Android mobile in just a few minutes. This menu of applications comes with a price tag, ranging from 10-50 US cents per installation.”

The mechanism is simple, members of the Goohi alliance can earn money simply pre-installing one of the above applications. More applications, more money … no matter is the applications collect user’s data as admitted by Goohi.

The situation is embarrassing considering that Kaspersky experts have discovered that the applications were trojanized with malware like Trojan-Spy.AndroidOS.Agent.k which is a known data stealer.

To confirm the reporter’s thesis experts analyzed the IP address contacted by the app twice in 30 seconds to upload mobile call logs:

 61.160.242.35

www.goohi.cn

“Although CCTV exposed that DataService malware can be pre-installed into mobile phones and Goohi’s “Datang fairy artifact” can be used for this aim it could not provide a clear link between them. But from the name “uucun” and a piece of news about uucun we can read that it has pre-installation channels that can pre-install onto more than 100 million mobile phones” added Kaspersky expert Dong Yan.

Truly a sad story.

Pierluigi Paganini

(Security Affairs –  pre-installed malware, Android)