Two downloader Trojans are in the firmware of a series of Android-powered devices.
The Trojans are capable of contacting their C&C servers, updating themselves, receiving instructions on which apps to covertly download and run, and start running each time the device ends up turned on or restarted, said researchers at Doctor Web.
One of them – the Android.Sprovider.7 Trojan, inserted into the firmware of Lenovo A319 and Lenovo A6000 smartphones – can also open specified links in a browser, make phone calls to a certain number through the standard system application, and show ads on top of apps and in the status bar.
A partial list of tablets and smartphones containing the other Trojan (Android.DownLoader.473.origin) is as follows: MegaFon Login 4 LTE, Irbis TZ85, Irbis TX97, Irbis TZ43, Irbis tz70, Irbis tz56, Bravis NB85, Bravis NB105, SUPRA M72KG, SUPRA M729G, SUPRA V2N10, Pixus Touch 7.85 3G, Itell K3300, General Satellite GS700, Digma Plane 9.7 3G, Nomi C07000, Prestigio, MultiPad Wize 3021 3G, Prestigio MultiPad PMT5001 3G, Optima 10.1 3G, TT1040MG, Marshal ME-711, 7 MID, Explay Imperium 8m, Perfeo 9032_3G, Ritmix RMD-1121, Oysters T72HM 3G, and Jeka JK103.
The Trojans deliver ad-showing apps, pushing users to download additional apps.
“It is known that cybercriminals generate their income by increasing application download statistics and by distributing advertising software. Therefore, Android.DownLoader.473.origin and Android.Sprovider.7 were incorporated into Android firmware because dishonest outsourcers who took part in creation of Android system images decided to make money on users,” Dr.Web researchers said in a blog post.
Researchers informed the makers of these devices of the information.