For the first time ever, the experts at the German security vendor G DATA have discovered a smartphone that comes with extensive spyware straight from the factory. The malware is disguised as the Google Play Store and is part of the pre-installed Android apps. The spyware runs in the background and cannot be detected by users. Unbeknownst to the user, the smartphone sends personal data to a server located in China and is able to covertly install additional applications.
This makes it possible to retrieve personal data, intercept calls and online banking data, read emails and text messages or control the camera and microphone remotely. The affected model "N9500" is produced by the Chinese manufacturer Star and looks very similar to a smartphone from a well-known manufacturer. It is not possible to remove the manipulated app and the spyware since they are integrated into the firmware. Large online retailers are still selling the Android device at prices ranging from 130 to 165 euros and distributing it across Europe.
"The options with this spy program are nearly unlimited. Online criminals have full access to the smartphone," notes Christian Geschkat, Product Manager Mobile Solutions. "G DATA customers reported a detection by our security solution and thus alerted us to this criminal tactic."
After receiving tip-offs from customers, the G DATA security experts purchased and analysed the device. This is how they found out that the firmware contained the Trojan Android.Trojan.Uupay.D, disguised as the Google Play Store. The spy function is invisible to the user and cannot be deactivated. This means that online criminals have full access to the smartphone and all personal data. Logs that could make this access visible to users are deleted directly. The program also blocks the installation of security updates.
"The only thing users see is an app with the Google Play Store icon in the running processes; other than that, the application is completely disguised," reports Christian Geschkat. "Unfortunately, removing the Trojan is not possible as it is part of the device's firmware and apps that fall into this category cannot be deleted. This includes the fake Google Play Store app of the N9500." Users can use G DATA Internet Security for Android, which detects the malware as Android.Trojan.Uupay.D, to find out whether their own device is affected. The expert advises affected customers to contact the respective online shop to return the device.
The smartphone represents a serious risk to users. The spy program enables criminals to secretly install apps, which enables the whole spectrum of abuse: localisation, interception & recording, purchases, banking fraud such as theft of mobile TANs, and sending of premium SMSs.
It is impossible to find out where the data is sent. "The intercepted data is sent to an anonymous server in China," says Christian Geschkat. "It is not possible to find out who ends up receiving and using the data."
The cheap price ranging from 130 to 165 euros comes as a surprise, considering the high technological standard of the device. The quad-core smartphone is supplied with extensive accessories, such as a second battery, car charging adapter and second cover. Comparable devices from well-known brands cost almost three times that much.
The security experts at G DATA think that the low price of the mobile device is made possible by the subsequent selling of data records stolen from the smartphone owner. "In general, particularly cheap offers online that seem tempting should make buyers suspicious. There’s no such thing as a free lunch," advises Christian Geschkat.
The increasing popularity of smartphones and tablets has not gone unnoticed by online criminals. There are about 40 million smartphone users in Germany alone. More than 1.2 million new malware programs for Android appeared last year and this number is expected to rise sharply. All the more reason for users to use a comprehensive security solution for their mobile devices.