Closing the backdoor on mobile malware


Trevor Reschke Head of Threat Intelligence

A dangerous form of backdoor malware was found in the firmware of at least four low-end smartphone models sold in Germany recently.

The Bundesamt für Sicherheit in der Informationstechnik (BSI), Germany's federal cyber security agency, alerted users to the threat in early June. It later reported that at least 20,000 phones in Germany had been affected and that, potentially, users outside the country had also fallen victim.

The malware, a trojan detected as Andr/Xgen2-CY, functions as a persistent backdoor on infected phones. Embedded inside a pre-installed app named SoundRecorder, it starts the moment the phone boots and collects a host of details about the device, including its IMEI, its precise location and even the user's phone number.

Worse, once an infected phone has registered with the attacker's server, the operators can remotely download, install and uninstall apps on it and execute shell commands, effectively taking control of the device. The BSI also warned that the malware's command-and-control (C&C) servers could push further malware, such as ransomware, adware or banking trojans, to devices that are already infected.


Insufficient due diligence

Worryingly, the malware is anchored in the handset's firmware, so it can only be removed by a firmware update issued by the phone's manufacturer. Unfortunately, the manufacturers of three of the handsets in question do not issue such updates. To all intents and purposes, most users unlucky enough to own one of these phones are stuck with the malware: it simply cannot be removed.
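The practical consequence of "anchored in the firmware" is that the malicious app sits on the read-only system partition rather than under /data/app, which is why neither the user nor an ordinary uninstall can remove it. The following shell helper, added here as an example and not part of the original post or the BSI's advisory, takes the output of `adb shell pm list packages -f` and separates packages living on the system, vendor or product partitions from user-installed ones, then flags any system-partition package matching a name fragment. The package names and APK paths in SAMPLE are constructed for this example; the post does not give the backdoor's real package name, so "soundrecorder" is used only as the search term.

```shell
# Added example (not from the original post): triage helper for the
# "anchored in the firmware" point. Input is the output of
#   adb shell pm list packages -f
# one line per package in the form  package:<apk path>=<package name>.
# Packages under /system, /vendor, /product, /system_ext or /odm live on
# read-only partitions and cannot be removed with `pm uninstall`; packages
# under /data/app are ordinary user-installed apps.

# classify_pkg_list: read pm output on stdin, print
#   <SYSTEM|USER> <package name> <apk path>
classify_pkg_list() {
    while IFS= read -r line; do
        case "$line" in
            package:*) ;;
            *) continue ;;   # skip anything that is not a package line
        esac
        entry=${line#package:}
        apk=${entry%=*}      # everything before the last '='
        pkg=${entry##*=}     # everything after the last '='
        case "$apk" in
            /system/*|/vendor/*|/product/*|/system_ext/*|/odm/*)
                printf 'SYSTEM %s %s\n' "$pkg" "$apk" ;;
            *)
                printf 'USER %s %s\n' "$pkg" "$apk" ;;
        esac
    done
}

# find_suspicious: read the classified list on stdin and print only the
# SYSTEM-partition entries whose package name or path matches the given
# case-insensitive fragment. A "sound recorder" shipped in /system/app on
# a budget handset is exactly the shape of the case described above.
find_suspicious() {
    pattern=$1
    grep -i "^SYSTEM .*$pattern"
}

# Constructed sample output (not captured from a real device). Package
# names are hypothetical; com.example.soundrecorder stands in for the
# unnamed backdoor host app.
SAMPLE='package:/system/app/SoundRecorder/SoundRecorder.apk=com.example.soundrecorder
package:/data/app/com.example.chat-1/base.apk=com.example.chat
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/data/app/com.example.bank-2/base.apk=com.example.bank'

# Against a live device, replace the printf with:
#   adb shell pm list packages -f | classify_pkg_list | find_suspicious soundrecorder
printf '%s\n' "$SAMPLE" | classify_pkg_list | find_suspicious soundrecorder
```

If the match comes back with a /system or /vendor path, uninstalling is not an option: `pm uninstall -k --user 0` can disable the app for the current user, but the APK stays on the partition and a factory reset (which does not touch /system) brings it straight back, so only a manufacturer firmware image that omits the package actually removes it.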

And this is far from being the first instance of attackers employing such an insidious technique. In the last three years alone, hundreds of Android devices have been found to contain various forms of malicious software embedded in their firmware.

What each of these cases had in common was that the devices were all low-end models from little-known manufacturers. While it is certainly not true in every case, phone manufacturers, particularly those at the budget end of the market, do not always carry out adequate due diligence on the third-party code and components they use. As a result, their devices can end up shipping with compromised firmware.


Protection, rather than prevention

With so many moving parts, the supply chain will always be especially vulnerable to attack. Mobile devices are clearly no exception, and stories like this coming out of Germany will do little to instil confidence in users – instead raising further concerns around the privacy and security of their personal information.

Organisations such as online merchants and financial service providers, whose business involves mobile transactions, should therefore operate under the assumption that a determined attacker will always find a way. After all, it will not be possible to prevent every mobile device from being infected with malware. As we’ve seen, this one technique alone is prevalent – and potent.

Rather than trying to eradicate the malware itself, they should instead focus on preventing it from carrying out its job. By protecting every online transaction session – the point where merchants and their customers meet – they can stop users’ credentials from being taken in any useful form.

Trusted Knight’s Protector Air allows you to do just that. A cloud-based solution, invisible to the end-user, it’s injected seamlessly into every transaction request, defeating customer-side malware and thwarting any attempt to steal their information. Click below to find out how we can help you protect your customers even when faced with the inevitable.


Want to find out more? Click here to request a free trial.