The first smartphone was created over a quarter of a century ago: in 1993 IBM launched a device called Simon. It was a cell phone with a touch screen and personal digital assistant (PDA) functions, and between 1993 and 1995 it was owned by more than 50,000 customers. Over the next decade the smartphone market changed significantly. In 2007 alone, customers from all over the world bought over 120 million of these devices. Over the next five years (2008-2012), more than 1.7 billion customers decided to buy a new smartphone. Only slightly fewer people replaced or bought their first smartphone in 2019 alone.
The market for this part of electronics, which has become permanently integrated into our private and professional lives, is enormous. In the last few years, smartphone sales have hovered around 1.5 billion units annually. This means that statistically every fifth person buys a new phone in a given year. Samsung, Apple, Huawei and Xiaomi have long competed for customers, together holding about 60% of the market year after year. The remaining 40% often goes to other well-known companies from the IT market that manage to break through in a given year with an innovative or affordable product. All these companies share a long-term plan that assumes retaining customers as well as taking care of their own brand and reputation.
Naturally, every producer makes its own mistakes. One example is the security vulnerability discovered by the engineers of Project Zero, a group of Google analysts who specialize in finding bugs in every type of software (including software created by companies other than Google). In May 2020, Samsung published an update that fixed the bug detected by Project Zero. It was located in the Skia graphics engine, which Samsung had modified and which was used in all smartphones manufactured by the company between 2014 and 2020. By means of specially prepared MMS messages carrying .qmg graphic files, hackers could bypass the ASLR security feature present in the Android system and execute arbitrary code on it, in practice taking control of the device. However, this process was not trivial and required sending tens if not hundreds of MMS messages. Nevertheless, it is worth noting that after a successful attack, the messages on the infiltrated device could be removed immediately and the victim would remain completely unaware of the compromise. After being informed about the vulnerability, Samsung published an update for its devices [1].
Unfortunately, such problems are nothing unusual. The Common Vulnerabilities and Exposures (CVE) online database lists more than 6,000 reported bugs for Android alone, which could be exploited by hackers to varying degrees. Technology companies that take care of their customers and brand routinely publish updates to prevent the detected security vulnerabilities from being exploited. Unfortunately, not all of them do. Let us recall that about 40% of the smartphone market belongs to smaller companies, the vast majority of which offer users good quality devices without hidden defects. However, players with little experience, using untested subcontractors as a source of hardware and software, also take part in the fight for the customer. They offer cheap devices that lack support in the form of regular updates.
There are also known cases of hardware suppliers whose products reached the end user with malware already pre-installed [2]. In January 2020, Malwarebytes specialists reported that they had found preinstalled malware on Unimax UMX U686CL devices. The devices were manufactured in China and later distributed to American users of the Assurance Wireless program, which offered subsidized mobile devices and mobile network access to those most in need. They were infected with the HiddenAds malware (Android/Trojan.HiddenAds.WRACT) and the Android/PUP.Riskware.Autoins.Fota.fbcvd software, which is associated with the Chinese company Adups, caught [4] illegally collecting user data and creating backdoors for mobile devices and auto-installers, that is, programs that enable automatic installation of other applications on clients’ devices. Technical details can be found in the Malwarebytes report [3], along with the following position of the device manufacturer:
“After investigating this issue, Unimax Communications has determined that the applications described in the posting are not malware…In reviewing these applications, however, Unimax Communications has determined that there may be a potential vulnerability in the Settings App library. Because of this, Unimax Communications has updated software to correct the potential vulnerability.”
At the end of July, the same problem was found in low-end ANS L51 devices offered mainly in the US market [5]. An ongoing investigation is to determine whether the malware was installed by the supplier or whether it was introduced into the operating system later on in the supply chain.
Pre-installed tracking applications are of course a big problem: uninformed users pay an unreasonable amount of money for hardware that steals their privacy in an uncontrolled way. However, an even bigger problem is devices that rob them not only of their privacy but also of money. At the end of August 2020 there were reports about devices offered mainly in Africa. Cheap Chinese Tecno W2 smartphones, offered to customers in South Africa, Egypt, Ethiopia, Ghana and Cameroon, among others, were sold with the Triada backdoor and the xHelper Trojan already installed. The former made it possible to install any software without the owner’s knowledge, and it used this capability to install the xHelper Trojan. The malware embedded itself in the system in a way that made it impossible to remove easily. Resetting the device to the factory settings did not help in this case. The owner of the new phone was persistently flooded with unwanted ads displayed on the smartphone screen and was involuntarily subscribed to paid services. A spokesman for Transsion admitted that Tecno W2 phones were actually infected, blaming an unnamed subcontractor. It was not revealed how many “defective” devices had been placed on the market. At the same time, he stressed that the company did not benefit from the automatically generated subscriptions.
The opinions presented by the author belong exclusively to him/her. They are in no way related to the opinion and position of his/her employer.
Wiktor Sędkowski graduated in Teleinformatics from the Wrocław University of Science and Technology, specializing in the cybersecurity field. He is an expert on cyber threats and holds CISSP, OSCP and MCTS certificates. He has worked as an engineer and solution architect for leading IT companies.