An increasing number of my acquaintances seem to be in the habit of buying cheap Android smartphones when in China on business and, increasingly, from online auction sites. More often than not these will be clones of flagship models but without the flagship price tag; however, cheap is not always cheerful. I've seen some of these devices with their look-alike operating systems and their flimsy construction and, having given them a quick once-over, have to say I wouldn't trust them with my calls, texts and data. That level of mistrust appears to be well founded, not least because it would seem that some of these cheap clone phones are coming pre-loaded with malware called DeathRing.
According to mobile security outfit Lookout this is the second time this year that an outbreak of DeathRing has been spotted. The Chinese Trojan, Lookout says, is coming pre-installed on a whole bunch of cheap Chinese phones which are most popular in the Asian and African regions. The company does admit, it has to be said, that the volume when it comes to DeathRing detection is 'moderate' although it doesn't give any actual numbers. Lookout does insist that active detections are being picked up globally though, which makes the threat both viable and concerning.
DeathRing, as the name suggests, pretends to be a pre-loaded ringtone app but is in fact a malware conduit for content downloaded from a central command and control server. SMS content can be pushed to the handset, for example, which takes the form of a fake operator text message asking for data. DeathRing can also use browser (WAP) content to initiate further malicious downloads. Interestingly, DeathRing is activated in an unusual manner considering it is already pre-loaded onto the infected devices. It requires either the user to have used the phone (been 'away and then present') at least 50 times or the device to have been powered down 5 times, after which the malicious service itself will activate automatically.
Lookout says it does not know where in the supply chain the malware is being introduced, although the most likely suspects have to be the distributors of these third-tier manufactured devices I would imagine. The following is a list of handsets known to have been pre-loaded with DeathRing so far:
Counterfeit Samsung GS4/Note II
Various TECNO devices
Gionee Gpad G1
Polytron Rocket S2350
Hi-Tech Amaze Tab
Karbonn TA-FONE A34/A37
Jiayu G4S – Galaxy S4 Clone
No manufacturer specified i9502+ Samsung Clone