The folks over at Lookout Security have an interesting blog piece on “DeathRing,” a Chinese Trojan that comes pre-installed on a number of smartphones most popular in Asian and African countries.
According to the bulletin, the Trojan masquerades as a ringtone app, but once it is installed it downloads SMS and WAP (or “wireless access protocol”) content from a command and control server to the victim’s phone.
That downloaded content can be used for various malicious, money-making schemes, according to Lookout. For example, DeathRing can use the SMS content to send phishing text messages to the phone to elicit sensitive information from the user. The WAP content can be used to manipulate a mobile user’s web browsing session. For example, the attackers might prompt victims to download additional mobile applications or add-ons, potentially extending their reach over the victim’s device and data.
Lookout said that DeathRing has been found only in low numbers and outside of Western markets. Copies of the mobile malware have turned up in Vietnam, Indonesia, India, Nigeria, Taiwan, and China. The malware has been identified running on off-market counterfeit phones posing as Samsung devices including the Galaxy S4, the GS4/Note II and others. Other affected platforms include devices by Gionee (Gpad G1, GN708W, GN800), the Polytron Rocket S2350, the Hi-Tech Amaze Tab, the Karbonn TA-FONE A34/A37, the Jiayu G4S (another Galaxy S4 clone) and the Haier H7.
The pattern and features of DeathRing are similar to another piece of mobile malware that was also linked to corrupted supply chains: Mouabad, which Lookout warned of in April. Like DeathRing, that malware also used premium SMS and asked victims to install added modules that extended the malware’s functionality.
Mobile handset makers are particularly vulnerable to corrupt or corrupted supply chain partners, given the intense price pressure and the myriad of components that make up even a low-end smartphone.
Legal and information security experts say that attacks that come by way of suppliers and other third-party business partners are one of the biggest threats that modern organizations face. However, few firms prioritize scrutiny of third-party contractors and components.
At an expert panel on supply chain security that met in Boston in November, companies were encouraged to beef up auditing of internal and partner assets and to seek contractual protections that will indemnify them in the event that a breach at a supplier or business partner exposes data that materially affects their firm.