SUPRA M729G tablet
SUPRA M729G tablet

Security researchers have found malware hidden in the firmware of several low-end Android smartphones and tablets, malware which is used to show ads and install unwanted apps on the devices of unsuspecting users.

According to a report, the following 26 Android device models are affected:

    MegaFon Login 4 LTE
    Irbis TZ85
    Irbis TX97
    Irbis TZ43
    Bravis NB85
    Bravis NB105
    SUPRA M72KG
    SUPRA M729G
    SUPRA V2N10
    Pixus Touch 7.85 3G
    Itell K3300
    General Satellite GS700
    Digma Plane 9.7 3G
    Nomi C07000
    Prestigio MultiPad Wize 3021 3G
    Prestigio MultiPad PMT5001 3G
    Optima 10.1 3G TT1040MG
    Marshal ME-711
    7 MID
    Explay Imperium 8
    Perfeo 9032_3G
    Ritmix RMD-1121
    Oysters T72HM 3G
    Irbis tz70
    Irbis tz56
    Jeka JK103

The common link between all these devices is that all are low-cost devices, mostly marketed in Russia, and which run on MediaTek chipsets.

Device resellers suspected of adding the malware

According to security researchers from Dr.Web, a Russian antivirus vendor, the malware appears to have been added to the firmware of these devices by "dishonest outsourcers who took part in [the] creation of Android system images decided to make money on users."

The security firm has informed MediaTek and the device vendors about this issue so the affected companies can inspect their distribution chain and find the possible culprits.

Malware used to push aggressive and unwanted apps

The malware found on these devices is codenamed Android.DownLoader.473.origin. According to Dr.Web, this malware will collect data about the infected devices, contact a C&C server, and download and install other apps based on the instructions it receives from this server.

Currently, this malware is forcibly downloading and installing the H5GameCenter app. This application is a Play Store-like app catalog that allows users to install other apps. The app is considered extremely intrusive because it shows its icon (an open blue box) floating above other apps non-stop, such as in the image below, and without an option to disable this behavior.

H5GameCenter icon floating on top of the Angry Birds Android game
H5GameCenter icon floating on top of the Angry Birds Android game [Source: Dr.Web]

If users remove the H5GameCenter app, the firmware malware will reinstall it at a later point.

Last month, in the period of one week, security researchers from Kryptowire and Anubis Networks found backdoors in the firmware provided by two Chinese software vendors, Shanghai Adups Technology Co. Ltd. and Ragentek Group.

The firmware provided by these two companies had been embedded in a large number of low-end Android smartphones and granted attackers complete control over the affected phones.

Related Articles:

New Wpeeper Android malware hides behind hacked WordPress sites

Android 15, Google Play Protect get new anti-malware and anti-fraud features

Finland warns of Android malware attacks breaching bank accounts

New Latrodectus malware attacks use Microsoft, Cloudflare themes

New Brokewell malware takes over Android devices, steals data