| Researchers December 4, 2014

December 4, 2014

DeathRing: Pre-loaded malware hits smartphones for the second time in 2014

By Jeremy Linden

When you walk out of a retailer with a shiny new phone, you trust that it’s clean and safe to use. But this might not always be the case, as evidenced by the latest pre-loaded malware Lookout identified called DeathRing. DeathRing is a Chinese Trojan that is pre-installed on a number of smartphones most popular in Asian and African countries. Detection volumes are moderate, though we consider this a concerning threat given its pre-loaded nature and the fact that we are actively seeing detections of it around the world.
What does it do?
The Trojan masquerades as a ringtone app, but instead can download SMS and WAP content from its command and control server to the victim’s phone. It can then use this content for malicious means. For example, DeathRing might use SMS content to phish victim’s personal information by fake text messages requesting the desired data. It may also use WAP, or browser, content to prompt victims to download further APKs -- concerning given that the malware authors could be tricking people into downloading further malware that extends the adversary’s reach into the victim’s device and data. The malware is activated in two ways -- both dependent on the victim’s use of the phone. First, the malware will activate if the phone is powered down and rebooted five times. On the fifth reboot, the malware starts. Second, the malicious service will start after the victim has been away and present at the device at least fifty times.
Which phones are affected?
We are not currently aware of where in the supply chain DeathRing is installed, we know DeathRing is loaded in the system directory of a number of devices. These devices are mostly from third-tier manufacturers selling phones to the developing world. They include:
  • Counterfeit Samsung GS4/Note II
  • Various TECNO devices
  • Gionee Gpad G1
  • Gionee GN708W
  • Gionee GN800
  • Polytron Rocket S2350
  • Hi-Tech Amaze Tab
  • Karbonn TA-FONE A34/A37
  • Jiayu G4S - Galaxy S4 Clone
  • Haier H7
  • No manufacturer specified i9502+ Samsung Clone
The main countries of concern are Vietnam, Indonesia, India, Nigeria, Taiwan, and China.
Doesn’t this sound familiar?
Earlier this year, Lookout started detecting another pre-loaded piece of malware called Mouabad. Very similarly to DeathRing, Mouabad is also pre-installed somewhere in the supply chain and affected predominantly Asian countries, though we did see some detections in Spain. Unfortunately, it is impossible for security vendors to remove this malware because it’s pre-installed in the phone’s system directory. You can, however, use the following tips in order to stay safe:
  • Be aware of the origins of the device you’re buying.
  • Download a mobile security app like Lookout’s app that protects against malware as a first line of defense -- if you are alerted to malware like this on the device, you may want to get a refund.
  • Regularly check your phone bill for any curious charges.


Jeremy Linden

Leave a comment



dziekan_tek says:

January 23, 2015 at 3:22 pm

Please also add Omega Phobos S60 - it also has trojans on board... Luckily, it's easy to remove by build-in Root Explorer. Simply... search by Eset all spyware/malware and then remove, before clicking on Mount R/W. I found 3 pieces of shit... Uupay.D, moboplayer.apk and cube_cjia01.apk. My advice - GET RID OF THEM !!!

Gionee says:

December 09, 2014 at 8:06 pm

Dear Sir or Madam Recently we saw an article from your site stating " DeathRing: Pre-loaded malware hits smartphones for the second time in 2014" and mentioned Gionee has pre-installed relative application. Please kindly tell us where did the source come from for our right of legal protection Please do not ignore this enquiry otherwise we will consider further action on Gionee reputation. Regards Gionee Global Team

Robert says:

December 09, 2014 at 10:03 am

Jiayu G4s a Galaxy S4 clone? Please take a new look... And could you specify what apps so they could be removed by the custom rom communities?

Olumide says:

December 07, 2014 at 7:59 am

Very insighful post. Please I'd like you to help us check out stuffs on Silex. Been using the phone for a while now and I must say, I'm actually getting d value for my money! But then, you never can tell. Good job

gnasher says:

December 06, 2014 at 5:21 am

Please share your sample to the other vendors so everyone will benefit.

Meghan Kelly says:

January 22, 2015 at 12:02 pm

Hi there, please email malware [at] lookout [dot] com