April 11, 2014

MouaBad: When your phone comes pre-loaded with malware

By Lookout

Usually you celebrate when a family gets bigger. But when it’s a family of malware that could come pre-loaded on your phone, no one wants to party.

MouaBad is a surreptitious little bugger with a number of variants that malware authors are flashing onto the firmware of phones headed to consumers. This is a unique and risky distribution model, likely executed by a criminal who has inserted himself into the distribution chain.

We’ve seen 25 different variants in the MouaBad family, four of which use this style of distribution.

MouaBad.s, spotted by Qihoo, is one of the most sophisticated of these variants. The malware is excellent at hiding its activities and focuses primarily on committing premium-rate fraud.

The quality and sophistication of MouaBad.s is higher than the average malware family, and we’ve found indications that the author(s) coded the malware to support more advanced processes in the future. Specifically, MouaBad.s can send premium SMS messages, install additional applications to extend its functionality, and obtain privileged access to make itself more difficult to remove from infected devices. Its sister pre-loaded variants, “.t,” “.ab,” and “.ad” have similar functionality.

Some variants can even prevent apps from being uninstalled and stop anti-virus software from doing its job, in order to plant deep roots in the phone. On top of that, some variants encrypt their executable code to keep snoopers from knowing what it really can do. Qihoo describes this as a variant it calls “Oldboot.b,” but we believe these functions are actually split between the variants MouaBad.s and .ab.

Flashing firmware as a distribution model

Much of the Android malware we see comes from third-party app stores. That is to say, criminals submit tainted applications outside of the Google Play network in the hope that an external marketplace won’t be as strict. However, with MouaBad.s, the criminals appear to be hiding somewhere in the supply chain, getting their hands on the devices themselves before they’re sold to retailers. The phones in question include:
  • MouaBad.s: HDC H9500 and the Funker R452
  • MouaBad.t: Karbonn Smart A26, Xolo A500S, and the W450 MTK6582
  • MouaBad.ab: Feiteng H80W and some Galaxy Note III devices running MocorDroid
  • MouaBad.ad: S7 R830
In MouaBad.s’ case, the HDC H9500 and the Funker R452 are both made in China. However, we’ve found a number of infections in Spain connected to the Funker R452. The Funker is available for purchase through retail providers and online in Spain. The H9500, on the other hand, is available for purchase in bulk online from the Shenzhen market in China. The criminals, however, likely didn’t intend for the malware to ever leak into Western Europe. Countries have different regulations around how premium-rate text messaging works. These differing regulations make it difficult for criminals to recycle their fraud technology from location to location, which is why criminals often concentrate their attacks on specific regions.

MouaBad.ab is also interesting because it uses the same signer as the operating system creator for some of these phones. This would suggest that the malware writers are even closer to the firmware, perhaps even bundling the malware and the OS at the same time.

Who is likely to be affected?

Fortunately, the risk of infection from the MouaBad.s variant is minimal. Detection volumes are low and are primarily found in China, India, and the Philippines. In addition to flashing the phones with malware before they arrive in retail stores, the criminals may use this method in tandem with submitting malicious apps to third-party app stores to get the widest distribution possible.

Of course, this is a big deal for equipment manufacturers, smartphone brands, and carriers because it diminishes consumer trust: if there’s one hair in the soup, the whole bowl is tainted. It also goes to show how lucrative premium-rate SMS fraud can be. Contaminating the supply chain is risky business for criminals, but it can pay big dividends if they get their malware out in bulk.

How To Stay Safe
  • Only install apps from trusted stores.
  • Be aware of the origins of the device you’re buying.
  • Download a mobile security app like Lookout’s app that protects against malware as a first line of defense.
  • Regularly check your phone bill for any curious charges.