The latest findings, from German cybersecurity company G DATA, add to a growing list of similar spying software found on smartphones from Chinese companies.
“This is happening on a lot of phones,” said Andy Hayter, G DATA’s security evangelist, in a phone interview.
In March, researchers with BlueBox found similar malware on the Xiaomi Mi 4 LTE, which they obtained during a trip to China.
Prior to that, in June 2014, G Data found malware pre-installed on the Chinese Star N9500. In July 2014, a researcher at Hong Kong forum IMA Mobile found spy software installed on the Xiaomi Redmi Note.
The spy software found on all these devices is similar, in that it was pre-installed on the devices before reaching consumers. According to Hayter, the malware found by G Data has a unique trait: it cannot be removed.
“You can’t get it off,” Hayter said, noting that if anyone finds the malware on their phone, their only option is to buy a new one.
This doesn’t just speak to the complexity of the malware, but also the amount of work behind it. The group or individual behind the spy software would need to unlock each phone, install the malware, then lock each phone up again.
Researchers have not been able to determine at which stage of the supply chain the malware is being installed. Hayter said it has the telltale signs of being a large operation. He noted, “it’s an increasing number of phones we’re seeing.”
Alongside the phones from Huawei, Lenovo, and Xiaomi, researchers at G Data found similar spy software on phones from Alps, ConCorde, DJC, SESONN, and Xido. In a report about their findings, they named 26 phone models with the malware.
All of the phones are manufactured in China, with the exception of the ConCorde, according to technology news website Softpedia.
G Data contacted the companies to let them know about the malware, and only two responded. Huawei told them the security breaches must have taken place further down the supply chain, outside the manufacturing process. Lenovo said they’d look into it.
Hayter suspects the malware is being installed by a middleman, somewhere between the manufacturers and the phone shops.
The researchers weren’t able to give information on how each infected phone was obtained. Hayter noted that details on the infections came from users who installed G Data mobile security software on their smartphones.
The phones may have come from the manufacturers, or they may have been purchased from Amazon or a side-street phone store.
Of course, state spying can’t be ruled out either. The Chinese regime has a track record of using similar smartphone malware to spy on people.
Researchers at Lacoon Mobile Security uncovered a spy campaign aimed at Hong Kong democracy protesters on Sept. 30, 2014. The software would give the hackers full control over the phones.
Michael Shaulov, CEO of Lacoon Mobile Security, told Epoch Times at the time that when it comes to smartphones, which can track user locations, listen to calls, and often contain user passwords, “for the purpose of spying it’s probably the perfect tool.”
In the recent cases, however, two factors suggest this is the work of cybercriminals and not government spies.
First off, if the infected devices are being sold in stores, it’s unlikely they’re being targeted at individual users. For Chinese authorities, this would be an unnecessary step, since they already have broad-brush domestic spy programs in place to locate dissidents.
Also, as Hayter notes, the malware is targeted at the “less sophisticated customer who is looking for a phone on the street corner.” He believes the malware is being installed by phone distributors, who are using it for cybercrime.
What the findings do point to, however, are the poor security standards for Chinese smartphones, which often market themselves as cheap alternatives to larger brands.
Hayter noted that while installing malware of this type is “not a trivial operation,” when there’s money to be made, crime is sure to follow, “and it looks like this is the route the criminals are taking.”