Behind the Scenes: How Criminal Enterprises Pre-infect Millions of Mobile Devices

Conference: Black Hat Asia 2023

Authors: Fyodor Yarochkin, Zhengyu Dong, Vladimir Kropotov, Paul Pajares


Mobile phones may come pre-infected with malicious firmware before they are even delivered to customers. This is a growing problem for both regular users and enterprises. Many businesses produce mobile devices by outsourcing the manufacturing process, and that process comes with risks: the supply chain of outsourced manufacturing can be easily infiltrated by third-party threat actors.

In this presentation, we will dive into the operations of a criminal enterprise that targets mobile phones. The criminal group has infected millions of Android devices, mainly mobile phones, but also smart watches, smart TVs and more. The infection turns these devices into mobile proxies, tools for stealing and selling SMS messages, social media and online messaging accounts, and a means of monetization via advertisements and click fraud. Our data shows that this is a continuously growing problem. We manually analyzed dozens of stock-firmware images to confirm the presence of malicious software in these models. Further, through our telemetry data, we confirmed that there are millions of infected devices operating globally. The main cluster of these devices is in South-East Asia and Eastern Europe; however, this is a truly global problem.

In this presentation, we will share our insights on the scope and scale of the problem, discuss how these criminal enterprises operate and monetize infected devices, and share the techniques we used to identify and further analyze a large number of stock firmware images. We will also share some insights on the ecosystem of supply-chain-targeting criminal groups and their modus operandi.