Trojans capable of installing additional malware are currently affecting the stock firmware of at least 26 Android smartphone models.
Russian anti-malware company Dr Web found that the Pixus Touch 7.85 3G, the Marshal ME-711, and more than 20 other smartphones for Android currently ship with stock firmware that is infected with malware.
Android.DownLoader.473.origin is one of those trojans. It's a downloader program that starts up every time an affected device turns on, monitors the Wi-Fi signal, and communicates with its command-and-control (C&C) server in order to load up additional malware like Adware.AdBox.1.origin.
Doctor Web provides some insight on this secondary threat in a blog post:
"Once installed, it displays a small box image on top of running applications. The image cannot be removed from the screen. It is a shortcut clicking on which opens a catalog integrated into Adware.AdBox.1.origin. In addition, the Trojan shows advertisements."
Showing advertisements, you say? Sounds a lot like some of the other Android trojans Dr Web's researchers have come across.
Even so, Adware.AdBox.1.origin is more persistent than other types of malware. That's because Android.DownLoader.473.origin will download and install Adware.AdBox.1.origin if and when the user should choose to delete it.
Android.DownLoader.473.origin isn't the only downloader trojan affecting these smartphones. Doctor Web also detected Android.Sprovider.7 embedded in the stock firmware of Lenovo A319 and Lenovo A6000. This malware loads up Android.Sprovider.12.origin, a payload which is capable of downloading APKs and displaying advertisements.
Both of those capabilities help generate income for the attackers. As Dr Web explains:
"It is known that cybercriminals generate their income by increasing application download statistics and by distributing advertising software. Therefore, Android.DownLoader.473.origin and Android.Sprovider.7 were incorporated into Android firmware because dishonest outsourcers who took part in creation of Android system images decided to make money on users."
At this time, users of the following smartphone models identified by Doctor Web should assume they're affected:
- MegaFon Login 4 LTE
- Irbis TZ85
- Irbis TX97
- Irbis TZ43
- Bravis NB85
- Bravis NB105
- SUPRA M72KG
- SUPRA M729G
- SUPRA V2N10
- Pixus Touch 7.85 3G
- Itell K3300
- General Satellite GS700
- Digma Plane 9.7 3G
- Nomi C07000
- Prestigio MultiPad Wize 3021 3G
- Prestigio MultiPad PMT5001 3G
- Optima 10.1 3G TT1040MG
- Marshal ME-711
- 7 MID
- Explay Imperium 8
- Perfeo 9032_3G
- Ritmix RMD-1121
- Oysters T72HM 3G
- Irbis tz70
- Irbis tz56
- Jeka JK103
I would recommend customers contact their company's technical support specialists as soon as possible. Most of those companies are working on a fix at the Russian anti-virus company's prompting, but they might have some mitigation steps users can implement while they await clean firmware.