Specialists of the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik) warned about dangerous backdoor embedded in the firmware of some Android devices sold in Germany.Malware has been detected in the Doogee BL7000, M-Horse Pure 1, Keecoo P11, and VKworld Mix Plus firmwares (malware detected but inactive). All four devices are budget smartphones running Android.
Found by malware experts, this is an Andr/Xgen2-CY Trojan. Sophos Labs first noticed it in October 2018, when researchers discovered that malware was hidden in the SoundRecorder application, which was preinstalled on uleFone S8 Pro smartphones.
Sophos Labs analysts wrote that Andr/Xgen2-CY was created specifically as a non-removable backdoor. The initial task of the malware was to spy on the user: after turning on the device, Andr/Xgen2-CY is activated, collects details about the device and sends them to a remote server, waiting for further instructions.
Malware collected the following data:
- phone number;
- location information, including longitude, latitude and address;
- IMEI and Android ID;
- screen resolution;
- manufacturer, model, brand, OS version;
- processor information;
- network type;
- MAC address;
- ROM and RAM size;
- SD card size;
- language and country;
- mobile operator.
After information was transmitted from the device to malware operators, they could order the following to their malware:
- download and install the application;
- delete the application;
- execute a shell command;
- open the URL in the browser.
In addition, the Andr/Xgen2-CY developers took care of stealth: the malware was masked as an Android library. Now experts from the Federal Information Security Administration write that the malware is securely fixed in the firmware of the devices, so that removing backdoor is almost impossible.
Fixes for their gadgets so far released only one manufacturer: the patch is available only for smartphones Keecoo P11.
Experts have determined that at least 20,000 German IP addresses address the Andr/Xgen2-CY control servers every day, which gives an idea of the number of infected devices and people who regularly use dangerous gadgets. It is emphasized that the problem may affect users from other countries of the world.
Users were warned that their devices were endangered, and malware operators could use malware at any time to spread banking Trojans, extortionate or adware, as well as other threats.