
Preinstalled Malware Targeting Mobile Users - tambourine_man
http://blog.checkpoint.com/2017/03/10/preinstalled-malware-targeting-mobile-users/
======
pdog
If you care at all about security, use an iPhone. Make sure the latest version
of iOS is installed. Set up a difficult passcode.

Android security is a joke. Seriously. Don't use an Android phone.

~~~
chrisper
Yes, at the cost of not allowing you to do many things.

In that sense, a prison is safer than being outside, too. Should I live in a
prison instead then?

I am not trying to bash iOS here, but it is very clear that security in iOS
comes at the cost of freedom and not being able to do a lot of things. For
example, you can only install apps through the App Store. You cannot mount USB
drives and so on.

Security is always a tradeoff.

~~~
ubernostrum
One person's prison is another person's comfortable home. Many people do not
perceive iOS as a prison, and would take issue with your choice of words to
describe it as such. If you feel that it _is_, then of course there are
alternatives available. You just also know what you're giving up and the risks
you're taking.

(and, of course, Android is not so nice either without the magic non-Free bits
from Google...)

------
Animats
Now what? Will there be more action than a blog post? This is a major criminal
operation. If this has been found on multiple phones, tracing back the supply
chain should reveal the common insertion point. That's a routine law
enforcement job. The FBI has a "Cyber Division", and once in a while they
catch somebody.

------
mattsouth
"To protect themselves from regular and pre-installed malware, users should
implement advanced security measures capable of identifying and blocking any
abnormality in the device’s behavior." Aside from reflashing the device
before first use, and I suppose on a reasonably regular basis, are there any
other suggestions for implementing this suggestion?
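One concrete check a phone owner can run on their own, as an added example that is not from the article or Check Point: record the package list of a known-good device of the same model and build, then diff a suspect device's `adb shell pm list packages -f` output against it. The sample output and the baseline below are constructed for the example, and the package names in it are illustrative only. The partition test reflects a fact the page's reflashing advice depends on: a factory reset wipes only the user-data partition, so an app dropped onto /system or /vendor survives it and only a reflash removes it.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Partitions that a factory reset does not wipe. A package installed here
// survives "reset to factory settings"; only reflashing removes it.
var persistentPrefixes = []string{"/system/", "/vendor/", "/oem/", "/product/"}

// Finding describes one installed package that is not on the baseline.
type Finding struct {
	Package  string
	Path     string
	Persists bool // true when the APK lives on a partition a factory reset keeps
}

// ParsePmList parses lines in the format printed by
// `adb shell pm list packages -f`: package:<apk path>=<package name>.
// Lines that do not match that shape are ignored.
func ParsePmList(output string) map[string]string {
	pkgs := map[string]string{}
	for _, line := range strings.Split(output, "\n") {
		line = strings.TrimSpace(line)
		if !strings.HasPrefix(line, "package:") {
			continue
		}
		rest := strings.TrimPrefix(line, "package:")
		eq := strings.LastIndex(rest, "=") // package names contain no '='; paths might
		if eq < 0 {
			continue
		}
		pkgs[rest[eq+1:]] = rest[:eq]
	}
	return pkgs
}

// Audit returns every installed package that is not in baseline, with the
// ones on persistent (system) partitions listed first.
func Audit(installed map[string]string, baseline map[string]bool) []Finding {
	var out []Finding
	for name, path := range installed {
		if baseline[name] {
			continue
		}
		f := Finding{Package: name, Path: path}
		for _, p := range persistentPrefixes {
			if strings.HasPrefix(path, p) {
				f.Persists = true
			}
		}
		out = append(out, f)
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].Persists != out[j].Persists {
			return out[i].Persists
		}
		return out[i].Package < out[j].Package
	})
	return out
}

// Constructed sample of `pm list packages -f` output; names are illustrative.
const samplePmOutput = `package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/app/Chrome/Chrome.apk=com.android.chrome
package:/system/app/SysUpdate/SysUpdate.apk=com.sys.update.helper
package:/data/app/com.example.flashlight-1/base.apk=com.example.flashlight
package:/data/app/com.example.notes-2/base.apk=com.example.notes`

// Constructed baseline: what a known-good device of the same model and
// build reports (or the manufacturer's published package list).
var sampleBaseline = map[string]bool{
	"com.android.settings": true,
	"com.android.chrome":   true,
	"com.example.notes":    true,
}

func main() {
	for _, f := range Audit(ParsePmList(samplePmOutput), sampleBaseline) {
		action := "user partition: uninstall or factory reset"
		if f.Persists {
			action = "survives factory reset: reflash stock firmware"
		}
		fmt.Printf("%-26s %-52s %s\n", f.Package, f.Path, action)
	}
}
```

The baseline has to come from a device you trust, not from the suspect one; the comparison is only as good as the reference list, and a package that shares a name with a legitimate one (but carries different code) would not be caught by name alone, so pairing this with APK hashes from the reference device is the natural next step.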

~~~
Ensorceled
"Why yes! The authors just happen to work at a company that provides excellent
products that do just that!"

Not saying this isn't an important finding, but that part was a bit self-
serving.

~~~
bramblerose
Well, let's say they provide products. Let's not say they provide 'excellent
products'. After all, Check Point is one of those companies that suggests to
do SSL MITM 'to provide security'. They sniff your SNI to make sure you don't
look at XKCD. They randomly cut your connection if you try to download the
SHAttered pdf's over http. They are what makes corporate life tiring.

------
JohnTHaller
tl;dr: Don't buy used Android phones from third party resellers.

Every one of these was bought used from a third party that installed malware
prior to reselling. If you buy a new phone from a manufacturer, major
retailer, or major carrier, this doesn't apply to you. If you buy a used phone
from a trustworthy friend or family member and reset it for use, you're
probably cool. If you buy a used phone from someone you don't know/trust
online or off, flash it back to factory condition before you use it.

~~~
matt_wulfeck
Your handwavy fix is almost completely unrelated to the research. These were
large companies. They generally always buy phones through third parties. And
when work gives you a phone how will you figure out who touched it?

Rather than giving people a lengthy and arbitrary list of purchase caveats,
why not ask why it's so difficult to secure an android phone through the
supply chain? And what, if anything, are other phone manufacturers doing that
might be making the problem much more secure?

------
rahimnathwani
"The malicious apps weren't part of the official ROM firmware supplied by the
phone manufacturers but were added later somewhere along the supply chain."

I'm not sure how they consider that 'pre-installed'.

~~~
empath75
They were installed before they opened the box. I think that counts.

~~~
rahimnathwani
The article makes no mention of the phones being received in the original
boxes, or in any boxes at all.

A more appropriate headline might be 'wholesalers install malware on phones
before sale'.

~~~
omginternets
That's _exactly_ what "preinstalled" means.

~~~
privong
> That's exactly what "preinstalled" means.

Eh, "preinstalled" isn't specific enough. I interpreted it similarly to some
of the other folks in the thread, that it meant installed by my mfgs. But
whether "preinstalled" is that specific or not is mostly a moot point, since
it's apparent that the wording of the title isn't sufficiently precise.

~~~
omginternets
Christ, the pedantry is reaching unprecedented levels.

The wording of the title is just fine. This is just a case of someone trying
to show how smart they are by nitpicking on insignificant details and feigning
non-comprehension.

In doing so, the discussion is no longer on the substance of the article, but
rather on insignificant semantics.

------
srinathrajaram
This presents a completely new kind of threat. I wonder how the industry would
respond to this. When you do a fresh install, perform some kind of
checksumming to verify the integrity of the OS with all its installed
software. This cannot possibly be implemented by Google because each
manufacturer has its own bloatware that it needs to pre-install. I wonder if
Samsung and LG will wake up to this and create a security module?

~~~
ikeboy
If the ROM isn't signed by the manufacturer, or is unlocked and modified,
display a warning on each boot. Chromebooks do this, as does my Moto X.

You can change whatever you like, but if it's not stock there's a clear
warning. I'm fine with that.

~~~
Cyph0n
My question then becomes: where is the manufacturer's certificate stored on
the phone/laptop? Because if it isn't stored in a secure manner, an attacker
could still modify the ROM and replace the certificate, and you would be none
the wiser ;)

~~~
ikeboy
In literal ROM, as in read-only burn once memory.

~~~
Cyph0n
You are aware that e.g. Android ROM is flashable? So it's not a ROM in the
literal sense -- probably EEPROM or something. I'd imagine an _actual_ ROM
(non-erasable) would only contain the bootloader and/or BIOS. So the
manufacturer could sign those and check them, but everything afterwards would
be modifiable.

Let's assume that the manufacturer places its cert in ROM so nobody can change
it. Great! We are totally secure! Actually, not at all. Where does the
signature check take place? In software? Then an attacker could man-in-the-
middle and feed the signature check function with a malicious cert. Even if
this was not a problem somehow, how would the manufacturer handle key
revocation? The cert is burned in, so if their key is compromised, every
single device out there is broken.

In summary, unless every single step of the signature check is performed in an
isolated environment (e.g., TPM), an attacker will always be able to
circumvent the process. Solid crypto is not enough; you need to also ensure
that the crypto implementation is tamper-resistant!
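
The chain ikeboy and Cyph0n are discussing (a root key anchored in read-only memory, a signature check over the flashable firmware, and a way to revoke a leaked signing key) as a compact model, written here as an added example; it is not from the article, from Check Point, or from any vendor's verified-boot implementation. It assumes Ed25519 signatures, that the ROM holds a SHA-256 of the root public key rather than the key itself, and that an anti-rollback counter lives in storage that firmware cannot lower (fuses or similar). Real schemes (Chrome OS verified boot, Android Verified Boot) use their own key and manifest formats.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"sort"
)

// KeyManifest binds a per-release signing key to a rollback index and is
// signed by the root key. Revoking a leaked signing key means issuing a
// manifest with a higher index and raising the device's minimum index, so
// the old manifest is refused even though its signature is still valid.
type KeyManifest struct {
	SigningPub    ed25519.PublicKey
	RollbackIndex uint32
	RootPub       ed25519.PublicKey // shipped in flash; checked against the ROM hash
	RootSig       []byte            // root signature over (SigningPub || RollbackIndex)
}

// BootImage is the flashable firmware plus the signing key's signature
// over its SHA-256.
type BootImage struct {
	Payload []byte
	Sig     []byte
}

func manifestBody(pub ed25519.PublicKey, idx uint32) []byte {
	buf := make([]byte, 4)
	binary.BigEndian.PutUint32(buf, idx)
	return append(append([]byte{}, pub...), buf...)
}

// VerifyBoot models the check the boot ROM runs before jumping into
// flashable code. rom is the only trust anchor: the SHA-256 of the root
// public key, burned in at manufacture. minIndex is the anti-rollback
// counter. This function itself must also live in ROM; a hash in ROM
// checked by code in flash can be bypassed by editing the code.
func VerifyBoot(rom [32]byte, minIndex uint32, m KeyManifest, img BootImage) error {
	if sha256.Sum256(m.RootPub) != rom {
		return errors.New("root key does not match ROM hash")
	}
	if !ed25519.Verify(m.RootPub, manifestBody(m.SigningPub, m.RollbackIndex), m.RootSig) {
		return errors.New("key manifest signature invalid")
	}
	if m.RollbackIndex < minIndex {
		return errors.New("signing key revoked (rollback index below minimum)")
	}
	digest := sha256.Sum256(img.Payload)
	if !ed25519.Verify(m.SigningPub, digest[:], img.Sig) {
		return errors.New("boot image signature invalid")
	}
	return nil
}

func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Release models the manufacturer: a fresh signing key is certified by the
// root key at rollback index idx, then signs the firmware payload.
func Release(rootPub ed25519.PublicKey, rootPriv ed25519.PrivateKey, idx uint32, payload []byte) (KeyManifest, BootImage) {
	signPub, signPriv := mustKey()
	m := KeyManifest{SigningPub: signPub, RollbackIndex: idx, RootPub: rootPub,
		RootSig: ed25519.Sign(rootPriv, manifestBody(signPub, idx))}
	d := sha256.Sum256(payload)
	return m, BootImage{Payload: payload, Sig: ed25519.Sign(signPriv, d[:])}
}

// Scenarios runs the stock image plus the three attacks from the thread
// and reports, per case, whether the boot check behaved correctly.
func Scenarios() map[string]bool {
	rootPub, rootPriv := mustKey()
	rom := sha256.Sum256(rootPub)
	m, img := Release(rootPub, rootPriv, 1, []byte("stock system image (constructed)"))
	out := map[string]bool{}
	out["stock image accepted"] = VerifyBoot(rom, 1, m, img) == nil

	// A reseller adds an app to the image: the hash changes, the signature fails.
	tampered := img
	tampered.Payload = append(append([]byte{}, img.Payload...), []byte(" + adware.apk")...)
	out["tampered image rejected"] = VerifyBoot(rom, 1, m, tampered) != nil

	// The attacker swaps in their own root key and re-signs everything:
	// the key is not the one whose hash is in ROM.
	evilPub, evilPriv := mustKey()
	em, eimg := Release(evilPub, evilPriv, 1, tampered.Payload)
	out["swapped root key rejected"] = VerifyBoot(rom, 1, em, eimg) != nil

	// The signing key leaks; the manufacturer raises the minimum index to 2.
	// The old manifest is refused, a re-signed release at index 2 is accepted.
	out["revoked signing key rejected"] = VerifyBoot(rom, 2, m, img) != nil
	m2, img2 := Release(rootPub, rootPriv, 2, img.Payload)
	out["re-signed release accepted"] = VerifyBoot(rom, 2, m2, img2) == nil
	return out
}

func main() {
	res := Scenarios()
	names := make([]string, 0, len(res))
	for k := range res {
		names = append(names, k)
	}
	sort.Strings(names)
	for _, k := range names {
		fmt.Printf("%-32s %v\n", k, res[k])
	}
}
```

Two points this makes concrete: burning a hash rather than the key into ROM costs 32 bytes and still detects a swapped certificate, and revocation without touching ROM is possible because the ROM trusts a root key that only certifies short-lived signing keys, with the rollback counter (not the ROM) deciding which of those are still acceptable. What it does not solve is a compromise of the root key itself; that is why vendors keep the root offline and use it only to sign manifests.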

~~~
ikeboy
>You are aware that e.g. Android ROM is flashable?

Yes, I was poking fun at the name :)

Apparently moto messages can be deleted
([http://www.droidviews.com/remove-unlocked-bootloader-warning-on-moto-g-moto-x-purestyle-using-fastboot/](http://www.droidviews.com/remove-unlocked-bootloader-warning-on-moto-g-moto-x-purestyle-using-fastboot/))
so it's not handled in read-only memory.

Chromebooks do this properly, though. See
[http://dhanus.mit.edu/docs/ChromeOSSecurity.pdf](http://dhanus.mit.edu/docs/ChromeOSSecurity.pdf).
Section 3.1.1 talks about the specifics, root keys, etc.

~~~
Cyph0n
> Yes, I was poking fun at the name :)

You got me haha :P

> Chromebooks do this properly, though. See
> [http://dhanus.mit.edu/docs/ChromeOSSecurity.pdf](http://dhanus.mit.edu/docs/ChromeOSSecurity.pdf).
> Section 3.1.1 talks about the specifics, root keys, etc.

Looks interesting, I'll check it out.

------
ebbv
This is clearly just an ad post. Can we stop allowing this stuff on HN? This
is like Burger King posting an article "Hunger affecting 100% of living people
up to several times a day has only one solution."

From my perspective there's been a drastic rise in these kinds of ad posts
appearing on the HN front page lately. I dunno if it's vote manipulation via
paid viral marketing or something else but it sucks.

~~~
tarr11
The HN guidelines say that you should just flag the post and avoid comments
like this:

"Please don't submit comments complaining that a submission is inappropriate
for the site"

~~~
ebbv
Dude come on. Don't quote the guidelines at people unless they're new users
who might not actually be aware.

I think it's pretty clear from my comment why I'm saying something; it's not
just about this one article, there's been a rise in these obvious ads on the
site in general (from my point of view), and I feel something needs to be done
about it. I've obviously flagged every one of them but that's not enough.

The point of me making a comment about it is to see if other people feel the
same way. If you don't agree, you can reply and say "I don't agree, I think
these ads are good / I don't see many of them / whatever."

Replying and quoting the guidelines like that is trying to just shut down the
discussion and/or just being pedantic.

------
bitmapbrother
If you look at the list of phones you'll quickly notice that 1/2 of the phones
aren't even manufactured anymore. There is even a Nexus 5 in that list. What
does this tell us? These 2 companies purchased these phones from a re-seller
that clearly modified the phones by installing malware on them.

------
patgenzler
If you care about security, use iPhone or Google Android phone (pixel).
They're not bullet proof, but they're 5x more secure by virtue of being able
to react to issues like this immediately. Third party integrations like rest
of Android phones are messy by design security wise.

------
khedoros1
So, it's an ad for their product/services/whatever. I'd be a lot more
interested in a discussion of practical things that phone owners can do to
detect malware, avoid infection, etc on their own.

------
marze
If I were a spy, I'd certainly make my "malware" look like a common adnet or
ransomware app.

Surprised this possibility wasn't discussed in the article.

------
rdiddly
Tell you what else is plaguing mobile users: the staunchly non-responsive
design of the linked article's page. Is it a mobile article aimed at desktop
users?

