Cybersecurity

Lars Bube | Davina Spohn,

BSI warns of contaminated devices

The German Federal Office for Information Security (BSI) has discovered pre-installed malware in the firmware of some smartphones and tablets that are sold online.

© Michael Borgers - 123RF

While premium manufacturers are once again presenting their new flagship smartphones at the Mobile World Congress at prices well above the €1,000 mark, competition and price wars in the lower price segment are becoming increasingly fierce. Numerous manufacturers now offer devices for little more than 100 euros with features that were reserved for the top end of the market just two or three years ago. Some of these supposed bargains, however, also bring uninvited guests into the home, as the German Federal Office for Information Security (BSI) has now found: its experts discovered malware in the firmware of several devices sold primarily via online platforms.

For example, the BSI reports that it found malware pre-installed on a Krüger&Matz 'Eagle 804' tablet purchased via Amazon; the malware connects to a known command & control (C&C) server as soon as the device is switched on. This gives attackers access to content and control functions on the device, which they can use to read data and download further malware. Amazon has told the BSI that, after being contacted by the BSI, it has for the time being removed the three devices named in the BSI's report from its range.

The firmware supplied by the manufacturers of the 'Ulefone S8 Pro' and 'Blackview A10' smartphones carries similar unwanted baggage. Devices currently being shipped do come with a newer firmware version that no longer contains the malware. However, the BSI assumes that numerous older devices sold last year still carry the infected firmware. Because the new version is not offered as a separate update, affected owners cannot update their devices. Nor can the malware be removed afterwards, since it is embedded in the firmware itself and therefore survives a factory reset, which only wipes user data. In view of these findings, the BSI warns against continuing to use affected devices with infected firmware and advises all users to exercise particular caution.


Retailers have a duty

The BSI's research also suggests that there are probably numerous other devices with pre-installed malware. The experts point primarily to so-called sinkhole data submitted to the BSI, that is, records of connection attempts to the malicious command & control server captured by a sinkhole that answers in its place. This data shows more than 20,000 connections per day from various IP addresses to the C&C server. The BSI has therefore notified the German network operators, via CERT-Bund reports, of the infected devices in their networks and asked them to inform their affected customers. In addition, the BSI has published information and recommendations online on how buyers of the affected devices should proceed and how customers can reduce the risk of falling into similar traps.
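To show what turning sinkhole data into operator notifications involves, here is an added example in Python. It is not BSI or CERT-Bund tooling, and the log format, the C&C hostname "c2.example.invalid", the log lines and the prefix-to-operator table are all constructed for illustration; a real CERT would resolve source addresses to operators via routing or ASN data.

```python
"""Triage of sinkhole log lines for a known C&C hostname.

Added example, not BSI or CERT-Bund code. Log format, hostname, records
and the prefix-to-operator table are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sinkhole records: "<ISO timestamp> <source IP> <requested host>"
SINKHOLE_LOG = """\
2019-02-25T08:01:12Z 192.0.2.17 c2.example.invalid
2019-02-25T08:01:40Z 192.0.2.17 c2.example.invalid
2019-02-25T09:15:03Z 198.51.100.8 c2.example.invalid
2019-02-25T09:15:10Z 203.0.113.77 other.example.invalid
2019-02-25T21:44:59Z 198.51.100.9 c2.example.invalid
2019-02-26T00:02:31Z 192.0.2.17 c2.example.invalid
2019-02-26T03:30:00Z 198.51.100.8 c2.example.invalid
2019-02-26T03:31:00Z 203.0.113.5 c2.example.invalid
2019-02-26T not-a-record
"""

# Hypothetical sinkholed C&C hostname (assumption, not from the BSI report).
C2_HOST = "c2.example.invalid"

# Constructed prefix-to-operator table (documentation prefixes, RFC 5737).
OPERATOR_PREFIXES = {
    ip_network("192.0.2.0/24"): "Operator A",
    ip_network("198.51.100.0/24"): "Operator B",
    ip_network("203.0.113.0/24"): "Operator C",
}


def parse_records(text):
    """Yield (day, source_ip, host) for well-formed lines; skip malformed ones."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, src, host = parts
        try:
            day = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date().isoformat()
            src_ip = ip_address(src)
        except ValueError:
            continue
        yield day, src_ip, host


def operator_for(ip):
    """Map a source address to the operator whose prefix contains it."""
    for net, name in OPERATOR_PREFIXES.items():
        if ip in net:
            return name
    return "unknown"


def daily_c2_stats(text, c2_host=C2_HOST):
    """Per day: total C&C connections and number of distinct source IPs."""
    conns = defaultdict(int)
    sources = defaultdict(set)
    for day, src_ip, host in parse_records(text):
        if host != c2_host:
            continue  # sinkholes see other domains too; keep only the C&C
        conns[day] += 1
        sources[day].add(src_ip)
    return {
        day: {"connections": conns[day], "distinct_sources": len(sources[day])}
        for day in conns
    }


def operator_notifications(text, c2_host=C2_HOST):
    """Distinct infected source IPs grouped by network operator for notification."""
    per_operator = defaultdict(set)
    for _day, src_ip, host in parse_records(text):
        if host == c2_host:
            per_operator[operator_for(src_ip)].add(str(src_ip))
    return {op: sorted(ips) for op, ips in per_operator.items()}


if __name__ == "__main__":
    for day, stats in sorted(daily_c2_stats(SINKHOLE_LOG).items()):
        print(day, stats)
    for op, ips in sorted(operator_notifications(SINKHOLE_LOG).items()):
        print(op, ips)
```

The distinct-source count is an estimate, not a device count: several devices behind one carrier-grade NAT share an address, and one device on a dynamic address can show up under several addresses in a day. That is why the data is handed to the operators, who can match an address and timestamp to a subscriber, rather than being used to reach end users directly.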

"Once again, this case clearly shows that price or technical features alone should not be a criterion for a purchase decision. Otherwise, users may end up paying a significant price with their data or through fraudulent activities," warns BSI President Arne Schönbohm. In addition to manufacturers and customers, he also believes that retailers have a duty: "They must also ensure that such devices do not enter the market in the first place."

A more detailed description of the 'Andr/Xgen2-CY' malware found in all three cases described by the BSI, and of the risks it poses, is provided by security vendor Sophos, which had already reported corresponding infections on Ulefone devices last year. According to that report, the malware immediately transmits various identifying data about the device to the C&C server. Further malware, such as banking Trojans, can then be delivered to and executed on the affected devices, according to Sophos.
