Pre-pwned Android Phones
A major mobile operator has recently distributed about 3,000 Android devices pre-loaded with Windows malware. HTC Magic devices from Vodafone Spain have come preloaded with no less than 3 pieces of malware, the most severe of which (a “Mariposa” bot client) is configured to automatically run when a phone is connected to PCs running certain versions of Windows. As soon as a PC connects to the phone via USB, the malware uses Windows AutoRun functionality to automatically infect the PC. While it is important to note that the presence of this malware does not affect the operation of the phone, the phone is unsafe for users given how easily it can infect a PC.

This is not the first instance, nor will it be the last, where products have come “pre-pwned” from the factory. In the past, manufacturers have unknowingly distributed devices such as computer mice, digital photo frames, and even USB battery chargers that contain malware in their drivers or on the device itself. In the future, phones distributed with preloaded malware present a significant threat, especially if the malware were to infect the phone instead of only infecting PCs.
When you plug an Android phone into your computer, the phone may act like a removable USB drive, allowing you to access data stored on the phone’s memory card (e.g. pictures, videos). Windows has a mechanism, called AutoRun, for automatically running a program stored on a removable USB drive when it is connected (just like a CD or DVD). While AutoRun is ordinarily a convenience feature to help automatically start an installation process or launch a game, it can be used by attackers to infect a PC with malware. Versions of Windows before Vista perform AutoRun functionality without user intervention. In Windows Vista, inserting a removable drive displays a dialog giving options of whether or not to automatically run a program from the removable drive. Some forms of malware have taken advantage of the dialog in Vista by making the AutoRun option seem like a legitimate Windows operation. See this blog post from Microsoft for more details on AutoRun in Windows Vista and Windows 7.
At Lookout, when we encounter new security issues, we ask ourselves, “Is this something our users would want to be protected from?” In this case, the answer is absolutely yes. The current version of Lookout (a free download in the Android Market) warns you if there is a suspicious file on your memory card that tries to run a program when your phone is connected to a PC. Lookout can easily disable the AutoRun capability so that you will still be able to access your memory card and all of the data on it, but no programs stored on the memory card will automatically run when you connect your phone to your computer. Because not all AutoRun programs on memory cards are malicious, Lookout allows you to ignore the suspicious file and keep the AutoRun functionality. If you are unsure, we recommend choosing to quarantine any suspicious AutoRun files because you can still manually run programs stored on the memory card from your PC.
Unlike defenseless digital photo frames of the world, your mobile phone can now protect itself.
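The memory card check described above can be sketched as follows. This is an added example, not Lookout's code: it looks for an autorun.inf at the root of a mounted card, reports the [autorun] entries that would start a program, and can rename the file so the rest of the card stays readable. The function names and the sample file are constructed for illustration.

```python
import re
from pathlib import Path

# Constructed sample autorun.inf (not taken from the affected phones).
SAMPLE = r"""[AutoRun]
label=Photos
open=setup\launcher.exe
shell\explore\command = setup\launcher.exe
[Other]
open=ignored.exe
"""

# [autorun] keys that make Windows start a program from the drive.
EXEC_KEYS = {"open", "shellexecute"}
SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$")

def launch_entries(text):
    """Return (key, command) pairs in [autorun] that launch a program."""
    hits, section = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line and not line.startswith(";"):
            key, value = (part.strip() for part in line.split("=", 1))
            key = key.lower()
            if key in EXEC_KEYS or SHELL_CMD.match(key):
                hits.append((key, value))
    return hits

def find_autorun(root):
    """Locate autorun.inf at the volume root, whatever its letter case."""
    for entry in Path(root).iterdir():
        if entry.name.lower() == "autorun.inf" and entry.is_file():
            return entry
    return None

def scan_and_quarantine(root, quarantine=False):
    """Report launch entries; optionally rename the file so AutoRun skips it."""
    path = find_autorun(root)
    if path is None:
        return []
    data = path.read_bytes()
    bom = data[:2] in (b"\xff\xfe", b"\xfe\xff")  # UTF-16 file, else treat as ANSI
    hits = launch_entries(data.decode("utf-16" if bom else "latin-1"))
    if hits and quarantine:
        path.rename(path.with_name(path.name + ".quarantined"))
    return hits
```

Renaming rather than deleting keeps the file available if the user later decides the AutoRun entry was legitimate.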
Details on the scope of the malware
First details on the malware distributed on Android phones
As always, if you see anything suspicious on your mobile adventures, be sure to let us know by contacting security /at/ mylookout /dot/ com












[...] is the second phone this year to come preloaded from the factory with malware. We previously reported about an Android device from Vodaphone shipped with PC malware with a similar autorun [...]
I really like and appreciate your article. Really looking forward to reading more. Wonderful.