Pocket Pests: How Chinese Android Smartphones Secretly Commit Cybercrime

Android smartphones are often sold with a slew of pre-installed software: messengers, social network clients, games, and sometimes even trojans. Our colleagues at Trend Micro conducted a major investigation into cases of malware being distributed through factory firmware on smartphones and shared their preliminary findings. In this article, we’ll take a detailed look at their research—and the results are quite eye-opening.

How Trojans End Up in Smartphone Firmware

First, let’s talk about how trojans get into mobile device firmware in the first place. This method of malware distribution is called a supply chain attack, meaning the infection happens during manufacturing, before the device ever reaches the buyer. There’s been much speculation about which part of the Android device development chain is the “bad actor,” but to understand the root of the problem, we need to look at the evolution of modern Chinese smartphones.

Behind the Great Wall

Around 2010, several Chinese companies—most notably MediaTek—began mass-producing “system-on-chip” (SoC) solutions, which essentially provided a ready-made foundation for Android smartphones. This led to a boom in small factories (mainly in Shenzhen, China’s “electronics capital”) churning out their own smartphone models based on these SoCs. The market was quickly flooded with “semi-finished” phones—fully assembled devices, just without firmware. Other Chinese companies specializing in electronics import and marketplace sales would buy these and add their own firmware.

Where there’s hardware, there’s software. The influx of “smartphone raw materials” led to the rise of thousands of companies in China that produced custom firmware for these devices. These firms, known as 刷機 (shuaji), make firmware with different software packages, launchers, and “fun wallpapers” for various clients—retailers, wholesalers, and foreign companies selling these phones under their own brands. Sometimes, a smartphone would change firmware several times before reaching the end user.

Despite high demand, competition in this market was fierce. Developers and “firmware flashers” had to undercut each other’s prices. To recoup costs and make a profit, shuaji companies came up with an alternative monetization channel: charging software makers a commission for pre-installing apps on smartphones—usually 5 to 10 yuan per installation.

The next logical step: if you add a loader app to the firmware that can download and install other programs on command from a control server, you can make even more money. Around these shuaji companies, agencies specializing in mobile advertising and mass app installation emerged. In pursuit of extra profit, some phones came “from the factory” with apps containing adware partnerships.

Apps included in Android smartphone firmware by default have high execution priority, access to SMS sending and receiving, the user’s address book, the ability to download and install other apps, and can influence the device’s boot process. These apps can’t be removed unless the user has root access.
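The permission profile just described (SMS access, contacts, the ability to install other apps, a hand in the boot process) is something a defender can audit on a device before trusting it. The script below is an added example, not code from the article or from Trend Micro: it parses the text output of two standard adb commands (`adb shell pm list packages -s` for the list of system packages and `adb shell dumpsys package <pkg>` for each package’s permissions) and flags pre-installed packages that combine SMS permissions with the right to install packages. The adb output embedded in it is constructed for offline use, and the package name `com.example.ota.helper` is made up.

```python
"""Audit a phone's pre-installed (system) packages for the permission
profile the article describes: SMS access combined with the ability to
install further apps. Added example, not code from the article or from
Trend Micro. It parses the text output of two standard adb commands:
    adb shell pm list packages -s        (system packages only)
    adb shell dumpsys package <pkg>      (per-package details)
The sample outputs below are constructed; com.example.ota.helper is made up."""
import re
import shutil
import subprocess

# Permissions a pre-installed app needs for the behaviour described in the
# article: read/send SMS, read contacts, install apps, run at boot.
RISKY_PERMISSIONS = {
    "android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
    "android.permission.SEND_SMS", "android.permission.READ_CONTACTS",
    "android.permission.INSTALL_PACKAGES",
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.RECEIVE_BOOT_COMPLETED",
}
# Matches both bare manifest entries and "perm: granted=true/false" lines.
PERM_LINE = re.compile(r"([\w.]+\.permission\.[A-Z0-9_]+)(?::\s*granted=(\w+))?")

def parse_package_list(text):
    """Turn 'package:com.foo' lines from `pm list packages` into names."""
    return [line.split(":", 1)[1].strip()
            for line in text.splitlines() if line.startswith("package:")]

def requested_or_granted(dumpsys_text):
    """Permissions the package requests in its manifest (bare names under
    'requested permissions:') or that dumpsys reports as granted=true."""
    perms = set()
    for raw in dumpsys_text.splitlines():
        m = PERM_LINE.match(raw.strip())
        if m and m.group(2) != "false":
            perms.add(m.group(1))
    return perms

def risky_held(dumpsys_text):
    """Sorted list of the risky permissions this package holds or requests."""
    return sorted(requested_or_granted(dumpsys_text) & RISKY_PERMISSIONS)

def is_flagged(risky):
    """Flag the SMS + install-apps combination: a stock messaging app holds
    SMS permissions, but has no business installing other packages."""
    has_sms = any(p.endswith("_SMS") for p in risky)
    can_install = any(p.endswith("INSTALL_PACKAGES") for p in risky)
    return has_sms and can_install

def audit(package_list_text, dumpsys_by_package):
    """Return {package: [risky permissions]} for flagged system packages."""
    flagged = {}
    for pkg in parse_package_list(package_list_text):
        risky = risky_held(dumpsys_by_package.get(pkg, ""))
        if is_flagged(risky):
            flagged[pkg] = risky
    return flagged

def live_audit():
    """Same audit against a USB-connected device (needs adb in PATH)."""
    if shutil.which("adb") is None:
        raise RuntimeError("adb not found in PATH")
    run = lambda *args: subprocess.run(["adb", "shell", *args],
                                       capture_output=True, text=True).stdout
    pkgs_text = run("pm", "list", "packages", "-s")
    dumps = {p: run("dumpsys", "package", p) for p in parse_package_list(pkgs_text)}
    return audit(pkgs_text, dumps)

# --- constructed sample data standing in for real adb output ---
SAMPLE_PACKAGE_LIST = ("package:com.android.settings\n"
                       "package:com.example.ota.helper\n"
                       "package:com.android.mms\n")
SAMPLE_DUMPSYS = {
    "com.android.settings": """  Package [com.android.settings] (1a2b3c):
    requested permissions:
      android.permission.WRITE_SETTINGS
    install permissions:
      android.permission.WRITE_SETTINGS: granted=true
""",
    "com.example.ota.helper": """  Package [com.example.ota.helper] (4d5e6f):
    flags=[ SYSTEM ]
    requested permissions:
      android.permission.RECEIVE_SMS
      android.permission.READ_SMS
      android.permission.INSTALL_PACKAGES
      android.permission.RECEIVE_BOOT_COMPLETED
      android.permission.INTERNET
    install permissions:
      android.permission.INSTALL_PACKAGES: granted=true
      android.permission.RECEIVE_BOOT_COMPLETED: granted=true
      android.permission.READ_CONTACTS: granted=false
""",
    "com.android.mms": """  Package [com.android.mms] (7a8b9c):
    requested permissions:
      android.permission.RECEIVE_SMS
      android.permission.SEND_SMS
      android.permission.READ_SMS
""",
}

if __name__ == "__main__":
    for pkg, perms in audit(SAMPLE_PACKAGE_LIST, SAMPLE_DUMPSYS).items():
        print(f"{pkg}: {', '.join(perms)}")
```

On the constructed sample, only `com.example.ota.helper` is flagged: the stock messaging app also holds SMS permissions, but cannot install packages, so it passes. Treat the output as a list of packages to look at more closely, not as proof of infection; a legitimate OEM updater may hold `INSTALL_PACKAGES` too.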

In recent years, the market has become a bit more civilized: a significant share is now held by OEM device developers in Shenzhen, as well as companies offering “white labeling”—producing batches of existing Chinese phone models under a client’s brand.

All these devices still need firmware, localization, launchers, and over-the-air update mechanisms. Chinese hardware manufacturers and assemblers don’t develop firmware themselves; they outsource it to the same shuaji companies. What a subcontractor adds to a device’s firmware is often known only to them. That’s why smartphones with “surprises” occasionally pop up on AliExpress and in retail stores.

From Adware to Full-Blown Malware

Sometimes, in addition to loaders and adware, something more serious gets into the firmware: apps for intercepting confidential data and remotely controlling the smartphone. Some infected devices (called 肉雞, or “broilers,” in China) can be combined into botnets used by criminals for DDoS attacks, for example.

Other monetization methods include automatically inflating website counters, clicking ads, subscribing users to paid services, and even taking screenshots or photos of the device owner for blackmail purposes.

Data on infected phones is openly sold on Chinese forums: programs for detecting and remotely controlling infected smartphones cost about 300 yuan. This is a thriving business: in addition to buying such programs, selling app downloads, and renting C&C servers for botnets, Chinese forums actively advertise “hacker training” services—mainly teaching people how to use trojan-infected smartphones en masse.

These script kiddies are called “xiaobai” (小白) in China, which translates to “noob” or “rookie.” Training xiaobai in the basics of using ready-made hacking tools for smartphones is a significant source of income for the regulars of these “underground” platforms.

Sometimes, infected phones are added to databases for SMS receiving and sending services (for registering on sites that require phone number verification). The owner of a Chinese phone may have no idea their number is being quietly rented out. Such services, operating not only in China but worldwide, enable mass registration of “disposable” accounts. This is widely used in a scam known in China as 薅羊毛 (“shearing the sheep”).

“Shearing the Sheep”: How Scammers Profit

In China, it’s common for online services to offer new users a certain number of bonus points upon registration, which can be spent on goods (for example, on Taobao). Sometimes, paying with bonus points gets you an extra discount. Using SMS verification services, scammers register tons of new accounts and then sell the accumulated bonus points at a discount.

For example, in 2018, Starbucks China launched a promotion: every new user of their mobile app received a coupon for a free coffee worth about 30 yuan. On the first day, using mass account registration platforms, Chinese users created over 400,000 fake accounts to get free coffee. The losses for Starbucks are easy to calculate.

Trend Micro began investigating this type of fraud, but the problem turned out to be much deeper than initially thought.

SMS PVA: The Role of Infected Phones in Account Verification

Registering SMS-verified accounts is called phone-verified account (PVA) registration. Earlier SMS PVA services relied on IP telephony and SMS gateways; newer ones hide where the numbers come from, and the verification codes simply reach the customer through an API. Trend Micro analysts found that at least one such service operated on top of a botnet of thousands of infected Android smartphones.

Infected smartphones are used to receive, analyze, and forward SMS verification codes without the owners’ knowledge or consent. Experts found that the malware was either pre-installed in the phone’s firmware or downloaded by a hidden loader app.

Setting up such a service doesn’t require significant investment. Owners don’t need to buy expensive equipment, lots of SIM cards, or pay for mobile service. All that’s needed is access to a database of infected smartphones that can send, receive, and forward messages, as well as provide geolocation data (so the service can select the region for SMS reception and account registration).

Investigation: How the Scam Works

In August 2020, Trend Micro specialists noticed an SMS PVA service running an active ad campaign on Facebook. The service offered SMS registration for platforms like Facebook, Instagram, Google, Hotmail, Yahoo, VKontakte, TikTok, Amazon, Alibaba, Uber, Twitter, YouTube, and LinkedIn, with phone numbers available in over 100 countries. Users could try the service for free at receivecode.com.

For “wholesale buyers,” a separate site at smspva.net offered a full-featured API. Users could rent a pool of phone numbers from a chosen country or region, manage them, and set up SMS forwarding to apps or online services. Supported apps included Amazon, Twitter, Facebook, QQ (a popular Chinese messenger), TikTok, and more. Customers could even request support to add new apps by providing a sample SMS.

When a client selected a phone number, it was reserved for them for a set time (default: five minutes), after which it became available to others. Once released, the same number couldn’t be used to register on the same app again, but could be used for other apps.

All this raised red flags for cybersecurity experts. The service limited repeated use of the same number to hide malicious activity from the real owner. It only worked with a limited set of apps, mainly for new account registration—not for two-factor authentication. Most importantly, it didn’t forward the entire SMS to the client, but parsed out the one-time code and sent only that. If the SMS was obtained legally, why not forward the whole message? Finally, the number of phone numbers offered in various countries didn’t match the cost of the service—maintaining that many SIM cards officially would be expensive.

Upon further investigation, Trend Micro found an almost identical service in the Chinese .cn domain at enjoynut.cn, using the same logo, similar login page, nearly identical API, and, crucially, linked to several domains known from Android trojan research.

For example, enjoynut.cn was used as a C&C server in a DEX file of the AndroidOS_Guerilla trojan, which intercepts and parses SMS for carders. Another C&C, sublemontree.com, was also found in this trojan. Using these code fragments and C&C traffic as samples, experts identified two more DEX files with similar functions, indicating active malware development. These trojans don’t intercept all SMS, only those sent by certain services and matching a regular expression from the C&C. In other words, the trojans’ capabilities match the APIs of enjoynut.cn and smspva.net.

It appears the malware authors limited message forwarding for two reasons: first, to avoid interfering with SMS requested by the phone’s real user, and second, to prevent two-factor authentication attempts that could lead to theft of funds from infected device owners—since that would likely raise alarms and cause services like SmsPVA to lose their most valuable asset: a large pool of infected smartphones.

National Peculiarities and Global Impact

When registering accounts with SMS, many services perform additional checks, such as whether the phone number matches the client’s geographic location and IP address. This is to ensure, for example, that certain content is only available in specific countries, or that some services aren’t provided to users from certain regions. By using proxies and VPNs, users of SMS PVA services can bypass these restrictions.
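The behaviour described above also gives a service operator something to detect: a number whose country does not match the client’s IP country, and a number that registers on several different apps in quick succession (the service leased each number for about five minutes and then reused it for other apps). The script below is an added example, not code from the article or from Trend Micro; it scores a constructed registration log on those two signals. The prefix table covers only the four countries the article names and stands in for a full numbering plan, and the app names and events are constructed.

```python
"""Server-side heuristics for spotting registrations that come through an
SMS PVA pool rather than from a phone's real owner. Added example, not code
from the article or from Trend Micro. Two signals the article describes:
  1. the phone number's country does not match the client's IP country;
  2. one number registers on several different apps within a short window.
The prefix table and registration events below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed subset of E.164 country calling codes (the countries the
# article names); a real deployment would use a complete numbering table.
PREFIX_TO_COUNTRY = {"+62": "ID", "+27": "ZA", "+7": "RU", "+1": "US"}
WINDOW = timedelta(hours=1)   # look-back for "many apps, one number"
MAX_APPS_PER_WINDOW = 3       # distinct apps within WINDOW that trigger a flag

def country_from_number(number):
    """Map an E.164 number to a country code, longest prefix first."""
    for plen in (3, 2):
        if number[:plen] in PREFIX_TO_COUNTRY:
            return PREFIX_TO_COUNTRY[number[:plen]]
    return None

def score_registrations(events):
    """events: dicts with keys ts (ISO 8601), number, ip_country, app.
    Returns {number: [reasons]} for numbers that look rented, so the service
    can step up verification for them instead of treating SMS as proof."""
    by_number = defaultdict(list)
    for e in events:
        by_number[e["number"]].append(
            (datetime.fromisoformat(e["ts"]), e["app"], e["ip_country"]))
    reasons = defaultdict(list)
    for number, regs in by_number.items():
        regs.sort()
        home = country_from_number(number)
        # Signal 1: geographic mismatch between SIM country and client IP.
        foreign = sorted({ip for _, _, ip in regs if home and ip != home})
        if foreign:
            reasons[number].append(f"number is {home} but IP from {foreign}")
        # Signal 2: one number registering on many apps inside WINDOW.
        for start, _, _ in regs:
            apps = {app for ts, app, _ in regs if start <= ts <= start + WINDOW}
            if len(apps) >= MAX_APPS_PER_WINDOW:
                reasons[number].append(f"{len(apps)} apps within {WINDOW}")
                break
    return dict(reasons)

# Constructed registration log: one genuine user per country plus two
# numbers that behave like a rented pool number.
SAMPLE_EVENTS = [
    {"ts": "2021-12-01T10:00:00", "number": "+6281000000001", "ip_country": "ID", "app": "messenger_a"},
    {"ts": "2021-12-01T10:00:30", "number": "+6281000000002", "ip_country": "US", "app": "messenger_a"},
    {"ts": "2021-12-01T10:06:10", "number": "+6281000000002", "ip_country": "US", "app": "messenger_b"},
    {"ts": "2021-12-01T10:14:45", "number": "+6281000000002", "ip_country": "DE", "app": "social_c"},
    {"ts": "2021-12-01T09:00:00", "number": "+27820000003", "ip_country": "ZA", "app": "shop_d"},
    {"ts": "2021-12-01T12:00:00", "number": "+27820000003", "ip_country": "ZA", "app": "shop_e"},
    {"ts": "2021-12-01T11:30:00", "number": "+12025550104", "ip_country": "RU", "app": "social_c"},
]

if __name__ == "__main__":
    for number, why in score_registrations(SAMPLE_EVENTS).items():
        print(number, "->", "; ".join(why))
```

Neither signal is conclusive on its own (travellers and VPN users trip the first, heavy users of a new phone can trip the second), which is why the function returns reasons rather than a verdict: the sensible response is to require a second factor or a manual review for those numbers, not to block them outright.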

Meanwhile, the real phone owner may lose the ability to register on some sites, messengers, or social networks, since their number has already been used by criminals. The reasons for this could be spam, fraud, drug trafficking, illegal purchases, money laundering—anything. For example, fake accounts are registered in car-sharing services using these numbers, allowing dishonest people to rent expensive cars. If something goes wrong, it’s almost impossible to identify the real cybercriminal, but law enforcement can easily trace the compromised phone number back to its real owner. If a car rented with a fake account is involved in an accident, the real phone owner will be held responsible.

Statistics on the use of such services and the number of phone numbers they offer show the problem is global. These platforms have pools of hundreds of thousands of phone numbers used on trojan-infected devices. Most of these devices were likely infected during firmware installation by Chinese companies. Typically, these are cheap smartphones from little-known brands bought on marketplaces. The breakdown of available phone numbers in one SMS PVA service by country as of December 2021 (table not reproduced here) spans countries from Indonesia and South Africa to Russia and even the USA.

Trend Micro specialists also found which services most often register accounts using infected phones via smspva.net:

  • Top messengers: LINE, WeChat, WhatsApp
  • Also popular: TikTok, PayPal
  • Social networks: Twitter, Facebook
  • Payment tools: Alipay, MoneyLion

Fake registrations in messengers are likely used for spam and scams, while social network accounts are used for boosting followers and likes.

Conclusions

The conclusions are grim: SMS registration using one-time codes is no longer an effective way to prevent fake accounts. Yet this method remains one of the most common account verification mechanisms, and many services continue to suffer from bot attacks as a result.

As for the root of the problem—infection of phones—the only truly effective protection is to avoid buying cheap devices made by unknown manufacturers in unknown locations.
