So just how big a problem is the introduction of malware via the supply chain, in the smartphone market specifically and within IT hardware generally?
Speaking exclusively to SCMagazineUK.com, Chris Boyd, the senior malware intelligence analyst at Malwarebytes, said that there are still very few reports of mobile malware turning up pre-installed on phones, and the biggest threat is always going to come from purchases at markets and places off the beaten track – especially where the seller has physical access to an unboxed device.
"Counterfeit phones would also be at risk from unauthorised programs being installed, so it pays to purchase from verified vendors or the phone maker themselves," he said.
Boyd went on to suggest that while there are too few instances of this happening to be able to spot any real pattern in favoured malware types, "anything with the ability to send premium rate SMS, install additional apps or listen to calls is going to present a serious threat to your privacy and overall security".
Loucif Kharouni, senior threat researcher at Damballa, isn't overly concerned that there is some kind of grand criminal enterprise at work here. "This seems to be the work of some groups who happened to have access to the devices at some point in the chain," he told us, adding that while there is no evidence of organised criminal gangs, "we do not believe it is the work of one-off chancers" either.
Meanwhile, Simon Mullis, global technical lead at FireEye, reckons that the fact that this can occur at all is significant, and that it could be "as a result of deliberate action by the manufacturer or by allowing third-parties to have access to the systems through a failure or lack of process".
Mullis warns that the fact the bad guys seem to have been able to insert themselves into the supply chain between the manufacturer and the end user "suggests a degree of sophistication to their operations."
Whether or not they are opportunistically looking for simple ways to generate revenue does not dictate what they might want in the future. "You cannot estimate risk based on what you think might be the motivations of the attackers in a week's time," he explains, adding: "Certainly, as we see regularly, it's very common for sophisticated – possibly nation-state – threat actors to use whatever tricks they can to hide attribution."
Jim Black, head of product management at Bloxx, wonders whether "gaining access to modify pre-installed apps is most likely to be done by employees who may or may not be willing participants".
If they are willing participants, then they could be acting alone or, more likely, in collaboration with organised criminal gangs who may be paying them to compromise the apps, or they may be acting under duress.
Professor Steven Furnell, a senior member of the IEEE, says there has been growing concern voiced over deliberate spiking in the supply chain, with suspected motivations most commonly linked to data theft.
"In the particular case of smartphones, one would hope that the risk could be mitigated in the way that the G DATA study itself describes – by ensuring that an appropriate security solution is installed to scan the device," he says.
"While one would equally hope that such scanning would already take place at the manufacturer end of things, if there is a bogus intervention later in the supply chain then the user can still end up at risk. Unfortunately, as the G DATA study again observes, if the malicious code is lodged in the firmware then users may initially find themselves rather stuck with it."
This article originally appeared at scmagazineus.com