Malware Found Pre-Installed on Xiaomi, Huawei, Lenovo Phones [pdf] (public.gdatasoftware.com)
146 points by howaboutit 3940 days ago
8 comments

When I worked for a company that distributed malware (mostly desktop, but trying to break into mobile), we had relationships with a few people who would buy up android devices in bulk and then charge money to companies like ours to have our apps pre-installed. You could pay extra to have the app baked into a custom rom to make it non-removable.

The business model from our end is we'd find app developers who are willing to pay X amount per install (a conversion was usually tracked by the first time an end user opens the app), and then we pay Y amount per install to a shady phone re-seller to bake that app into the rom of their latest batch of phones. As long as X is sufficiently higher than Y to account for whatever our conversion rate is, we make our money back plus profits as the app developer pays us for conversions.

The shady re-sellers would take their phones with new roms and either sell direct to consumer or, in the case of the bigger guys, move those phones on to a big-box retailer.

Instead of paying 10-30% of your sleazy revenue to the middle man, why not offer one payment to the QA manager at the factory?

Ironically, the same economics that make it worthwhile to manufacture in country X also make it very cheap to bribe in country X (e.g. the guy who would drive to Eastern Europe to buy Pez dispensers at the factory for collectors).

That's the kind of suggestion that would get you ahead quickly at a company like that (assuming you were also willing to personally follow through with it).

This seems to be the report referred to in the linked article: https://public.gdatasoftware.com/Presse/Publikationen/Malwar...

It's interesting that the report states

"The G DATA security experts are certain that the manufacturers are not the perpetrators in the majority of cases. Renowned companies will not risk their reputation by distributing malware in the firmware."

Manufacturers have no qualms about installing bloatware and even spyware onto laptops. It would be interesting to know what standards, if any, are used to sift out the malware from potential bloatware candidates.

Clearly the author does not consider Lenovo to be a "Renowned company" given that they have form for doing that very act. Twice.
While SuperFish was a security risk, it wasn't "malware"; there is a difference between various really stupid and blatant backdoors and other security risks and actual malware.

Lenovo didn't use it to steal users' data; they couldn't care less about it. But someone could abuse it to compromise users, both by compromising SuperFish itself and by exploiting the fact that SuperFish would issue certificates for SSL websites even if the original certificate wasn't valid, which would allow attackers to MITM SSL connections.

Sony also distributed software that could be classified as a backdoor or rootkit on its CDs as DRM; many other companies have had similar incidents.

While it's a stupid practice and quite unfair to your customers, you can't really call it malicious, since they didn't really use it for that; they just never thought it quite through or didn't care enough in the first place.

The packages in this case seem to be actual malware and not some adware/unwanted software installed by the vendors which, while it might be a security risk, wasn't intended to actually compromise the user.

Keyword:

com.facebook.katama

Android.Monitor.Gsyn.B

Android.Trojan.Andup.D 1-AP6YWG

This is a mostly false report, because at least Xiaomi doesn't have any Facebook app pre-installed. Just a bunch of MIUI crapware.

Affected models are Huawei G510, Lenovo S860, Xiaomi MI3 (and 18 other ignored models not mentioned in the title), which date back to as early as 2012, in the Android 4.0 age I assume. Pretty good Craigslist deal to get their second-hand phones tested for a 2015 security report. Hey, their "security expert" might even have done a double wipe and factory reset in recovery!

Different phones, different regions, different vendors.

Could just as easily be a supply chain issue where a reseller decided to make some money on the side, could be censorship-related crap mandated by the Chinese government for local usage leaking into export phones, could be someone on Craigslist, could be completely fabricated.

However the fact that some phones didn't come with it doesn't mean much either.

As far as the Facebook app goes:

AVG has some reports on it http://www.avgthreatlabs.com/ww-en/android-app-reports/app/c...

Mentioned in Google Groups https://groups.google.com/forum/#!searchin/ugs-support/katam...

Was removed from Google Play http://www.bestappsmarket.com/p/app?appId=1588222&title=com-...

Someone with a Xiaomi MI3 phone complaining that that app takes up 22% of his battery http://www.htcmania.com/showthread.php?t=872251

Questions about it dating to 2014 http://www.quora.com/Why-is-the-Facebook-app-package-name-in...

Seems that the original code name for the Facebook app was Katana, so using katama instead is akin to registering www.worldofworcraft.com for your phishing domain.

So while this whitepaper might be overblown and pure marketing it seems that there's some truth behind this.
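The comment above makes the point that com.facebook.katama is a one-letter lookalike of the real package name com.facebook.katana, the same trick as a typosquatted phishing domain. The script below is an added example (not code from the thread or from G DATA) of how a defender can screen an installed-package list for such near-miss names. It assumes the `package:<name>` line format printed by `adb shell pm list packages`; the sample output and the small allowlist of known-good package names are constructed for the example, not a vetted list.

```python
"""Flag installed Android package names that are near-miss copies of
well-known packages (e.g. com.facebook.katama vs com.facebook.katana)."""

# Allowlist of package names the reviewer trusts. Constructed for this
# example: com.facebook.katana is the real name discussed in the thread,
# the rest are illustrative and would come from the device's reference image.
KNOWN_GOOD = {
    "com.facebook.katana",
    "com.android.vending",
    "com.google.android.gms",
    "com.whatsapp",
}

# Constructed sample of `adb shell pm list packages` output, including the
# lookalike package named in the thread.
SAMPLE_PM_OUTPUT = """\
package:com.android.vending
package:com.facebook.katama
package:com.google.android.gms
package:com.miui.weather2
package:com.whatsapp
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,          # delete ca
                           cur[j - 1] + 1,       # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def parse_pm_list(text: str) -> list[str]:
    """Extract package names from `pm list packages` output lines."""
    pkgs = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            pkgs.append(line[len("package:"):])
    return pkgs


def find_lookalikes(packages, known_good=KNOWN_GOOD, max_distance=2):
    """Return (installed, known_good, distance) for every installed package
    that is not on the allowlist but sits within `max_distance` edits of
    an allowlisted name. Exact allowlist matches are never reported."""
    findings = []
    for pkg in packages:
        if pkg in known_good:
            continue
        for good in sorted(known_good):   # sorted for deterministic output
            d = levenshtein(pkg, good)
            if 0 < d <= max_distance:
                findings.append((pkg, good, d))
    return findings


if __name__ == "__main__":
    for pkg, good, d in find_lookalikes(parse_pm_list(SAMPLE_PM_OUTPUT)):
        print(f"SUSPICIOUS: {pkg} is {d} edit(s) from trusted {good}")
```

Treat a hit as a review trigger, not a verdict: legitimate sibling packages can also sit within two edits of each other (com.google.android.gms and com.google.android.gsf, for instance), so the decisive check is the APK's signing certificate against the vendor's published one, not the name alone.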

Thanks. We changed the URL from http://au.idigitaltimes.com/malware-found-pre-installed-xiao..., which points to this.
Cool thanks dang!
Well, this is a whitepaper from a company that wants to sell you mobile AV software... so IMO some independent verification (or better proof than what's in this PDF) would be good. Not that I doubt this goes on.
The comment above ("Rudism") appears to be exactly that.
A random comment is not an "independent verification"
In most cases it is most certainly the vendors who install custom ROMs before shipping to overseas customers. Anyone who has ever bought grey-import Chinese phones should be familiar with this; flashing official or custom ROMs yourself is a necessity.
What's with security articles being in notoriously insecure PDF format? Can people not export HTML?
Pretty light on technical details. I'll see if I have time over the next few days to pull one or two of the ROMs apart.
Lenovo..