DeathRing

DeathRing is a Chinese Android Trojan first observed in 2014 and still active in 2017. In 2014, it came pre-installed on smartphones popular in Asian and African countries. It presents itself as a ringtone app. The malware activates after the phone is powered down and rebooted five times, and then the malicious service will start after the victim has been away and present at the device at least 50 times. It can download SMS and Wireless Access Protocol (WAP) content from its C2 server to the victim’s phone, and then used for malicious purposes. Attackers can send a fake SMS requesting sensitive data from victims and use the WAP content to coerce them into downloading additional Android Application Packages (APKs) – which could then download additional malware. Most of the infected devices came from third-party vendors selling phones to developing areas and include the following:

• Counterfeit Samsung GS4/Note II
• Various TECNO devices
• Gionee Gpad G1
• Gionee GN708W
• Gionee GN800
• Polytron Rocket S2350
• Hi-Tech Amaze Tab
• Karbonn TA-FONE A34/A37
• Jiayu G4S
• Haier H7
• i9502+ Samsung Clone

Reporting

• December 2014: Trojan came pre-loaded on smartphones. (Lookout)

Technical Details

• Lookout provides technical analysis on the DeathRing Trojan, here.