Star N9500 firmware shipped Uupay.D
G DATA found Star N9500 smartphones shipping with Android.Trojan.Uupay.D hidden in firmware as a fake Google Play Store app.
Story
The Star N9500 was sold as a cheap Android smartphone resembling a premium device. G DATA bought and analyzed the phone after customer reports, then found Android.Trojan.Uupay.D already integrated into the firmware.
The malware masqueraded as Google Play Store. Because it lived in preinstalled firmware, ordinary users could not remove it. It ran in the background, deleted traces, blocked security updates, and sent personal data to a server in China.
G DATA described broad spyware capability: access to personal data, calls, online banking data, emails, SMS messages, camera and microphone control, and silent installation of additional apps. The distribution path was the device itself, sold through online retailers before the buyer ever installed software.
That makes the Star N9500 record different from a bad app-store download. The compromise was already below the user's normal control plane at first boot, hidden under the identity of a trusted Google component and tied to firmware that buyers could not easily inspect or replace.
Affected Artifacts
Star N9500 firmware
- Observed: 2014-06-16
- Compromised Versions: Unknown
- Fixed: Not listed
- Evidence:
  - mirror: gdatasoftware.com/blog/2014/06/23951-android-smartphone-shipped-with-spyware
  - malware: Android.Trojan.Uupay.D
  - observable: Malware disguised itself as the Google Play Store app.
  - observable: Spyware was integrated into firmware and could not be removed like a normal app.
- G DATA named Star N9500 as the confirmed affected model and said it was sold through online retailers in Europe.
Incident Context
- Motive: Data Theft
- Cause: Firmware Supply Chain Compromise
- Transitive: No
External References
- Android smartphone shipped with spyware (gdatasoftware.com)
Source record: proprietary/star-n9500/meta.yaml