Another mobile-phone manufacturer has fallen victim to an increasingly common attack in which phones’ memory cards are infected with malware during the manufacturing process and then shipped out to customers. The latest victim is Samsung, which has acknowledged that the microSD cards in a batch of its S8500 Wave mobile phones sold in Germany were infected with an autorun Trojan.
The Samsung incident comes just three months after a similar attack in which the memory cards on a group of HTC Magic handsets distributed in Spain by Vodafone were found to be pre-loaded with the client for the Mariposa botnet. As in the Vodafone incident, the malware pre-loaded on the Samsung phones is generally detected by most anti-malware suites.
The malware loaded on the microSD cards in the S8500 Wave handsets is an autoRun virus that executes automatically if the card is inserted into a PC that has the autoRun feature enabled, according to an analysis by Michael Oryl of MobileBurn.com, who received one of the infected handsets.
It appears that Samsung has accidentally allowed a malware program called slmvsrv.exe onto the 1GB microSD memory card that is shipping with the new bada-powered Samsung S8500 Wave smartphone. This Windows-based application, known as Win32/Heur, appears with an Autorun.inf file in the root of the memory card and will install itself when it is inserted into any Windows PC that has the autorun feature
Oryl notified Samsung of the infection, and the company responded that only the first production run of S8500 Waves shipped to Germany was infected with the malware. However, the company didn’t specify exactly how many handsets that initial production run included.
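The mechanism Oryl describes, an Autorun.inf in the card's root pointing at an executable, can be checked for without running anything on the card. The following Python sketch is an added example, not code from the article or from Samsung; the function names are hypothetical and the Autorun.inf contents are constructed, since the article names the files but does not reproduce them.

```python
import os
import re
import tempfile

# Keys in the [autorun] section that make Windows launch a program.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)

def parse_autorun(text):
    """Return [(key, command)] for launch entries in the [autorun] section."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if LAUNCH_KEY.match(key) and value:
                entries.append((key.lower(), value))
    return entries

def audit_card(root):
    """Inspect the root of a mounted card; reads files only, runs nothing."""
    names = {n.lower(): n for n in os.listdir(root)}
    if "autorun.inf" not in names:
        return []
    with open(os.path.join(root, names["autorun.inf"]), encoding="latin-1") as fh:
        entries = parse_autorun(fh.read())
    findings = []
    for key, command in entries:
        # The program is the first token (or the quoted part) of the command.
        target = command[1:].split('"', 1)[0] if command.startswith('"') else command.split()[0]
        findings.append({"key": key, "target": target, "present_in_root": target.lower() in names})
    return findings

def demo():
    # Constructed sample card: Autorun.inf contents are an assumption.
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "Autorun.inf"), "w") as fh:
            fh.write("[AutoRun]\n; constructed sample\nopen=slmvsrv.exe\n"
                     "shell\\open\\command=slmvsrv.exe\nicon=folder.ico\n")
        open(os.path.join(root, "slmvsrv.exe"), "wb").close()
        return audit_card(root)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A non-empty result on a factory-fresh card is the signal to quarantine it and submit the referenced file for scanning before the card is mounted on a Windows PC.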
Malware targeted at specific smartphone platforms is still a relatively rare phenomenon, but attacks such as those against the HTC and Samsung handsets, in which the malware is pre-loaded on memory cards, are increasingly common. There have been other incidents in which other pieces of malware have been found pre-loaded on USB memory sticks, digital photo frames and other devices not typically thought of as targets for attackers.
For attackers, these types of attack vectors can be an efficient way of getting malware on a large number of devices with a minimum effort. Security experts say these attacks often are executed by attackers paying an employee working in the factory that manufactures the device or memory card, who installs the malware on the devices during the production process. It’s a pay-once, infect-many business model.