SHARED INTEL: Malware-ridden counterfeit phones place consumers, companies in harm’s way

By Byron V. Acohido

A faked Rolex or Prada handbag is easy enough to acquire on the street in certain cities, and you can certainly hunt one down online.

Now add high-end counterfeit smartphones to the list of luxury consumer items that are being aggressively marketed to bargain-hungry consumers.


While it might be tempting to dismiss the potential revenue lost by Apple, Samsung, HTC and other suppliers of authentic phones, this counterfeit wave is particularly worrisome. The faked phones flooding the market today are slicker than ever. And, increasingly, they come riddled with some of the most invasive types of malware.

This is putting consumers and companies in harm’s way through yet another attack vector – one which gives professional hacking collectives another means to compromise online accounts and break into company networks.

“These devices are not safe to do anything on, and they impact everything they touch,” says Ronan Cremin, chief technology officer at Afilias Technologies, a Dublin-based tech vendor that has a unique view of mobile device usage patterns.

I visited with Cremin at Black Hat USA 2019. For a full drill down of our discussion, give a listen to the accompanying podcast. My takeaways:

Cutting corners

Knock-off smartphones are a much bigger problem than most folks realize. An estimated 180 million counterfeit mobile phones are sold globally each year, representing a potential loss of $50 billion to device manufacturers, according to a study by the EU’s Intellectual Property Office.

Such phones have been around for a few years, and the latest iterations are getting nearly impossible to distinguish from the genuine article, Cremin told me. Packaging is spot on: all expected accessories, including headphones, chargers, cables and user guides are typically included. Outwardly, the look-and-feel is amazing: fit and finish and the user interface are indistinguishable from the genuine article. The big clue that it’s a fake is the asking price, which is typically a tenth or less of what you’d expect to pay.

Ah, but on the inside, that is where all the corners get cut. A favorite sleight-of-hand is to display bogus specs for the make, model, RAM, storage and CPU core. Under the covers, the main components typically will be several generations old.

Afilias has acquired a number of faked phones for research purposes. It found that where there should be a 2019 8-core Snapdragon CPU, the counterfeit device might have a 2015-era 4-core CPU running at a lower frequency coupled with a feeble GPU. As for the operating systems, many of the faked phones on the market today run very old Android distributions, typically versions of Android 4.

Afilias researchers also found that counterfeiters will skin an old Android OS to look exactly like the latest version of Apple’s iOS, complete with a full suite of Apple apps, the control center and notifications panel. Cremin, for instance, recently bought an exact replica of a new, $1,300 iPhone XS Max set up this way for $80, including shipping.

“The motive is profit,” Cremin told me. “These devices can be purchased in batches of 50 by a guy in the states and sold locally on Craigslist or eBay. They’re often sold as an unwanted upgrade for some percentage of the full price, but still enough to allow for a significant profit to be made. That’s what’s driving it; there’s money to be made here.”

Saturated with malware

So what’s the big security concern? Cremin explained it to me this way: The margin for whoever is assembling these faked devices is razor thin, judging from the street cost of $80 for a counterfeit iPhone XS Max. So to pad their profit margin, the counterfeiters have gone into the paid placement malware business. It’s akin to when Windows PC manufacturers cut deals with anti-virus vendors to pre-install AV software on new desktops and laptops.

Afilias is in a prime position to observe all of this unfolding. The company originally started life as dotMobi, the operator of the .mobi top-level domain, which it still operates, along with other prominent TLDs. Along the way, Afilias has also built out a thriving device intelligence business supplying tools and services under the brand name DeviceAtlas. DeviceAtlas is used by the likes of Netflix, Amazon, Flipkart, eBay, PayPal and others to gather intel about the mobile devices their customers use to access their web services.

Counterfeit phones have started regularly turning up in the pool of 65,000 different makes and models of phones Afilias tracks for its customers. And the counterfeit phones Afilias is seeing out in the wild are turning up uniformly riddled with malware.

“We’re not security experts so we asked a security company to examine some devices,” Cremin says. “Their conclusion was if you used one of these phones, you’d already be hacked . . . Every single counterfeit device they examined has had essentially every version of malware you can think of pre-installed, onboard and unremovable, out of the box.”

Play it smart

Usage of counterfeit phones is climbing. Although usage in the U.S., for the moment, is comparatively low, the drivers are in place to accelerate U.S. distribution, Cremin says. The smartphone industry knows this. Smartphone manufacturers have formed a task force under the Mobile and Wireless Forum to counter faked devices, and the International Telecommunication Union (ITU) has a study group dedicated to the threat.

Afilias recently made a new service available to its customers, called DeviceAssure, to enable companies to detect counterfeit phones and take appropriate action. It runs a check to see if a counterfeit device is being used to attempt to access a service, say a banking app. If it is determined to be a counterfeit phone, access is denied and the user is warned that he or she is using an unsafe device and that it should be checked. This is for the protection of both the user and the bank’s back-end servers.

Kudos to Afilias for sharing intel on this and providing its DeviceAtlas customers with a stopgap solution. “I often say that your work colleague’s bargain find on Craigslist, over the weekend, is the beginning of your CSO’s nightmare,” Cremin told me.

It’s clear the exposure we’re talking about here is huge – for anyone buying and using a counterfeit phone, as well as for any of the organizations that person happens to transact with, using that device.

“It’s definitely going to get worse before it gets better,” Cremin told me. “And our advice is to at least equip yourself with the knowledge to make the right decisions.”

He’s right. The solution, at an individual level, is simple: don’t do it. Don’t buy a counterfeit phone. Talk more soon.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.
