The abundance and variety of low-cost Android phones is one of the reasons that Android has become so popular around the world. Unfortunately, low-priced phones could also mean less operating revenue and thus possibly weaker quality control. Such is the case with a cheap Android phone that costs $110 USD and has a remote access trojan (RAT) preinstalled.

In 2017, researchers at Sophos saw a post on xda-developers.com where a user stated that their security software was constantly complaining about an app called Sound Recorder that was preinstalled on the phone.

To investigate further, Sophos purchased the reported uleFone S8 Pro. When they analyzed the phone, they discovered that the preinstalled Sound Recorder app was actually a malicious variant with capabilities similar to a remote access trojan (RAT) and a backdoor.

While it is not uncommon for phone manufacturers to preinstall software and generate revenue from it, in this case quality control was not adequate to spot that the installed Sound Recorder app was not the legitimate version.

As the comparison image shows, the malicious version had extra code added to it compared to the legitimate version.

Malicious Sound Recorder and Legitimate Version Comparison

While the RAT was running, Sophos stated, it would transmit information to a remote server, including:

The device’s phone number

Location information, including longitude, latitude, and a street address

IMEI identifier and Android ID

Screen resolution

Manufacturer, model, brand, OS version

CPU information

Network type

MAC address

RAM and ROM size

SD Card size

Language and country

Mobile phone service provider

The app also had the ability to perform backdoor functions such as:

Download and install apps

Uninstall apps

Execute shell commands

Open URL in browser (though this function appeared to be a work in progress in the sample we analyzed)

According to a report by Avast, this is not the first time low-cost Android phones have had malware preinstalled on them. In 2016, it was reported that numerous Android phones were shipping with malware, but even after this was reported to the manufacturers, nothing was done.

Similarly, Sophos tried to contact MediaTek, the CPU and firmware manufacturer for the phone, but never heard back.

"We’ve spent the past several weeks trying to reach the company to alert them to these issues, but haven’t received a response despite using multiple methods, repeatedly, to try to contact them."

While this does not mean that people shouldn't buy inexpensive phones, it does mean that buyers need to do more research and know what they are getting into.