Karbonn, Gionee and Samsung clones come pre-loaded with DeathRing Trojan

Security experts at mobile security solutions provider Lookout  have found evidence of a new Chinese trojan which they have discovered pre-loaded onto low-end smartphones popular in third world countries like Vietnam, Indonesia, India, Nigeria, Taiwan, and China, in Asia and Africa. The Lookout researchers have name the trojan as “DeathRing” because the trojan is disguised as a ringtone App.

Lookout says that they have discovered the evidence of pre-loaded DeathRing trojan in Android smartphones and tablets after finding a similar pre-loaded malware called MouaBad earlier this year.


Lookout says that the DeathRing comes with your shiny Android smartphone disguised as a ringtone app but in reality it is a trojan which goes on to download SMS and WAP content from its command-and-control server to the users smartphone.  Once the trojan is in contact with the command and control server, the cybercriminals use your device to phish personal and banking information via fake texts or prompts you to download more malware disguised in APKs.

Lookout says that the malware comes pre-loaded on certain Samsung clones and other Android smartphone brands which are given below and is activated either after the phone is powered down and rebooted five times or after the victim has been ‘away and present’ 50 times.

The malware is activated in two ways — both dependent on the victim’s use of the phone. First, the malware will activate if the phone is powered down and rebooted five times. On the fifth reboot, the malware starts. Second, the malicious service will start after the victim has been away and present at the device at least fifty times.

Smartphones that may come pre-loaded with DeathRing

Lookout says that it is not tracking the supply chain of Android smartphones that have DeathRing installed but has given a list of smartphones which they say come with the pre-loaded Chinese trojan.

  • Counterfeit Samsung GS4/Note II
  • Various TECNO devices
  • Gionee Gpad G1
  • Gionee GN708W
  • Gionee GN800
  • Polytron Rocket S2350
  • Hi-Tech Amaze Tab
  • Karbonn TA-FONE A34/A37
  • Jiayu G4S – Galaxy S4 Clone
  • Haier H7
  • Unspecified Samsung S4 i9502 Clone

The DeathRing seems to come pre-loaded only in clones and low end Android smartphones as per the Lookout study.  Lookout has said that the Anti Virus vendors cant remove this malware since it comes pre-installed in the phone’s system directory however they will warn if you of the presence of the malware. Once made aware of the malware you can approach the smartphone seller for a refund.  Lookout says as a buyer, you should check the origins of the smartphones while buying.  Another indicator of malware being present is that you are running high telecom bills on account of premium SMS services and data downloads.


Please enter your comment!
Please enter your name here