Trend Micro researchers at Black Hat Asia made a startling revelation: millions of Android devices worldwide were infected with malicious firmware before the devices were even shipped from their factories (https://www.theregister.com/2023/05/11/bh_asia_mobile_phones/).
In today’s hyper-connected world, where data is the new gold, the protection of data, whether of personal or national importance, has been the prime concern being addressed by most nations worldwide. It is a known fact that devices have their manufacturing outsourced to an original equipment manufacturer (OEM). The research further revealed that the infection with malicious firmware began as a result of cutthroat competition between firmware distributors, which became so frantic that eventually the distributors could not charge money for their product. This situation prompted firmware distributors to find a solution, as a result of which they brought out an undesirable feature: silent plug-ins.
There has always been a buzz about the various techniques and attacks that threat actors perpetrate day in and day out worldwide, in the form of ransomware attacks etc., with the intention of gaining access to data that can be further converted to money. The modus operandi, i.e. the various social engineering techniques by which threat actors manage to gain access to or control of a smartphone, is also a trending issue. However, for me, it was startling, extremely intriguing and scary to understand that millions of Android devices were infected with malicious firmware even before the devices were shipped from their factory. Focusing on the scenario in India, to put it more simply, millions of customers in India have shelled out money and bought brand-new Android devices infected with malicious firmware, and have been using them without being aware of the infection.
The above-mentioned article also states that the plug-ins were found to have a business model built around them, and were sold on the underground and marketed in the open through platforms like Facebook, YouTube, blogs etc., with the objective of stealing data and making money from the data collected or stolen. An even scarier scenario involves one type of plug-in that allows the people who planted it in the devices to rent out the devices for a specific time, permitting the person renting the device to acquire data on keystrokes, geographical location, IP address and lots more, for a cost. In a given scenario, “A” buys and starts using a brand-new Android phone which is already infected with malicious firmware. “B” is the person who planted the malicious firmware on the brand-new Android phone bought by “A”. Thereafter “B”, who has control of the phone being used by “A”, rents out this brand-new phone of “A” to “C” for a specific time period, for money, to enable “C” to collect data of “A”, which could range from card credentials, bank account details, IP address and geographical location to lots more. All of this happens without “A” having any knowledge of it, while “A” is using his phone.
What is a Plug-in?
A plug-in is a software add-on that is installed on a program to enhance its capabilities. In other words, plug-ins are the extras that allow you to experience the internet in innumerable ways, which include images, sound, videos and animation.
Challenges faced by Consumers
Consumers buy smartphones primarily looking at the brand, features and comparative pricing. Hence the consumer buys a brand-new Android device totally unaware of the fact that it is already infected with malicious firmware, and there is no way the consumer is ever going to find out about this until, probably, he or she falls victim to an incident.
There is also a huge risk that the Android device being used by the consumer could be used to perpetrate a cybercrime, with the infected device serving as a zombie to commit the crime. My thoughts wander to a situation where the consumer buys a brand-new Android device without knowing that it is infected with malicious firmware, uses it in the bona fide belief that the device is brand new from the factory and is safe and secure with all the contemporary security features that it possesses, and is totally unaware of the existing malicious firmware in the brand-new device.
Hence, the situation at hand is one where a consumer is being sold a brand-new Android device which was already infected with malicious firmware even before it was shipped from the factory and which, in other words, cannot be assumed to be safe or secure despite being brand new.
Challenges faced by the Government
The rapid technological changes in the smartphone industry certainly demand agility from the Government in adapting and implementing new laws and regulations to protect consumers.
On 20th Dec, 2021, the Bureau of Indian Standards Act (BIS) had issued a notification bearing No. HQ-WB013/1/2020-PUB-BIS (271), establishing certain Indian Standards from 2nd Dec, 2021, which also included:
IS 17737 (Part 3): 2021 Mobile Device Security Part 3 Security Levels
The Govt. of India, Ministry of Electronics and Information Technology (MeitY) had released draft Mobile Security Guidelines on 20th July, 2020, outlining various risks or losses due to security lapses on mobile devices and suggesting that the responsibility of protecting the mobile device, securing the mobile user’s information and preserving privacy lay with the mobile ecosystem entities such as mobile device manufacturers, mobile service providers and users.
Despite all of these visible efforts, my thoughts wander over the fact that, based on the research results mentioned hereinabove, millions of consumers might have bought brand-new Android devices that were infected with malicious firmware even before being shipped from the factory, bona fide believing them to be safe and secure, in violation of “consumer rights” under S. 2 (9) (i) & (ii) of the Consumer Protection Act, 2019, and over the fact that the Central Authority has the powers under S. 18 (2) (a) to suo motu enquire or cause an enquiry or investigation into the violation of consumer rights, and to issue necessary guidelines to prevent unfair trade practices and protect consumers’ interest under S. 18 (2) (l) of the Consumer Protection Act, 2019.
Conclusion
In the light of the above, bearing in mind the stupendous rise in cybercrimes relating to financial fraud, identity theft, data theft etc., coupled with the fact that various brands manufacture, market and sell various models of Android smartphones in India, as the country is a huge market, and bearing in mind the report mentioned hereinabove, in my opinion the onus seems to be very high on the Central Authority, under S. 18 (1) (a) and S. 18 (2) (e), (f), (g), (j) and (l) of the Consumer Protection Act, 2019, to ensure effective enforcement of consumer rights; undertake and promote research in the field of consumer rights; spread and promote awareness of consumer rights; issue safety notices to alert consumers against dangerous, hazardous or unsafe goods or services; and issue necessary guidelines to prevent unfair trade practices and protect consumers’ interest.
I am optimistic that this humble attempt will catch the attention of the decision makers in the appropriate Authority, who will rise in time and implement the provisions of the Consumer Protection Act, 2019, in letter and spirit.
Adv. D. Prem Kamath is a lawyer practicing in the High Court of Kerala, with over 2 decades of standing at the Bar. He is passionate about cybercrimes, cyber security, data privacy, e-commerce, social media, digital marketing and allied fields. He has made an immense impact as an expert with international exposure, providing workshops and training tailored to the targeted audience. He is a regular guest lecturer at academic institutions, law enforcement agencies, the IT industry and corporates, and a speaker at various national and international conferences, seminars and workshops related to cyber law and other allied subjects.