Researchers at the Ben-Gurion University of the Negev in Israel detailed a method of doing this in a paper presented at the 2017 Usenix Workshop on Offensive Technologies in Vancouver, Canada, in mid-August.
They said that such attacks were possible, scalable and invisible to most common means used for detection of malicious activity.
The researchers — Omer Shwartz, Amir Cohen, Asaf Shabtai, and Yossi Oren — pointed out that conservative estimates were that there were nearly two billion smartphones in use worldwide.
"An attack which compromises even a small fraction of these smartphones through malicious components will have a rank comparable to that of the largest PC-based botnets."
They tested two devices — the Huawei Nexus 6P and the LG G Pad 7.0 — and in both cases they were able to take control of the phones using the embedded malicious chip.
Exploitation was done through an app which was uploaded to the Google Play Store.
"We note that since the app is designed to exploit a vulnerability that is non-existent under normal conditions, it appears completelybenign when a malicious screen is not present. This enabled our app to overcome malware filters and detectors, including Google Play’s gatekeeper, Google Bouncer," the researchers wrote.
Once the app had gained the ability to execute commands with kernel permissions, it would disable the inbuilt SELinux protection, exfiltrate private data from applications and authentication tokens.
The data could then be sent to a command and control server after which a root shell would be created for the attacker to gain remote access.
"The threat of a malicious peripheral existing inside consumer electronics should not be taken lightly," the researchers said.
"A well-motivated adversary may be fully capable of mounting such attacks in a large scale or against specific targets. System designers should consider replacement components to be outside the phone’s trust boundary, and design their defences accordingly."