Android devices coming with preinstalled malware

Android devices were infected with malware at some point after leaving the manufacturers, but before landing in the hands of companies' employees.

[Image credit: Family O'Abé]

The phone your company hands you could be targeted at some point and end up with a malware infection, but you wouldn’t expect the malware to be preinstalled “somewhere along the supply chain.” Yet preinstalled malware is precisely what one security vendor found on 38 Android devices.

Check Point Software Technologies did not name the affected companies, saying only that the phones belonged to “a large telecommunications company” and “a multinational technology company.” A good chunk of the infected phones were Samsung models, but phones by Lenovo, LG, Asus, ZTE, Vivo, Oppo and Xiaomi also arrived with malware that had been preinstalled after the devices left the manufacturers but before they landed in the hands of the companies’ employees.

Check Point explained that the malware was “already present on the devices even before the users received them. The malicious apps were not part of the official ROM supplied by the vendor, and were added somewhere along the supply chain. Six of the malware instances were added by a malicious actor to the device’s ROM using system privileges, meaning they couldn’t be removed by the user and the device had to be re-flashed.”

The infected Android devices carried various types of malware, most of them info-stealers and malicious ad networks; Check Point singled out Loki as the most notable. One device came with the mobile ransomware Slocker preinstalled; Slocker encrypts the files on a phone, demands a ransom in exchange for the decryption key, and communicates with its C&C server via Tor.

The malware was not always found in the same app. Check Point included the full list of malware, SHA hashes and affected devices. The list originally included 38 Android devices, but Check Point removed Nexus 5 and Nexus 5X without giving a detailed explanation.
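If you want to run that kind of check yourself, the two facts above are what matter: an APK living on the system partition was put there with system privileges and will survive `pm uninstall`, and a published hash list lets you match what is on the phone against known-bad APKs. The script below is an added example (not code from Check Point or from this article); it takes the text of `adb shell pm list packages -f` and `adb shell sha256sum <paths>` and tells you, for each hit, whether a re-flash is needed or an uninstall will do. The package names, paths and IoC digests in it are constructed placeholders, not Check Point's published hashes.

```python
"""Check an Android package inventory against APK hash IoCs.

Added example (not code from the article or from Check Point). Input is
the text of `adb shell pm list packages -f` (package:<apk path>=<name>)
and of `adb shell sha256sum <paths...>`; the IoC hashes below are
constructed placeholders, not the digests Check Point published.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Partitions baked into the firmware image. An APK here was installed with
# system privileges (by the ROM build or a re-flash somewhere in the supply
# chain): `pm uninstall` cannot remove it, so the remedy is a clean re-flash.
SYSTEM_PREFIXES = ("/system/", "/system_ext/", "/vendor/", "/product/", "/oem/")

PM_LINE = re.compile(r"^package:(?P<path>\S+)=(?P<pkg>[A-Za-z0-9_.]+)$")
SHA_LINE = re.compile(r"^(?P<hex>[0-9a-fA-F]{64})\s+\*?(?P<path>\S+)$")


@dataclass(frozen=True)
class Package:
    name: str
    path: str

    @property
    def on_system_partition(self) -> bool:
        return self.path.startswith(SYSTEM_PREFIXES)


@dataclass(frozen=True)
class Hit:
    package: Package
    sha256: str
    action: str  # "re-flash", "uninstall", or "verify" (no digest available)


def parse_pm_list(output: str) -> list[Package]:
    """Parse `pm list packages -f` output into Package records."""
    packages = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PM_LINE.match(line)
        if m is None:
            raise ValueError(f"unexpected pm output line: {line!r}")
        packages.append(Package(m["pkg"], m["path"]))
    return packages


def parse_sha256sum(output: str) -> dict[str, str]:
    """Parse `sha256sum` output ('<hex>  <path>') into {path: lowercase hex}.

    Paths sha256sum could not read produce an error line instead of a digest;
    those lines are skipped, so the package shows up later as unverified."""
    digests = {}
    for raw in output.splitlines():
        m = SHA_LINE.match(raw.strip())
        if m:
            digests[m["path"]] = m["hex"].lower()
    return digests


def triage(packages: list[Package], digests: dict[str, str], ioc_hashes) -> list[Hit]:
    """Flag packages whose APK digest is an IoC, plus packages we could not hash.

    A hit on a firmware partition needs a re-flash; a hit under /data/app can be
    uninstalled; a package with no digest must be pulled and hashed off-device."""
    iocs = {h.strip().lower() for h in ioc_hashes}
    hits = []
    for pkg in packages:
        digest = digests.get(pkg.path)
        if digest is None:
            hits.append(Hit(pkg, "", "verify"))
        elif digest in iocs:
            action = "re-flash" if pkg.on_system_partition else "uninstall"
            hits.append(Hit(pkg, digest, action))
    return hits


# Constructed sample output (not captured from a real device).
SAMPLE_PM_OUTPUT = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/app/WeatherWidget/WeatherWidget.apk=com.example.weatherwidget
package:/data/app/com.example.flashlight-1/base.apk=com.example.flashlight
package:/data/app/com.example.notes-2/base.apk=com.example.notes
package:/vendor/app/DiagTool/DiagTool.apk=com.example.diagtool
"""

SAMPLE_SHA_OUTPUT = """\
1111111111111111111111111111111111111111111111111111111111111111  /system/priv-app/Settings/Settings.apk
2222222222222222222222222222222222222222222222222222222222222222  /system/app/WeatherWidget/WeatherWidget.apk
3333333333333333333333333333333333333333333333333333333333333333  /data/app/com.example.flashlight-1/base.apk
4444444444444444444444444444444444444444444444444444444444444444  /data/app/com.example.notes-2/base.apk
sha256sum: /vendor/app/DiagTool/DiagTool.apk: Permission denied
"""

# Placeholder IoC digests standing in for a vendor-published hash list.
SAMPLE_IOCS = {"2" * 64, "3" * 64}

if __name__ == "__main__":
    hits = triage(parse_pm_list(SAMPLE_PM_OUTPUT), parse_sha256sum(SAMPLE_SHA_OUTPUT), SAMPLE_IOCS)
    for hit in hits:
        print(f"{hit.action:9} {hit.package.name} ({hit.package.path})")
```

On a real device you would feed the script the output of `adb shell pm list packages -f` and `adb shell sha256sum` over the listed paths, and swap the placeholder set for the vendor's hash list. The "verify" verdict is deliberate: a system APK you could not hash from the shell is not cleared, it is pulled with `adb pull` and hashed off-device before the phone goes back into service.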

The 36 remaining malware-tainted devices included these models:

  • Galaxy Note 2
  • LG G4
  • Galaxy S7
  • Galaxy S4
  • Galaxy Note 8.0
  • Xiaomi Mi 4i
  • Galaxy A5
  • Galaxy S4
  • ZTE x500
  • Galaxy Note 3
  • Galaxy Note Edge
  • Galaxy Note 4
  • Galaxy Tab S2
  • Galaxy Tab 2
  • Oppo N3
  • vivo X6 plus
  • Asus Zenfone 2
  • Lenovo S90
  • Oppo R7 plus
  • Xiaomi Redmi
  • Galaxy Note 5
  • Lenovo A850

Even if users are careful, avoiding risky sites and installing apps only from trusted sources like the Play Store, Check Point said that is not enough to guarantee their security. “Pre-installed malware compromises the security even of the most careful users. In addition, a user who receives a device already containing malware will not be able to notice any change in the device’s activity which often occurs once malware is installed.”

Hopefully you do use a malware scanner on your mobile devices. Keep in mind that not all mobile security apps are created equal.

This last little nugget has nothing to do with Check Point and malware coming preinstalled on Android, but it struck me as funny. ESET malware researcher Lukas Stefanko tweeted:
