Malware in the form of info-stealers, rough ad networks, and even ransomware came pre-installed on more than three dozen different models of Android devices.
Researchers with Check Point spotted the malware on 38 Android devices owned by a telecommunications company and a multinational technology company.
The affected devices were as follows:
- Galaxy A5
- Galaxy Note 2
- LG G4
- Galaxy S7
- Galaxy S4
- Galaxy Note 4
- Galaxy Note 5
- Galaxy Note 8
- Xiaomi Mi 4i
- ZTE x500
- Galaxy Note 3
- Galaxy Note Edge
- Galaxy Tab S2
- Galaxy Tab 2
- Oppo N3
- vivo X6 plus
- Nexus 5
- Nexus 5X
- Asus Zenfone 2
- OppoR7 plus
- Xiaomi Redmi
- Lenovo A850
Vendors of electronic devices like smartphones and computers ship out their products with data stored in the ROM. Short for "read-only memory," ROM is a storage medium that keeps its data even when the power is off. It's therefore used to contain important information like basic input and output instructions (BIOS) and firmware updates.
For malware to come pre-installed, the malicious software usually ships out on ROM. But that doesn't mean the vendor is always responsible. Check Point's team elaborates on that point in a blog post:
"The malicious apps were not part of the official ROM supplied by the vendor, and were added somewhere along the supply chain. Six of the malware instances were added by a malicious actor to the device’s ROM using system privileges, meaning they couldn’t be removed by the user and the device had to be re-flashed."
So what does the pre-installed malware do?
Most of the unwanted software is either info-stealers or malicious adnets. For example, one Loki malware variant exploits infected devices by displaying illegitimate advertisements to try to generate revenue for their owners. It also steals information and installs itself on the system, allowing it to achieve persistence.
There were a few notable exceptions among the herd, however. In particular, researchers spotted at least one instance of Slocker. It's a mobile ransomware that employs AES encryption to encrypt all a device's files and demand a ransom for the decryption key.
The short answer: not really. Their best bet is to research a device and vendor thoroughly before they finalize a purchase. Once they've settled on the device, they should purchase it directly from the vendor and not go through a third-party seller.
Instead the onus of protecting against pre-installed malware rests with vendors. Organizations need to secure their supply chains by conducting compliance audits of their suppliers. Using least-privileged models and segregating contractors' roles aren't bad ideas, either.