36 Android phones distributed by a "large telecommunications company" and a multinational tech firm contained the "severe infection," according to cybersecurity company Check Point Security. They all had malware installed before they even reached the user, enabling the apps to start surreptitiously siphoning off data from the moment the phone was set up.
The majority of the malware was based around personal information catchers and ad network manipulators designed to make money. The most notable of these was Loki, an app that can illegally display adverts to generate revenue. It installs itself deep inside Android to ensure it's always loaded on startup and can't be removed.
The second significant malicious app was Slocker, a mobile ransomware utility. It encrypts personal files found on the target phone using the AES standard. A payment is then demanded before the decryption key is issued. To cover its tracks, the app uses the identity-obfuscating Tor network for all connections to its server.
Popular devices including the Samsung Galaxy Note 3, Note 4, Note Edge and S4, Asus ZenFone, Xiaomi Redmi and Oppo N3 were found with the malware installed. Given the repute of the manufacturers, it's clear the apps weren't installed from the factory. Check Point confirmed that they were added afterwards and are not part of the official software image distributed by the phone companies.
In six cases, the malware was injected later on by a third party before the phone was sold (https://arstechnica.com/security/2017/03/preinstalled-malware-targets-android-users-of-two-companies/). System privileges were used to embed the executable inside Android and prevent the user from removing it. Because the user has insufficient privileges to delete the files, the only option is to wipe the phone's storage and reinstall Android from scratch.
Even this path is only viable if the malware is actually spotted, though. The most dangerous element of preinstalled malware is precisely that it is preinstalled: even the most careful user, who only downloads apps from the Play Store and deletes dodgy emails, could be caught out by this kind of technique. With no reason to suspect that a new phone from one of the world's leading brands is infected, the user may never look for it, and the malware could operate for the device's lifetime if it hides itself well enough.
"Pre-installed malware compromises the security even of the most careful user," said Check Point Security. "In addition, a user who receives a device already containing malware will not be able to notice any change in the device's activity, which often occurs once malware is installed. The discovery of the pre-installed malware raises some alarming issues regarding mobile security."
There is little that can be done to guard against the emerging threat of preinstalled malware. Besides installing a reputable security suite after receiving a new device, the only option is to manually re-flash the operating system before using the phone.
Although many enthusiasts already follow this route, it's not a path suitable for general consumers. Straying too far from official retail channels could become even more hazardous in the next few years if preinstalled malware continues to grow.