
Researchers find 36 Android devices shipping with pre-installed malware

Malicious apps not part of the original ROM, say researchers, but were added somewhere along the supply chain

Update: Tuesday, 3/14/2017: Check Point originally listed 38 devices, but later dropped the number to 36. Nexus 5 and Nexus 5x were originally on the list of infected phones, but Check Point removed those models without explanation in an update of its blog post.

SophosLabs cited a rising tide of Android-based attacks in its 2017 Malware Forecast last month, and the problem was further illustrated last week in a report that Windows-based malware was making its way into Android apps during development. And now researchers have discovered another security issue: devices shipping with pre-installed malware.

Check Point’s Mobile Threat Prevention team says it detected malware in 36 Android devices belonging to a large telecommunications company and a multinational technology company.

The team said malicious code was already present on the devices even before they were issued to users. Just as the Windows-based malware cited above was introduced during the development process, so were the malicious apps Check Point discovered. Six infections were apparently added to the device’s ROM by bad actors using system privileges.

Most of the sinister apps steal information and display unwanted ads. The malware discovered is well-known to SophosLabs researchers. One is Loki, used by attackers to gain device system privileges. Another is a piece of ransomware known as Slocker, which relies on Tor to conceal the bad guys’ identities.

Check Point didn’t name the affected companies, but it did list the infected devices, which include:

  • A Xiaomi Mi 4i and Redmi
  • A Galaxy A5, S4 and S7
  • A Galaxy Note 2, 3, 4, 5 and 8
  • A ZTE x500
  • A Galaxy Note Edge
  • A Galaxy Tab 2 and S2
  • An Oppo N3
  • An Asus Zenfone 2
  • A Lenovo S90 and A850
  • An Oppo R7 plus
  • An LG G4

The growing threat to Android users was explained in detail last month in Sophos’ malware forecast. SophosLabs analysis systems processed more than 8.5m suspicious Android applications in 2016. More than half of them were either malware or potentially unwanted applications (PUA), including poorly behaved adware.

When the lab reviewed the top 10 malware families targeting Android, Andr/PornClk was the biggest, accounting for more than 20% of the cases reviewed in 2016. Andr/CNSMS, an SMS sender with Chinese origins, was the second largest (13% of cases), followed by Andr/DroidRT, an Android rootkit (10%), and Andr/SmsSend (8%).

In addition to malware, Android has been found vulnerable to a variety of hacking techniques. In one such case, researchers found that attackers can crack Pattern Lock within five attempts by using video and computer vision algorithm software.

Last week, researchers at Palo Alto Networks discovered 132 Android apps on Google Play tainted with hidden IFrames linking to malicious domains in their local HTML pages. Interestingly, the malware was Windows-based. SophosLabs showed additional research tracing that malware back to a developer who goes by the name Nandarok.

Defensive measures

Though Android security risks remain pervasive, there’s plenty users can do to minimize their exposure.

In the case of the malware discovered by Check Point, a simple piece of advice is to scan a new phone for malware. Though it can make sense for small companies with limited budgets to purchase the devices through cheaper resellers, it’s important to research the sellers to see if they’ve sold problematic technology in the past. Trusted websites and stores remain the safest route of purchase.
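One way to act on this advice before a device is issued, as an added example (not from Check Point or Sophos): compare the packages pre-installed on a new phone against a known-good list for the same model and build, and flag anything extra. The sample `adb shell pm list packages -f -s` output, the package names and the baseline are all constructed for illustration.

```python
# Added example: flag pre-installed packages missing from a known-good baseline.

# Constructed sample of `adb shell pm list packages -f -s` output from a new device.
DEVICE_OUTPUT = """\
package:/system/app/Calculator/Calculator.apk=com.example.calculator
package:/system/priv-app/Settings/Settings.apk=com.example.settings
package:/system/priv-app/Updater/Updater.apk=com.example.fota.updater
package:/system/app/Flashlight/Flashlight.apk=com.example.flashlight
package:/data/app/~~Zm9v==/com.example.mail-YmFy==/base.apk=com.example.mail
"""

# Constructed baseline: package names taken from a reference image of the
# same model and build (assumption: you have such a reference to compare with).
BASELINE = {
    "com.example.calculator",
    "com.example.settings",
    "com.example.mail",
}


def parse_packages(text):
    """Return {package_name: apk_path} from `pm list packages -f` output."""
    packages = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        # Split on the LAST '=': install paths can contain '=' themselves.
        path, sep, name = line[len("package:"):].rpartition("=")
        if sep and name:
            packages[name] = path
    return packages


def unexpected_packages(device_text, baseline):
    """List (name, path, level) for packages absent from the baseline."""
    findings = []
    for name, path in sorted(parse_packages(device_text).items()):
        if name not in baseline:
            level = "privileged" if path.startswith("/system/priv-app/") else "standard"
            findings.append((name, path, level))
    # Review privileged additions first: they hold system-level permissions.
    findings.sort(key=lambda f: f[2] != "privileged")
    return findings


if __name__ == "__main__":
    for name, path, level in unexpected_packages(DEVICE_OUTPUT, BASELINE):
        print(f"[{level}] {name} -> {path}")
```

A matching package name does not prove the APK is unmodified, so a fuller check would also compare file hashes against the reference image.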

In a more general sense and outside of this specific problem, there are some best practices users can follow when buying and using Android apps:

  • Stick to Google Play. It isn’t perfect, but Google does put plenty of effort into preventing malware arriving in the first place, or purging it from the Play Store if it shows up. In contrast, many alternative markets are little more than a free-for-all where app creators can upload anything they want, and frequently do.
  • Consider using an Android anti-virus. By blocking the install of malicious and unwanted apps, even if they come from Google Play, you can spare yourself lots of trouble.
  • Avoid apps with a low reputation. If no one knows anything about a new app yet, don’t install it on a work phone, because your IT department won’t thank you if something goes wrong.
  • Patch early, patch often. When buying a new phone model, check the vendor’s attitude to updates and the speed at which patches arrive. Why not put “faster, more effective patching” on your list of desirable features, alongside or ahead of hardware advances such as “cooler camera” and “funkier screen”?


 

9 Comments

“In the case of the malware discovered by Check Point, a simple piece of advice is to scan a new phone for malware. ”

With what? Any recommendations?

Reply

Hi, Darryl. Speaking for Sophos, we do have a mobile security tool for Android: https://www.sophos.com/en-us/products/free-tools/sophos-mobile-security-free-edition.aspx

It scans apps as you install them, though I’m going to dig a bit deeper and see what your best bet is for scanning a phone out of the box.

Reply

If you really want deep scanning, you can get the phone ROM; most popular versions of phone ROMs are available for download online or on developer sites. Scan with multiple scanners, or you can inspect binaries manually.

Reply

I hope this is not a “Ta Da” moment for people. I get that the OS may have issues but the Android and iOS apps (approx 70%) have some code issues, be it malware or just bad coding. If you are not running one or more AV products on your smartphone you are just waiting to infect the rest of your computers when you get on your home net or corp net.

Reply

To use Amazon’s app store, you have to enable installation from everywhere. It is a shame there isn’t a mechanism to provide a limited white-list of allowed stores rather than the existing binary choice between “only Google” and “anywhere at all”.

Reply

“attackers can crack Pattern Lock” – by watching the user!!
So what we really mean is that someone shoulder surfing can record your authentication. This is a rather old vulnerability that affects every device, not just Android, since passwords were invented.

Reply

Free AVG and Malwarebytes combo has been keeping all our personal Apple, Android, Windows and Linux devices clean.
Excellent combo for first (out of the box) scans
Ended up with this combo after years and many vendors getting us infected.
BUT there is no fix or app for stupid actions :-)

Reply
