Update: Tuesday, 3/14/2017: Check Point originally listed 38 devices, but later dropped the number to 36. Nexus 5 and Nexus 5x were originally on the list of infected phones, but Check Point removed those models without explanation in an update of its blog post.
SophosLabs cited a rising tide of Android-based attacks in its 2017 Malware Forecast last month, and the problem was further illustrated last week in a report that Windows-based malware was making its way into Android apps during development. And now researchers have discovered another security issue: devices shipping with pre-installed malware.
Check Point’s Mobile Threat Prevention team says it detected malware in 36 Android devices belonging to a large telecommunications company and a multinational technology company.
The team said malicious code was already present on the devices even before they were issued to users. Just as the Windows-based malware cited above was introduced during the development process, so were the malicious apps Check Point discovered. Six infections were apparently added to the device’s ROM by bad actors using system privileges.
Most of the sinister apps steal information and display unwanted ads. The malware discovered is well-known to SophosLabs researchers. One is Loki, used by attackers to gain device system privileges. Another is a piece of ransomware known as Slocker, which relies on Tor to conceal the bad guys’ identities.
Check Point didn’t name the affected companies, but it did list the infected devices, which include:
- A Xiaomi Mi 4i and Redmi
- A Galaxy A5, S4 and S7
- A Galaxy Note 2, 3, 4, 5 and 8
- A ZTE x500
- A Galaxy Note Edge
- A Galaxy Tab 2 and S2
- An Oppo N3
- An Asus Zenfone 2
- A Lenovo S90 and A850
- An OppoR7 plus
- An LG G4
The growing threat to Android users was explained in detail last month in Sophos’ malware forecast. SophosLabs analysis systems processed more than 8.5m suspicious Android applications in 2016. More than half of them were either malware or potentially unwanted applications (PUA), including poorly behaved adware.
When the lab reviewed the top 10 malware families targeting Android, Andr/PornClk was the biggest, accounting for more than 20% of the cases reviewed in 2016. Andr/CNSMS, an SMS sender with Chinese origins, was the second largest (13% of cases), followed by Andr/ DroidRT, an Android rootkit (10%), and Andr/SmsSend (8%).
In addition to malware, Android has been found vulnerable to a variety of hacking techniques. In one such case, researchers found that attackers can crack Pattern Lock within five attempts by using video and computer vision algorithm software.
Last week, researchers at Palo Alto Networks discovered 132 Android apps on Google Play tainted with hidden IFrames linking to malicious domains in their local HTML pages. Interestingly, the malware was Windows-based. SophosLabs showed additional research tracing that malware back to a developer who goes by the name Nandarok.
Defensive measures
Though Android security risks remain pervasive, there’s plenty users can do to minimize their exposure.
In the case of the malware discovered by Check Point, a simple piece of advice is to scan a new phone for malware. Though it can make sense for small companies with limited budgets to purchase the devices through cheaper resellers, it’s important to research the sellers to see if they’ve sold problematic technology in the past. Trusted websites and stores remain the safest route of purchase.
In a more general sense and outside of this specific problem, there are some best practices users can follow when buying and using Android apps:
- Stick to Google Play. It isn’t perfect, but Google does put plenty of effort into preventing malware arriving in the first place, or purging it from the Play Store if it shows up. In contrast, many alternative markets are little more than a free-for-all where app creators can upload anything they want, and frequently do.
- Consider using an Android anti-virus. By blocking the install of malicious and unwanted apps, even if they come from Google Play, you can spare yourself lots of trouble.
- Avoid apps with a low reputation. If no one knows anything about a new app yet, don’t install it on a work phone, because your IT department won’t thank you if something goes wrong.
- Patch early, patch often. When buying a new phone model, check the vendor’s attitude to updates and the speed that patches arrive. Why not put “faster, more effective patching” on your list of desirable features, alongside or ahead of hardware advances such as “cooler camera” and “funkier screen”?
Darryl Gittins
“In the case of the malware discovered by Check Point, a simple piece of advice is to scan a new phone for malware. ”
With what? Any recommendations?
Bill Brenner
Hi, Darryl. Speaking for Sophos, we do have a mobile security tool for Android: https://www.sophos.com/en-us/products/free-tools/sophos-mobile-security-free-edition.aspx
It scans apps as you install them, though I’m going to dig a bit deeper and see what your best bet it for scanning a phone out of the box.
charlie@gmail.com
If you really want deep scanning, you can get phone ROM , most popular versions of phone roms are available for download online or on developer sites, scan with multiple scanners or you can inspect binaries manually.
secgauntlet
I hope this is not a “Ta Da” moment for people. I get that the OS may have issues but the Android and iOS apps (approx 70%) have some code issues be it malware or just bad coding. If you are not running one or more AV products on you Smartphone you are just waiting to infect the rest of you computers when you get on your home net or corp net.
rberteig
To use Amazon’s app store, you have to enable installation from everywhere. It is a shame there isn’t a mechanism to provide a limited white-list of allowed stores rather than the existing binary choice between “only Google” and “anywhere at all”.
Robin Tanswell
“attackers can crack Pattern Lock” – by watching the user!!
So what we really mean is that someone shoulder surfing can record you authentication, Think is a rather old vulnerability that effects every device, not just Android, since passwords were invented..
JustUG
article updated for 36 devices, nexus 5 were removed..
Bill Brenner
Thanks, JustUG. I’ll keep updating the story as more fixes come in.
LAS786
Free AVG and Malwarebytes combo been keeping all our personal Apple, Android, Windows and Linux devices clean.
Excellent combo for first (out of the box) scans
Ended up with this combo after years and many vendors getting us infected.
BUT there is no fix or app for stupid actions :-)