How does malware find its way on to Android smartphones and tablets?
By some margin, it’s by way of Google’s Play Store, which despite repeated efforts to clean it up remains a recurring source of dodgy apps that sit somewhere between suspiciously misleading and downright malicious.
But according to a Black Hat presentation by Google Project Zero researcher Maddie Stone, there’s another route that’s nearly impossible for users to defend themselves against – malicious apps that have been factory pre-installed.
It starts with the sheer number of apps that now come with Android devices out of the box – somewhere between 100 and 400.
Criminals only need to subvert one of those, which has become a particular problem for cheaper smartphones using the Android Open Source Platform (AOSP) as opposed to the licensed ‘stock’ Google version that powers better-known brands.
Chamois botnet
She cited several instances encountered while doing her old job on Google’s Android Security team, including an SMS and click fraud botnet called Chamois which managed to infect at least 21 million devices from 2016 onwards.
The malware behind it proved harder to defeat than anticipated, in part because the company realised in March 2018 that in the case of 7.4 million devices the infection had been pre-installed in the supply chain.
Google was able to reduce pre-installed Chamois to a tenth of that level by 2019 but, unfortunately, Chamois was only one of several supply chain security issues it uncovered.
Others included 225 device makers either leaving diagnostic software on devices offering backdoor remote access, modified Android Framework code allowing spyware-level logging, or installing apps that had been programmed to bypass Google Play Protect (GPP) security.
Some of this was inadvertent, a case of OEMs messing around with settings to make their lives easier, but it was dangerous enough for Google to assign the issue a CVE number and release a software fix that outlawed the bypass in early 2019.
Supply chain complexity
The issue of supply chain malware has been rumbling away at a low level for some time, but this is the first time someone from Google has drawn attention to the issue in so much detail.
As Stone admits, stopping the problem is tougher than achieving the same thing for rogue apps that make it on to the Google Play Store, because detection must happen at a lower level beyond the knowledge of traditional security apps.
It’s also an inherent part of the complex OEM Android supply chain – contrast that with Apple, which controls the entire process for its iPhone.
With the cat now out of the bag regarding supply chain attacks on Android, Stone would like to see more third-party research into this software layer.
While a useful suggestion, this shouldn’t distract us from the fact that most users are still more likely to encounter bad apps in the one place many assume they won’t – Google’s Play Store.
joe hall
My phone was ruined with these stupid “software” updates which have NEVER ever improved any phone I’ve ever had in fact quite the opposite and there exists NO customer service on any level anymore either this forces us to keep buying new phones.
Laurence Marks
Just replace the software in your phone with Lineage. Lineage is available, free, for most popular phones. Lineage actually fixes bugs, rather than introducing them. If you report a reproducible bug, it will likely be fixed promptly.
Paul Ducklin
I am myself a happy LineageOS user. It’s definitely worth a look.
Assuming that your phone is supported and that the firmware can readily be unlocked… that’s why I mentioned checking out the unlockability status of the exact model you are thinking of getting. You might also want to look it up on the official LineageOS list too.
For example, I have two research phones: a Samsung Galaxy SIII GT-I9300 (International) – a mouthful of a model specifier – and it’s easy to unlock but is no longer officially supported by LineageOS. I have Android 9 on it but have to use an “unofficial” build from the Lineage source code. And I have a Nokia One, for which a special trick is needed to unlock and which needs a modified firmware file to fit its limited disk space. If I were going shopping now for a cheap (read: second hand) phone I wouldn’t pick either of those, even though they run Android 9 fine after a bit of fussing around.
For those readers who may have heard of Cyanogenmod in the past (it used to be a very popular alternative free version of Android)… that project is now known as LineageOS so it has a solid history.
Anonymous
It is not always easy. I am using LG G6 and Huawei P10, both have locked bootloader. Huawei have stopped bootlock unlock back in 2018. And my LG G6 is also not on list of supported devices to be unlocked. I personally like custom firmware like MIUI, ColourOS or FlymeOS. But I can’t install, unless I pay to unlock bootloader.
cvnk
I’d love to but it doesn’t run on the very popular Note 4 for some reason
Robert Eamonn Sherman
I hope you update your security patches more frequently than your artwork…what is that supposed to be an HTC Dream? What modern Android even remotely resembles that? In today’s 2 second attention span world, I would imagine tons of readers look at that and think ‘outdated’ and move on without reading. Today every image matters.
Robert Eamonn Sherman
My bad…It’s a rendering of a Nexus 1
Paul Ducklin
Actually, it’s a generic mobile device of a generic age. One important thing to remember is that an enormous number of Android users out there *aren’t* using the latest and greatest hardware, even if they bought it recently, because they’re living in the developed world where disposable incomes are typically much lower than they are “in the West.”
Anyway, that image looks nothing like a Nexus 1 – the curves are in the wrong place. Looks more like an iPhone 6, to me. I say that because I still have one and it is still working just fine.
Robert Eamonn Sherman
I agree it does resemble an iPhone, nice to know it still works for you. It doesn’t resemble any Androids in recent or distant memory. Googling generic Android comes up with dozens of better, rights released options… While it is refreshing to read a book that actually isn’t grammatically impaired, the idea was to point out a lack of attention to detail in a humorous way. Being just as not literal and in the general ballpark as the image I’m lampooning in the comment… If that makes sense.
Paul Ducklin
It resembles one of my Android research phones very closely indeed – a Samsung Galaxy SIII GT-I9300, currently running LineageOS Android 9.0 (July 2019) just fine.
The idea of a generic image of the sort we used here is that it’s supposed to look generic, lest someone jump to the conclusion that it is meant to denote a specific model. There is no “lack of attention to detail” at all. If we intended to depict a specific, current device we would have… well, we’d have specified it.
Think of it like the railway train you see on road signs – it doesn’t mean “the train”, or even really “a train”. It actually stands for, “Trains, wow they are BIG and HEAVY and will CRUSH your car with ease; you know perfectly well what we are conveying here.” (The UK road sign still depicts a 4-6-0 steam locomotive with a big puff of smoke trailing from its chimney. Think of it as a message that is perfectly clear – timeless, entirely clear, and immune from being anachronistic.)
Peggy Armstrong
Not everyone can afford the new phones.
Burnt before
Some time back, and possibly still now, this was a problem with 3rd party tablets from China. The malware was dubbed Cloudsota, and managed to slip under the radar as far as media coverage went, but attracted a lot of attention from affected users since the tablets were plagued with issues (including constant injection / bombardment of ads) baked into the customised OS.
I bought one of the affected tablets from eBay, played with it for a while (not realising the problem at first, and then struggling to find any info on it) and finally lodged a complaint with the seller. That was ignored. So I complained to eBay about it, and shortly after the seller contacted me to say hey, here’s your money back, not admitting any fault just feel bad that you’re unhappy, basically. When I checked the tablet again, the malware had self-destructed and very little of it was left.
I raised it as an issue with eBay’s Trust and Safety Team; no idea what happened after that.
Ginny Staubach
What can we, the end-users, do about this?
Paul Ducklin
Dig around on your favourite search engine for a bit – see what other people think of the models you have in mind. Try before you buy in a mobile phone shop – see how many built-in apps there are. Go to Settings → Apps and notifications → See all N apps and check how many apps there are that can’t be removed. (When you drill down into an app’s App info page you will see buttons something like [Uninstall] [Force stop] for apps that you aren’t forced to keep, or [Disable] [Force stop] for “non-uninstallable” built-ins that can be temporarily turned off but not actually uninstalled. The more apps you can uninstall without hackerish tricks, the less bloatware you will need to live with forever.)
If you’re really keen, and a bit technical (or know someone who is) you could visit one of the popular Android developer forums (e.g. XDA) to see if there are unofficial firmware ROMs for the model you’re interested in buying.
I’m not directly advocating or even suggesting that you buy a phone specifically to rip out the vendor’s firmware and replace it with a home-made version – that can end in security disaster all by itself if you aren’t careful – but if the model you buy can be unlocked, reflashed and rooted easily then at least you know that there is *some* way to get rid of vendor content you don’t like, even if it needs a bit of, ahem, hacking. (As long as you have permission – and if the phone is yours, you can give it to yourself – and are willing to take the risk that you might end up with a bricked phone, i.e. ruined and non-functional, Android hacking can be both easier and more fun than you might first think. But you need to check the unlock/reflash/rootability status for the exact model you want to buy. Try Settings → About or look on the barcode label on the box the phone ships in if you can access one.)
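The app count described in the comment above can also be taken over USB debugging. This is an added example, not part of the original comment or article: it parses saved output of `adb shell pm list packages -f -s` (packages carrying the system flag) and groups them by partition. The sample lines are constructed, and treating system-flagged packages as the “Disable-only” built-ins is an assumption.

```python
from collections import Counter

# Constructed sample of `adb shell pm list packages -f -s` output
# (illustrative package names, not taken from a real device).
SAMPLE_SYSTEM = """\
package:/system/app/Calc/Calc.apk=com.example.calc
package:/system/priv-app/Setup/Setup.apk=com.example.setup
package:/vendor/app/Diag/Diag.apk=com.example.vendor.diag
package:/product/app/Store/Store.apk=com.example.store
package:/data/app/~~Zm9v==/com.example.browser-YmFy==/base.apk=com.example.browser
"""


def parse_pm_list(text):
    """Return (apk_path, package_name) pairs from `pm list packages -f` output."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue  # skip blank lines and shell warnings
        body = line[len("package:"):]
        # Paths under /data/app can themselves contain '=',
        # so the package name is whatever follows the LAST '='.
        path, sep, name = body.rpartition("=")
        if sep and path and name:
            entries.append((path, name))
    return entries


def summarise(text):
    """Count system-flagged packages per partition and flag notable ones."""
    entries = parse_pm_list(text)
    by_partition = Counter(p.lstrip("/").split("/")[0] for p, _ in entries)
    return {
        "total": len(entries),
        "by_partition": dict(by_partition),
        # priv-app packages are eligible for privileged permissions.
        "privileged": sorted(n for p, n in entries if "/priv-app/" in p),
        # System apps that received an update now run from /data.
        "updated_system": sorted(n for p, n in entries if p.startswith("/data/")),
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_SYSTEM).items():
        print(f"{key}: {value}")
```

Comparing the `total` figure between candidate models gives the same bloatware comparison as counting by hand in Settings.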
Anonymous
Thanks for your helpful response, Paul.
Paul Ducklin
No problem. Glad you found it useful, even though it’s more of a technical hand-waving comment than a step-by-step guide.
Ronin
Thanks for the informative and helpful write-up! You did a good job defining your acronyms, except perhaps for the most important one. “OEM” occurs twice in this article without being associated with “original equipment manufacturer”, which, after a Google search, I’m pretty sure must be what you meant.
Jeff
Any thoughts on international versions of stock firmwares and any intentional preinstalled malware and back-doors varying by the country it’s made for? China vs. the USA vs. Greece for example.
cvnk
What exactly is preventing cell phones (or more accurately: pocket computers) from evolving the way PCs did in the 80’s? As completely open platforms that device owners have total control over to install whatever OS they like?
Is it the phone manufacturers? Are they doing everything they can to avoid IBM’s “mistake” that cost them their exclusive dominance in the PC market? Is it the service providers’ fault?
Paul Ducklin
“All of the above”, I guess. IBM famously published the source code of its PC ROM (I bought a copy of the assembler language printout for the PC-AT, and very helpful it was for understanding malware of the day) in the hope that it would let them pursue copycats more easily… “you must have copied it and, look, it’s copyrighted as you see right here.”
When the PS/2 came out it had a different approach – notably that IBM tried to control carefully what addon hardware boards you could use in its Microchannel bus architecture – but it made the product less flexible, more expensive and harder to use. So the PS/2 was as much of a failure as the PC-XT and PC-AT were runaway successes.
That was then…
By now, hardware technology has advanced to make low-cost tamper protection and anti-reversing protection much stronger to the point that even commodity devices like phones can be locked down firmly (e.g. that notorious “San Bernardino” iPhone), so it’s actually worth trying to build a consumer business around a “jail-style” model.
Lastly, there are some strict regulatory issues in the telecommunications market that make some parts of the system more controversial for vendors to make easily modifiable.
So the jail-style/firmware-locked model of modern consumer computing devices – such as phones, set-top boxes, satnavs and so on – no longer seems to hurt the vendor’s commercial results (as it did when IBM tried the PS/2), while actually having some security advantages (phones do make pretty decent 2FA tokens these days). That’s the economic and social equilibrium most users seem to have settled into.
For everyone else, there are perfectly reputable “locked” phones on the Android market that the vendor *will* allow you to unlock (mostly if not entirely) by official means, if hacking and experimenting is your thing. Many people do, but most do not – and that’s where the market sits ATM.
Laurence Marks
> “What exactly is preventing cell phones (or more accurately: pocket computers) from evolving the way PCs did in the 80’s?”
Actually, it’s concern that users will tamper with cellular settings (e.g., power settings) that would disrupt all the other users in the vicinity. Consider someone who is regularly in an oversubscribed cell area and frequently drops calls. The individual tampers with the transmit power settings to get more bandwidth but knocks other users off the air. This is particularly the case where CDMA is in use.
You will find that it’s difficult to mess with corresponding settings on wired ethernet cards for the same reasons.
Interestingly, it’s fairly easy to “adjust” those settings in routers that have been “updated” with open-source code like DD-WRT and OpenWrt. That’s probably because the signals have such short range that they are unlikely to affect others (unless you are in a Multi-Tenant Dwelling unit).