We always warn Android smartphone owners about the dangers of downloading and installing apps from third-party and unknown sources since they can be vectors for malicious software and spying apps.
But what if these types of malware already come pre-installed on your smartphone?
Late last year, preinstalled spyware was found on 700 million BLU branded Android phones that sent data to a server in China without user knowledge.
Recently, security researchers from Check Point detected severe malware infections in 36 Android gadgets belonging to a “large telecommunications company and a multinational technology company.”
The security firm stated that although this practice is not unusual, it is alarming that the malicious apps were installed even before the users received the smartphones. This means these apps, which were not part of the phone’s official ROM, were “added somewhere along the supply chain” between the phone vendors and the users.
Additionally, six of the malicious apps were found to have been added to the device’s ROM using system privileges, so they can’t be uninstalled by the user. Their removal requires a full re-flash of the device firmware.
“Most of the malware found to be pre-installed on the devices were info-stealers and rough ad networks,” Check Point warned, identifying the ad-bot malware Loki as the most notable of the bunch.
According to Check Point’s post:
“The most notable rough adnet, which targeted the devices is the Loki Malware. This complex malware operates by using several different components; each has its own functionality and role in achieving the malware’s malicious goal. The malware displays illegitimate advertisements to generate revenue. As part of its operation, the malware steals data about the device and installs itself to system, allowing it to take full control of the device and achieve persistency.”
Here’s the list of the corporate Android devices that Check Point found to have the corresponding malware pre-installed:
- Asus Zenfone 2 – com.google.googlesearch
- Google Nexus 5 – com.changba (removed from list)
- Google Nexus 5 – com.mobogenie.daemon (removed from list)
- Google Nexus 5X – com.changba (removed from list)
- Lenovo A850 – com.androidhelper.sdk
- Lenovo S90 – com.google.googlesearch
- Lenovo S90 – com.skymobi.mopoplay.appstore
- LG G4 – com.fone.player1
- Oppo N3 – com.android.ys.services
- Oppo R7 Plus – com.example.loader
- Samsung Galaxy A5 – com.baycode.mop
- Samsung Galaxy A5 – com.android.deketv
- Samsung Galaxy Note 2 – com.fone.player0
- Samsung Galaxy Note 2 – com.sds.android.ttpod
- Samsung Galaxy Note 3 – com.changba
- Samsung Galaxy Note 4 – com.kandian.hdtogoapp
- Samsung Galaxy Note 4 – com.changba
- Samsung Galaxy Note 4 – air.fyzb3
- Samsung Galaxy Note 5 – com.ddev.downloader.v2
- Samsung Galaxy Note 8.0 – com.kandian.hdtogoapp (amended by Check Point from Note 8)
- Samsung Galaxy Note Edge – com.changba
- Samsung Galaxy Note Edge – com.mojang.minecraftpe
- Samsung Galaxy S4 – com.lu.compass
- Samsung Galaxy S4 – com.kandian.hdtogoapp
- Samsung Galaxy S4 – com.changba
- Samsung Galaxy S4 – com.changba
- Samsung Galaxy S4 – com.mobogenie.daemon
- Samsung Galaxy S7 – com.lu.compass
- Samsung Galaxy Tab 2 – com.armorforandroid.security
- Samsung Galaxy Tab S2 – com.example.loader
- Vivo X6 Plus – com.android.ys.services
- Xiaomi Mi 4i – com.sds.android.ttpod
- Xiaomi Redmi – com.yongfu.wenjianjiaguanli
- ZTE X500 – com.iflytek.ringdiyclient
Note: We updated this list to reflect the changes Check Point made to their original list. All Nexus devices were removed and the Samsung Galaxy Note 8 was changed to Samsung Galaxy Note 8.0 (an Android tablet).
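The package names in the list above can be used directly as indicators. As an added example (not code from the article or from Check Point), the POSIX shell script below checks a device’s installed-package dump, as produced by `adb shell pm list packages -f`, against those names and reports for every hit whether the APK lives under /system, where, as noted above, the user cannot uninstall it. The script name check_preinstalled.sh and the sample package dump are constructed for illustration; a name match is a lead to investigate, not proof of infection.

```shell
#!/bin/sh
# check_preinstalled.sh: added example, not from the article or Check Point.
# Compares a `pm list packages -f` dump against the package names in the
# article's list and flags whether each hit is a system (firmware) package.
#
# Live use: adb shell pm list packages -f > packages.txt
#           sh check_preinstalled.sh packages.txt
# With no argument the script runs against the constructed sample below.

# Package names from the Check Point list reproduced in the article.
SUSPECT_PACKAGES="
com.google.googlesearch
com.changba
com.mobogenie.daemon
com.androidhelper.sdk
com.skymobi.mopoplay.appstore
com.fone.player1
com.android.ys.services
com.example.loader
com.baycode.mop
com.android.deketv
com.fone.player0
com.sds.android.ttpod
com.kandian.hdtogoapp
air.fyzb3
com.ddev.downloader.v2
com.mojang.minecraftpe
com.lu.compass
com.armorforandroid.security
com.yongfu.wenjianjiaguanli
com.iflytek.ringdiyclient
"

# check_packages: reads `pm list packages -f` lines on stdin, which look like
#   package:<apk path>=<package name>
# and prints "<package> <apk path> <system|user>" for each suspect package.
# An APK under /system was baked into the firmware image and cannot be
# uninstalled by the user; an entry under /data/app is a user-removable app.
# Carriage returns are stripped because adb on some hosts emits CRLF lines.
check_packages() {
  tr -d '\r' | while IFS= read -r line; do
    case "$line" in
      package:*=*) ;;
      *) continue ;;
    esac
    entry=${line#package:}
    pkg=${entry##*=}     # text after the last '='
    apk=${entry%=*}      # text before the last '='
    for suspect in $SUSPECT_PACKAGES; do
      [ "$suspect" = "$pkg" ] || continue
      case "$apk" in
        /system/*) location=system ;;
        *)         location=user ;;
      esac
      printf '%s %s %s\n' "$pkg" "$apk" "$location"
    done
  done
  return 0
}

# Constructed sample of `pm list packages -f` output (not from a real device):
# one legitimate system app, one suspect system app, one suspect user app and
# one unrelated user app.
SAMPLE_PM_OUTPUT='package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/app/Loader/Loader.apk=com.example.loader
package:/data/app/com.changba-1/base.apk=com.changba
package:/data/app/com.whatsapp-2/base.apk=com.whatsapp'

if [ $# -gt 0 ]; then
  check_packages < "$1"
else
  printf '%s\n' "$SAMPLE_PM_OUTPUT" | check_packages
fi
```

Run against the sample, the script reports com.example.loader as a system package (only a firmware re-flash removes it) and com.changba as a user package. Matching on package name only catches the packages on this particular list, not a repackaged copy under a different name, so the behavioural monitoring the article goes on to recommend still applies.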
The problem with pre-installed malware
Please be advised that NOT all the Android smartphones listed are necessarily infected. It just means that malware was injected at some point between the phone vendor and the corporate users of the infected devices.
As evidenced by the BLU spyware problem last year, pre-installed malware is oftentimes hard to detect, since users will hardly notice any malicious activity when the phone already comes with it. Any suspicious processes may then be deemed part of the gadget’s normal operation.
We always warn Android users about downloading and installing third-party apps but obviously, this precaution will not apply in scenarios where the phone’s original firmware or ROM has been tampered with.
As Check Point warned, “The discovery of the pre-installed malware raises some alarming issues regarding mobile security. Users could receive devices which contain backdoors or are rooted without their knowledge.”
For protection, the firm recommended that “users should implement advanced security measures capable of identifying and blocking any abnormality in the device’s behavior.”
This implies that the best defense against this kind of pre-installed malware is a mobile security or anti-virus app from the Google Play app store. For peace of mind, install such an app and scan your Android smartphone as soon as you receive it.