Skip to Content

Is your phone on the list of malware-infected Android phones?

We always warn Android smartphone owners about the dangers of downloading and installing apps from third-party and unknown sources since they can be vectors for malicious software and spying apps.

But what if these types of malware already come pre-installed on your smartphone?

Late last year, preinstalled spyware was found on 700 million BLU branded Android phones that sent data to a server in China without user knowledge.

Recently, security researchers from Check Point detected severe malware infections in 36 Android gadgets belonging to a “large telecommunications company and a multinational technology company.”

The security firm stated that although this practice is not unusual, it is alarming that the malicious apps were installed even before the users received the smartphones. This means these apps, which were not part of the phone’s official ROM, were “added somewhere along the supply chain” between the phone vendors and the users.

Additionally, six of the malicious apps were found to have been added to device’s ROM using system privileges and they can’t be uninstalled by the user. Their removal requires a full device firmware re-flash.

“Most of the malware found to be pre-installed on the devices were info-stealers and rough ad networks,” Check Point warned and they identified the ad-bot malware Loki as the most notable of the bunch.

According to Check Point’s post:

“The most notable rough adnet, which targeted the devices is the Loki Malware. This complex malware operates by using several different components; each has its own functionality and role in achieving the malware’s malicious goal. The malware displays illegitimate advertisements to generate revenue. As part of its operation, the malware steals data about the device and installs itself to system, allowing it to take full control of the device and achieve persistency.”

Here’s the list of the corporate Android devices that Check Point found to have the corresponding malware pre-installed:

 Note: If you are having issues viewing this list, click here to read the article at

  • Asus Zenfone 2
  • Google Nexus 5 – com.changba (removed from list)

  • Google Nexus 5 – com.mobogenie.daemon (removed from list)

  • Google Nexus 5X – com.changba (removed from list)

  • Lenovo A850 – com.androidhelper.sdk

  • LenovoS90 –

  • LenovoS90 – com.skymobi.mopoplay.appstore

  • LG G4 – com.fone.player1

  • Oppo N3 –

  • OppoR7 plus – com.example.loader

  • Samsung Galaxy A5 – com.baycode.mop

  • Samsung Galaxy A5 –

  • Samsung Galaxy Note 2 – com.fone.player0

  • Samsung Galaxy Note 2 –

  • Samsung Galaxy Note 3 – com.changba

  • Samsung Galaxy Note 4 – com.kandian.hdtogoapp

  • Samsung Galaxy Note 4 – com.changba

  • Samsung Galaxy Note 4 – air.fyzb3

  • Samsung Galaxy Note 5 – com.ddev.downloader.v2

  • Samsung Galaxy Note 8.0 – com.kandian.hdtogoapp (amended by Check Point from Note 8)

  • Samsung Galaxy Note Edge – com.changba

  • Samsung Galaxy Note Edge – com.mojang.minecraftpe

  • Samsung Galaxy S4 –

  • Samsung Galaxy S4 – com.kandian.hdtogoapp

  • Samsung Galaxy S4 – com.changba

  • Samsung Galaxy S4 – com.changba

  • Samsung Galaxy S4 – com.mobogenie.daemon

  • Samsung Galaxy S7 –

  • Samsung Galaxy Tab 2 –

  • Samsung Galaxy Tab S2 – com.example.loader

  • Vivo X6 Plus –

  • Xiaomi Mi 4i –

  • Xiaomi Redmi – com.yongfu.wenjianjiaguanli

  • ZTE X500 – com.iflytek.ringdiyclient

Note: We updated this list to reflect the changes made by Check Point on their original list. All Nexus devices were removed and the Samsung Galaxy Note 8 was changed to Samsung Galaxy Note 8.0 (an Android tablet),

The problem with pre-installed malware

Please be advised that NOT all the Android smartphones listed are necessarily infected. It just means that malware was injected at some point between the phone vendor and the corporate users of the infected devices.

As evidenced by the Blu spyware problem last year, pre-installed malware is oftentimes hard to detect since users will hardly notice any malicious activity considering the phone already comes with it. Any suspicious processes may then be deemed as part of the gadget’s normal operation.

We always warn Android users about downloading and installing third-party apps but obviously, this precaution will not apply in scenarios where the phone’s original firmware or ROM has been tampered with.

As Check Point warned, “The discovery of the pre-installed malware raises some alarming issues regarding mobile security. Users could receive devices which contain backdoors or are rooted without their knowledge.”

For protection, the firm recommended that “users should implement advanced security measures capable of identifying and blocking any abnormality in the device’s behavior.”

This implies that the best defense against these kinds of pre-installed malware then are mobile security and anti-virus apps from the Google Play app store. For peace of mind, install these types of apps and scan your Android smartphones as soon as you receive them.

Click here to read Check Point’s full blog post.

More must-read stories:

Frightening new way thieves can steal your PIN and passcode in seconds

Don’t type “Amen” on this viral Facebook post – It’s a scam!

Data breach hits world’s largest payment system manufacturer

Ask me your digital question!

Navigating the digital world can be intimidating and sometimes downright daunting. Let me help! Reach out today to ask your digital question. You might even be on my show!

Ask Me