Malware found pre-installed on dozens of different Android devices

Can the supply chain be trusted?

David bisson
David Bisson

Malware found pre-installed on dozens of different Android devices

Malware in the form of info-stealers, rough ad networks, and even ransomware came pre-installed on more than three dozen different models of Android devices.

Researchers with Check Point spotted the malware on 38 Android devices owned by a telecommunications company and a multinational technology company.

The affected devices were as follows:

  • Galaxy A5
  • Galaxy Note 2
  • LG G4
  • Galaxy S7
  • Galaxy S4
  • Galaxy Note 4
  • Galaxy Note 5
  • Galaxy Note 8
  • Xiaomi Mi 4i
  • ZTE x500
  • Galaxy Note 3
  • Galaxy Note Edge
  • Galaxy Tab S2
  • Galaxy Tab 2
  • Oppo N3
  • vivo X6 plus
  • Nexus 5
  • Nexus 5X
  • Asus Zenfone 2
  • LenovoS90
  • OppoR7 plus
  • Xiaomi Redmi
  • Lenovo A850

Vendors of electronic devices like smartphones and computers ship out their products with data stored in the ROM. Short for “read-only memory,” ROM is a storage medium that keeps its data even when the power is off. It’s therefore used to contain important information like basic input and output instructions (BIOS) and firmware updates.

For malware to come pre-installed, the malicious software usually ships out on ROM. But that doesn’t mean the vendor is always responsible. Check Point’s team elaborates on that point in a blog post:

“The malicious apps were not part of the official ROM supplied by the vendor, and were added somewhere along the supply chain. Six of the malware instances were added by a malicious actor to the device’s ROM using system privileges, meaning they couldn’t be removed by the user and the device had to be re-flashed.”

So what does the pre-installed malware do?

Most of the unwanted software is either info-stealers or malicious adnets. For example, one Loki malware variant exploits infected devices by displaying illegitimate advertisements to try to generate revenue for their owners. It also steals information and installs itself on the system, allowing it to achieve persistence.

Sign up to our free newsletter.
Security news, advice, and tips.

There were a few notable exceptions among the herd, however. In particular, researchers spotted at least one instance of Slocker. It’s a mobile ransomware that employs AES encryption to encrypt all a device’s files and demand a ransom for the decryption key.

These threats beg the question: as pre-installed malware isn’t new, can users do anything to protect themselves against it?

The short answer: not really. Their best bet is to research a device and vendor thoroughly before they finalize a purchase. Once they’ve settled on the device, they should purchase it directly from the vendor and not go through a third-party seller.

Instead the onus of protecting against pre-installed malware rests with vendors. Organizations need to secure their supply chains by conducting compliance audits of their suppliers. Using least-privileged models and segregating contractors’ roles aren’t bad ideas, either.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

3 comments on “Malware found pre-installed on dozens of different Android devices”

  1. Tim

    Does installing a new operating system override the invested device? I ask because I just upgraded my Galaxy S7 Active to the latest os and security patch level.


    Samsung has never manufactured the "Galaxy Note 8". Product does not exist.

  3. Sam Cross`

    I have had the Samsung Galaxy S3 since it came out and had no problems.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.