Check Point: Malware Pre-Installed On Some Android Phones

Malware is usually able to make its way into a device because of user error. You might open an infected attachment, visit a malicious website, or download a piece of malware disguised as a popular app, for example, only to find that your device has been compromised as a result. But a report from the Check Point security company stated that 36 Android devices are compromised out of the box, which shows that user error isn't the only way for malware to get in.

Check Point said the devices were owned by "a large telecommunications company and a multinational technology company." The malicious apps seem to have been installed somewhere along the supply chain--they weren't included in the vendors' official ROMs, but they were installed by someone with system privileges, which means one of the companies involved in manufacturing, assembling, shipping, and selling the phones was probably involved.

Devices from Samsung, ZTE, Asus, Lenovo, Oppo Global, and LG were included in Check Point's report. The company said much of the malware it found was devoted to stealing information or showing illegitimate advertisements. The most notable apps it found were Slocker, ransomware that uses AES encryption to hold a phone's data for ransom, and the Loki Malware that can "take full control of the device and achieve persistency" to display ads.

It's no surprise to learn that Android smartphones were targeted by various types of malware. In the past we've seen attackers disguise malicious apps as the Android version of the currently iOS-exclusive Super Mario Run; use malware called Gooligan to collect user data and compromise Google accounts; and silently install potentially harmful apps via "autorooting" malware like LevelDropper. And those are just a few recent examples.

Attackers targeting Android smartphones along the supply chain, however, is even more worrisome. It means that even if you do your best to keep yourself safe by never opening sketchy attachments, sticking with trusted websites, and making sure you're installing only legitimate software, your device could already be infected with malware. Check Point explained in its report:

As a general rule, users should avoid risky websites and download apps only from official and trusted app stores. However, following these guidelines is not enough to ensure their security. Pre-installed malware compromise the security even of the most careful users. In addition, a user who receives a device already containing malware will not be able to notice any change in the device’s activity which often occur once a malware is installed. The discovery of the pre-installed malware raises some alarming issues regarding mobile security. Users could receive devices which contain backdoors or are rooted without their knowledge. To protect themselves from regular and pre-installed malware, users should implement advanced security measures capable of identifying and blocking any abnormality in the device’s behavior.

It's hard enough to convince most people to take even basic security precautions. Pew reported last year that many Americans reuse passwords, don't lock their smartphones behind a passcode, and otherwise defy security best practices. Expecting many of these people--even if they're valuable enough to warrant targeting via supply chain malware installation--to make sure their device is clean the first time they use it borders on lunacy.

Of course, it's worth noting that many Android smartphones have been sold, and the 36 found by Check Point are a fraction of a fraction of that number. The question now is how long the attackers targeted these devices' supply chains. Were they compromised from the get-go, or was only a small production run affected? The answers could make the difference between a relatively small problem and a much larger issue for these companies and their customers.

Nathaniel Mott
Freelance News & Features Writer

Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.

  • fooliganigan
    This is why it's a good idea to flash your new phone with the stock ROM, if you can.
  • kitsinu
    They are going to have to put security seals on phones the way they do for other products. In fact, I can't think of a reason why they haven't been doing that already.
  • grant barker
    That's right Fooliganigan. Flashing another ROM should help I think: grantbarker.com/roms.html
  • Math Geek
    seems samsung has some issues with their supply chain as many of their popular phones are infected.

    Lenovo does not surprise me and considering their use of malware on their pc's and laptops, they probably installed it themselves.
  • jackweinmann
    ...So how does one rectify this?
  • Math Geek
    fooliganigan said:
    This is why it's a good idea to flash your new phone with the stock ROM, if you can.

    it's a good idea but often the stock rom is not available for newer phones and it can be beyond the novice user to do such a thing.
  • jackweinmann
    ...so then how does one rectify this? I don't mean industry wide, I mean individually, how does one who is concerned that their phone might be compromised make sure there is nothing on their phone?
  • Math Geek
    flash a stock rom for the phone. that's how to remove it. you should be able to go to the phone's product page and get links to the stock rom and instructions of how to flash it.

    if not, sites like xda forums https://forum.xda-developers.com/ or androidforums.com are a good source for roms as well.
  • Shadowspawn13
    Isn't there a security app to download to remove it? Like if you have an older phone that you think has been compromised?
  • mrmez
    Hilarious. Buy a new phone and then you need to start updating roms.

    If you bought a new car and had to tow it home and replace the gearbox, you'd be P!$$ED!!
    You'd call that car a POS and want to burn it to the ground, yet this seems to be totally acceptable when it comes to electronics.

    For many people that's probably easier than installing a new rom.