The Google Play Store is notorious for harboring apps that contain malware, adware, or some flavor of spyware or fleeceware. A lesser-known fact is that hackers are increasingly targeting pre-installed apps for their misdeeds, and researchers are trying to raise awareness about this growing trend. Millions of affordable Android phones come with numerous pre-installed apps, and hackers only need to subvert one. However, addressing this issue is significantly more challenging than dealing with rogue apps that find their way into the Play Store.
Last month, we learned that malware had been discovered in 60 Android apps with over 100 million downloads – another black eye for the mobile operating system that has an estimated three billion active users worldwide. Malicious developers regularly exploit various loopholes in Google’s app vetting process to create apps that steal login credentials, or fleeceware that squeezes as much as $400 million per year from users by tricking them into signing up for expensive in-app subscriptions.
However, researchers at Trend Micro are sounding the alarm about the growing trend of Android devices that come with malicious software pre-installed. While you can easily remove an app you’ve downloaded from the Play Store, addressing malware embedded in system apps or device firmware is a significantly more challenging task.
Android’s open nature allows manufacturers to create a wide range of phone models and target price-conscious consumers with more affordable options. However, it also opens the door for hackers to sneak in malicious code before those devices even leave the factory floor. This risk also applies to other Android devices, including smartwatches, tablets, set-top boxes, and smart TVs.
Senior Trend Micro researcher Fyodor Yarochkin says pre-installed malware has become much more common in recent years, partly due to a race to the bottom among mobile firmware developers. Once selling firmware became unprofitable, many developers began offering it for free.
As expected, there’s a catch to this new business model – many of the firmware images analyzed by Trend Micro contained bits of code described as “silent plugins.” The researchers have discovered over 80 flavors so far, but only a few have seen widespread distribution. The more popular ones are being sold underground and promoted on Facebook, YouTube, and various blogs.
Data: ESET Threat Intelligence
Some of these plugins allow cyber criminals to “rent out” Android devices for up to five minutes at a time and use them to steal login credentials or other sensitive user information. Others are capable of downloading additional malware onto the infected device.
Researchers estimate that millions of infected devices are in use worldwide, with a large portion concentrated in Eastern Europe and Southeast Asia. Interestingly, the criminals themselves claim that 8.9 million Android devices are loaded with their silent plugins.
Trend Micro confirmed the presence of malware in phones from at least 10 vendors, most of them Chinese. The firm suspects an additional 40 vendors are affected, but researchers are more interested in determining where along the supply chain the infection is most likely to occur.
Play Protect can usually spot rogue apps from the Play Store, but what about silent plugins?
Google has been aware of pre-installed Android malware for years, but it cannot easily solve the problem due to its limited control over the complex OEM Android supply chain. Cheaper phones tend to use the Android Open Source Project (AOSP) and come with anywhere between 100 and 400 pre-installed apps – all it takes is infecting one of them.