Android phones come with pre-installed malware

News
By published

Supply chain security issues could leave Android devices vulnerable to attack

(Image credit: Shutterstock)

Google has made significant headway when it comes to removing malware from the Play Store but a recent Black Hat presentation from a Google Project Zero researcher has shined light on the fact that many devices ship with malicious apps pre-installed.

Maddie Stone, who previously worked on the Android Security team and is still with Project Zero, revealed that it is nearly impossible for users to defend themselves against pre-installed malware on their devices. 

Android devices now ship with somewhere between 100 and 400 apps and a cybercriminal only needs to subvert one of these apps to infect a device even before it ends up in the hands of a consumer.

This problem has become particularly troubling on cheaper smartphones which use the Android Open Source Platform (AOSP) as opposed to the licensed 'stock' Google version of Android that larger brands use.

Supply chain security

Stone highlighted several instances she encountered while working on the Android Security team including an SMS and click fraud botnet called Chamois that was able to infect at least 21m devices beginning in 2016.

This malware was harder to defeat than anticipated because it wasn't until March of 2018 that Google realized that 7.4m of the affected devices had the malware pre-installed in the supply chain. The company was successfully able to reduce pre-installed Chamois to a tenth of that level by 2019 but other supply chain security issues were also identified.

For instance, 225 device manufacturers either left diagnostic software on their devices which provided backdoor remote access, modified Android Framework code that allowed spyware-level logging or installed apps that had been configured to bypass Google Play Protect security. While some of these supply chain security issues were inadvertent, the threat was dangerous enough that Google did assign a CVE number and issued a software fix that outlawed the bypass at the beginning of this year.

According to Stone, stopping the supply chain malware problem is much more difficult than removing rogue apps from the Google Play Store since detection must happen at a lower level than traditional security apps are capable of. Now that light has been shone on the issue, Stone would like to see further third-party research into this software level.

Anthony Spadafora
Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home. 

Latest in Security
Data Breach
Thousands of healthcare records exposed online, including private patient information
China
Juniper patches security flaws which could have let hackers take over your router
Representational image depecting cybersecurity protection
GitLab has patched a host of worrying security issues
Ai tech, businessman show virtual graphic Global Internet connect Chatgpt Chat with AI, Artificial Intelligence.
AI agents can be hijacked to write and send phishing attacks
China
Volt Typhoon threat group had access to American utility networks for the best part of a year
Abstract image of cyber security in action.
MassJacker malware targets those looking for pirated software
Latest in News
Google Pixel 8a in aloe green showing
Google Pixel 9a benchmark link teases the performance of the upcoming mid-ranger
Quordle on a smartphone held in a hand
Quordle hints and answers for Monday, March 17 (game #1148)
NYT Strands homescreen on a mobile phone screen, on a light blue background
NYT Strands hints and answers for Monday, March 17 (game #379)
NYT Connections homescreen on a phone, on a purple background
NYT Connections hints and answers for Monday, March 17 (game #645)
Apple iPhone 16 Pro HANDS ON
Leaked iPhone 17 dummy units may have given us our best look yet at all four models
A super close up image of the Google Gemini app in the Play Store
It's official: Google Assistant will be retired for phones this year, with Gemini taking over
More about security
Money

Financial leaders still rely on regular tools like Excel for automation tasks over AI
Half man, half AI.

Generative AI has a long way to go as siloed data and abuse of its capacity remain a downside – but it does change the game for security teams
A person in a wheelchair working at a computer.

Why betting on Mac security could put your organization at risk
See more latest
Most Popular
BraX3
This obscure brand wants to launch the most privacy-friendly smartphone ever without Google, but with a mysterious open-source OS at its core
HAMR
Seagate reportedly sold two billion GBs worth of storage to two of the world's largest tech companies
Google Pixel 8a in aloe green showing
Google Pixel 9a benchmark link teases the performance of the upcoming mid-ranger
NYT Connections homescreen on a phone, on a purple background
NYT Connections hints and answers for Monday, March 17 (game #645)
NYT Strands homescreen on a mobile phone screen, on a light blue background
NYT Strands hints and answers for Monday, March 17 (game #379)
Quordle on a smartphone held in a hand
Quordle hints and answers for Monday, March 17 (game #1148)
Oracle
Bluehost owner is moving to Oracle Cloud, so could thousands of websites be about to migrate?
Money
Financial leaders still rely on regular tools like Excel for automation tasks over AI
Two examples of the Asus Fragrance Mouse MD101 sitting on a table
Your next computer mouse could have a fragrance compartment for aromatherapy oils – and this Asus idea is nothing to sniff at
Apple iPhone 16 Pro HANDS ON
Leaked iPhone 17 dummy units may have given us our best look yet at all four models