according to Google’s own security research team, millions of new Android smartphones are being purchased with dangerous malware factory-installed.
There have been multiple headlines about the millions of harmful apps being installed from the Play Store, but this is something new.
And the danger to unsuspecting users, trusting that new boxed devices are safe and clean, is that some of that preinstalled malware can download other malware in the background, commit ad fraud, or even take over its host device.
New phones can have as many as 400 apps factory-installed, many of which we just ignore. But it transpires that many of those apps have not been vetted. The apps themselves will work as billed, providing a useful capability or service, so we can be forgiven for not considering the risk that might lurk within.
Google’s Maddie Stone, a security researcher with the company’s Project Zero, shared her team’s findings at Black Hat on Thursday. “If malware or security issues come as preinstalled apps,” she warned, “then the damage it can do is greater, and that’s why we need so much reviewing, auditing, and analysis.”
The risk impacts Android’s Open-Source Project (AOSP), a lower-cost alternative to the full-fat version. AOSP is installed on lower-cost smartphones where cheaper software alternatives help keep prices down. This means owners of Android-badged devices from the likes of Samsung and Google itself are safe from this particular risk.
For an attacker, Stone warned, the benefit of supply chain compromise is that they “only have to convince one company to include their app, rather than thousands of users.” The Google team didn’t disclose any details of the brands of phones involved, but more than 200 device manufacturers fell foul of the testing, with malware allowing the devices to be attacked remotely.
Of particular concern were two particularly virulent malware campaigns: Chamois and Triada. Chamois generates various flavors of ad fraud, installs background apps, downloads plugins and can even send premium-rate text messages. Chamois alone was found to have come installed on 7.4 million devices. Triada is an older variant of malware, one that also displays ads and installs apps.
Google is working to help device manufacturers screen for such vulnerabilities, and between March 2018 and March 2019, Stone claims such screening helped reduce the instances of devices infected by Chamois from 7.4 million to “only” 700,000. “The Android ecosystem is vast,” she warned, “with a diversity of OEMs and customizations—if you are able to infiltrate the supply chain out of the box, then you already have as many infected users as how many devices they sell—that’s why it’s a scarier prospect.”