Millions of shiny new Android smartphones are being purchased with dangerous malware factory-installed, according to Google’s own security research team. There have been multiple headlines about the millions of harmful apps being installed from the Play Store, but this is something new. And the danger to unsuspecting users, trusting that new boxed devices are safe and clean, is that some of that preinstalled malware can download other malware in the background, commit ad fraud, or even take over its host device.
Android is a thriving open-source community, which is great for innovation but not so great when threat actors seize the opportunity to hide malware in basic software loads that come on boxed devices. New phones can have as many as 400 apps factory-installed, many of which we just ignore. But it transpires that many of those apps have not been vetted. The apps themselves will work as billed, providing a useful capability or service, so we can be forgiven for not considering the risk that might lurk within.
Google’s Maddie Stone, a security researcher with the company’s Project Zero, shared her team’s findings at Black Hat on Thursday. “If malware or security issues come as preinstalled apps,” she warned, “then the damage it can do is greater, and that’s why we need so much reviewing, auditing and analysis.”
The risk impacts Android’s Open-Source Project (AOSP), a lower-cost alternative to the full-fat version. AOSP is installed on lower-cost smartphones where cheaper software alternatives help keep prices down. This means owners of Android-badged devices from the likes of Samsung and Google itself are safe from this particular risk.
For an attacker, Stone warned, the benefit of supply chain compromise is that they “only have to convince one company to include their app, rather than thousands of users.” The Google team didn’t disclose any details of the brands of phones involved, but more than 200 device manufacturers fell foul of the testing, with malware allowing the devices to be attacked remotely.
Of particular concern were two particularly virulent malware campaigns: Chamois and Triada. Chamois generates various flavors of ad fraud, installs background apps, downloads plugins and can even send premium rate text messages. Chamois alone was found to have come installed on 7.4 million devices. Triada is an older variant of malware, one that also displays ads and installs apps.
Google is working to help device manufacturers screen for such vulnerabilities, and between March 2018 and March 2019, Stone claims such screening helped reduce the instances of devices infected by Chamois from 7.4 million to “only” 700,000. “The Android ecosystem is vast,” she warned, “with a diversity of OEMs and customizations—if you are able to infiltrate the supply chain out of the box, then you already have as many infected users as how many devices they sell—that’s why it’s a scarier prospect.”
In the meantime, the usual advice applies around downloading and installing apps from the Play Store. A healthy dose of skepticism does not go amiss when the app is from an unknown source. Not much users can do if those threats come preinstalled, though, and that’s why this revelation is so dangerous. For this one we need to rely on manufacturers to do the right thing and follow Google’s advice in screening software fully to eradicate such risks.