Android devices containing pre-installed malware were recently discovered on 38 mobile devices belonging to two large companies, according to security firm Check Point.
A new report from Check Point reveals that a variety of malware, mostly comprised of info-stealers and sketchy ad networks, though a mobile ransomware family was also discovered among them. What’s also interesting, is that the malware was present on the infected devices before the users received them, although it wasn’t part of the official ROM the vendors supplied.
The security company says that the malicious applications were “added somewhere along the supply chain.” Six of the malware instances, Check Point discovered, were added by a malicious actor using system privileges, meaning that the users had no means to remove the malware unless they re-flashed the ROM.
One of the malicious APKs, com.google.googlesearch, was an adnet present on 6 devices. Another one was the Slocker mobile ransomware, which uses AES encryption to encrypt all files on the device. The malware uses Tor for its command and control (C&C) communications.
The most notable of the threats, however, was the Loki info-stealer and rough adnet, found on devices as the com.androidhelper.sdk APK. The malware, Check Point says, uses several different components, each with its own functionality and role. Loki’s malicious goal, in addition to displaying illegitimate advertisements to generate revenue, is to steal data about the device, while installing itself to the system partition to achieve persistence and take full control of the device.
The infected devices include: Galaxy Note 2, Galaxy Note 3, Galaxy Note 4, Galaxy Note 5, Galaxy Note Edge, Galaxy Note 8.0, Galaxy S7, Galaxy S4, Galaxy A5, Galaxy Tab S2, Galaxy Tab 2, LG G4, ZTE x500, vivo X6 plus, Asus Zenfone 2, Oppo N3, Oppo R7 plus, Xiaomi Mi 4i, Xiaomi Redmi, Lenovo S90, Lenovo A850, Nexus 5, and Nexus 5X.
What the security researchers didn’t reveal was whether the infection was part of a targeted attack against the two affected companies, a large telecommunications company and a multinational technology company.
“Pre-installed malware compromise the security even of the most careful users. In addition, a user who receives a device already containing malware will not be able to notice any change in the device’s activity which often occur once a malware is installed,” Oren Koriat, Check Point Mobile Research Team, says.
Pre-installed malware on mobile devices isn’t new, though it was clear who was to blame for it in previous incidents. In November last year, researchers discovered that the Firmware Over The Air (FOTA) update software system managed by China-based ADUPS performed backdoor activities by collecting information about the devices it was present on. The company said the backdoor was used to im prove user experience.
Also in November 2016, the OTA update mechanism provided by another Chinese company, Ragentek Group, was revealed to expose nearly 3 million devices to Man-in-the-Middle (MitM) attacks and to allow adversaries to execute arbitrary commands with root privileges.
Related: Backdoor in Some Android Phones Sends Data to Server in China
Related: Over-the-Air Update Mechanism Exposes Millions of Android Devices

More from Ionut Arghire
- New York Attorney General Fines Vendor for Illegally Promoting Spyware
- 20 Million Users Impacted by Data Breach at Instant Checkmate, TruthFinder
- Florida Hospital Cancels Procedures, Diverts Patients Following Cyberattack
- Former Ubiquiti Employee Who Posed as Hacker Pleads Guilty
- Atlassian Warns of Critical Jira Service Management Vulnerability
- Exploitation of Oracle E-Business Suite Vulnerability Starts After PoC Publication
- Google Shells Out $600,000 for OSS-Fuzz Project Integrations
- F5 BIG-IP Vulnerability Can Lead to DoS, Code Execution
Latest News
- Comcast Wants a Slice of the Enterprise Cybersecurity Business
- Critical Baicells Device Vulnerability Can Expose Telecoms Networks to Snooping
- New York Attorney General Fines Vendor for Illegally Promoting Spyware
- SecurityWeek Analysis: Over 450 Cybersecurity M&A Deals Announced in 2022
- 20 Million Users Impacted by Data Breach at Instant Checkmate, TruthFinder
- Cyber Insights 2023 | Zero Trust and Identity and Access Management
- Cyber Insights 2023 | The Coming of Web3
- European Police Arrest 42 After Cracking Covert App
