Security Experts:

Connect with us

Hi, what are you looking for?


Mobile & Wireless

Enterprises Infected By Pre-installed Android Malware

Android devices containing pre-installed malware were recently discovered on 38 mobile devices belonging to two large companies, according to security firm Check Point.

Android devices containing pre-installed malware were recently discovered on 38 mobile devices belonging to two large companies, according to security firm Check Point.

A new report from Check Point reveals that a variety of malware, mostly comprised of info-stealers and sketchy ad networks, though a mobile ransomware family was also discovered among them. What’s also interesting, is that the malware was present on the infected devices before the users received them, although it wasn’t part of the official ROM the vendors supplied.

The security company says that the malicious applications were “added somewhere along the supply chain.” Six of the malware instances, Check Point discovered, were added by a malicious actor using system privileges, meaning that the users had no means to remove the malware unless they re-flashed the ROM.

One of the malicious APKs,, was an adnet present on 6 devices. Another one was the Slocker mobile ransomware, which uses AES encryption to encrypt all files on the device. The malware uses Tor for its command and control (C&C) communications.

The most notable of the threats, however, was the Loki info-stealer and rough adnet, found on devices as the com.androidhelper.sdk APK. The malware, Check Point says, uses several different components, each with its own functionality and role. Loki’s malicious goal, in addition to displaying illegitimate advertisements to generate revenue, is to steal data about the device, while installing itself to the system partition to achieve persistence and take full control of the device.

The infected devices include: Galaxy Note 2, Galaxy Note 3, Galaxy Note 4, Galaxy Note 5, Galaxy Note Edge, Galaxy Note 8.0, Galaxy S7, Galaxy S4, Galaxy A5, Galaxy Tab S2, Galaxy Tab 2, LG G4, ZTE x500, vivo X6 plus, Asus Zenfone 2, Oppo N3, Oppo R7 plus, Xiaomi Mi 4i, Xiaomi Redmi, Lenovo S90, Lenovo A850, Nexus 5, and Nexus 5X.

What the security researchers didn’t reveal was whether the infection was part of a targeted attack against the two affected companies, a large telecommunications company and a multinational technology company.

“Pre-installed malware compromise the security even of the most careful users. In addition, a user who receives a device already containing malware will not be able to notice any change in the device’s activity which often occur once a malware is installed,” Oren Koriat, Check Point Mobile Research Team, says.

Pre-installed malware on mobile devices isn’t new, though it was clear who was to blame for it in previous incidents. In November last year, researchers discovered that the Firmware Over The Air (FOTA) update software system managed by China-based ADUPS performed backdoor activities by collecting information about the devices it was present on. The company said the backdoor was used to im prove user experience.

Also in November 2016, the OTA update mechanism provided by another Chinese company, Ragentek Group, was revealed to expose nearly 3 million devices to Man-in-the-Middle (MitM) attacks and to allow adversaries to execute arbitrary commands with root privileges.

Related: Backdoor in Some Android Phones Sends Data to Server in China

Related: Over-the-Air Update Mechanism Exposes Millions of Android Devices

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.


A digital ad fraud scheme dubbed "VastFlux" spoofed over 1,700 apps and peaked at 12 billion ad requests per day before being shut down.

Mobile & Wireless

South Dakota Gov. Kristi Noem says her personal cell phone was hacked and linked it to the release of documents by the January 6...

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Application Security

Software maker Adobe on Tuesday released security patches for 29 documented vulnerabilities across multiple enterprise-facing products and warned that hackers could exploit these bugs...