In general, Android devices have a decidedly mixed reputation for security. While the operating system itself and Google’s Pixels have resisted software exploits over the years, the endless stream of malicious apps in Google Play and vulnerable devices from some third-party manufacturers has tarnished its image.
On Thursday, that image was further tarnished after two reports said multiple lines of Android devices came with pre-installed malware that users could not remove without taking heroic measures.
The first report came from security firm Trend Micro. In research presented at the Black Hat Asia security conference in Singapore, its researchers reported that as many as 8.9 million phones from as many as 50 different brands were infected with malware. Guerrilla, as the malware is known, was first documented by researchers at security firm Sophos, who found it in 15 malicious apps that Google had allowed onto the Play market.
Guerrilla opens a backdoor: infected devices regularly contact a remote command-and-control server to check for new malicious updates, which they then install. Those updates collect data about the users that the threat actor, which Trend Micro calls the Lemon Group, can sell to advertisers. Guerrilla also stealthily installs aggressive advertising platforms that drain the battery and degrade the user experience.
Trend Micro's researchers wrote:
Although we have identified some of the activities that Lemon Group does for big data, marketing and advertising companies, the main activity consists of the use of big data: analyzing huge amounts of data and the corresponding characteristics of manufacturers’ shipments, various advertising content obtained from different users at different times, and the hardware data with detailed software push. This allows Lemon Group to monitor customers who could be further infected with other apps to build on, such as focusing on showing ads only to app users from certain regions.
The country with the highest concentration of infected phones was the US, followed by Mexico, Indonesia, Thailand and Russia.
Guerrilla is a sprawling platform with nearly a dozen plugins. They can hijack users' WhatsApp sessions to send unwanted messages, turn an infected phone into a reverse proxy so that its network connection can be used by others, and inject advertisements into legitimate apps.
Unfortunately, Trend Micro has not identified the affected brands, and company representatives have not responded to an email asking for them.
The second report was published by TechCrunch. It describes several lines of Android-based TV boxes sold through Amazon that ship laced with malware. The boxes are built around chips from two China-based silicon vendors, AllWinner and RockChip, and they report to a command-and-control server that, like the Guerrilla servers, can install any application the malware creators want. The malware preinstalled on the boxes is a clickbot, which generates ad revenue by stealthily tapping ads in the background.
TechCrunch cited reports (here and here) from Daniel Milisic, a researcher who happened to buy one of the infected boxes. Milisic’s findings were independently confirmed by Bill Budington, a researcher at the Electronic Frontier Foundation.
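Both reports describe the same practical problem: the malicious package lives on a firmware partition, so it survives a factory reset and a normal uninstall does nothing. The first thing a practitioner does with a suspect device is pull the package list over adb and look for firmware-resident packages that don't belong. The script below is an added example, not code from the article, Trend Micro, or Milisic's published work. It parses the output of `adb shell pm list packages -f`, flags packages on a firmware partition that are outside an allowlist, and prints the per-user removal command. The allowlist prefixes and every package name in the sample output are constructed for illustration.

```python
"""Offline triage of `adb shell pm list packages -f` output.

Added example: flags firmware-resident packages that are not on an
allowlist and emits the per-user removal command. The allowlist and the
sample package names below are constructed for illustration only.
"""
from dataclasses import dataclass

# Partitions baked into the firmware image. A package whose APK lives here
# survives a factory reset; without root or a reflash, the most a user can
# do is remove it for their own user profile.
FIRMWARE_PARTITIONS = ("system", "system_ext", "vendor", "product", "odm", "oem")

# Constructed allowlist (assumption): prefixes treated as expected AOSP/Google
# packages. A real audit would compare against the OEM's published image.
EXPECTED_PREFIXES = ("android", "com.android.", "com.google.android.")


@dataclass
class Finding:
    name: str          # package name
    apk: str           # path to the installed APK
    partition: str     # firmware partition the APK lives on
    privileged: bool   # under priv-app: eligible for privileged permissions
    action: str        # command that removes the package for user 0 only


def parse_pm_line(line):
    """Parse one `package:<apk path>=<package name>` line; None if it isn't one."""
    line = line.strip()
    if not line.startswith("package:"):
        return None
    # Package names never contain '=', but modern /data/app paths can, so
    # split on the last '=' rather than the first.
    apk, sep, name = line[len("package:"):].rpartition("=")
    if not sep or not name:
        return None
    return apk, name


def partition_of(apk_path):
    """First path component, e.g. '/vendor/app/X/X.apk' -> 'vendor'."""
    parts = apk_path.strip("/").split("/", 1)
    return parts[0] if parts and parts[0] else ""


def triage(pm_output, expected_prefixes=EXPECTED_PREFIXES):
    """Return a Finding for every firmware package outside the allowlist."""
    findings = []
    for line in pm_output.splitlines():
        parsed = parse_pm_line(line)
        if parsed is None:
            continue
        apk, name = parsed
        part = partition_of(apk)
        if part not in FIRMWARE_PARTITIONS:
            continue                     # user-installed: ordinary uninstall works
        if name.startswith(expected_prefixes):
            continue
        findings.append(Finding(
            name=name,
            apk=apk,
            partition=part,
            privileged="/priv-app/" in apk,
            # Keeps the APK on disk but removes it for user 0. It comes back
            # after a factory reset, which is why reflashing is the only
            # complete fix.
            action=f"adb shell pm uninstall -k --user 0 {name}",
        ))
    return findings


# Constructed sample of `pm list packages -f` output (not from a real device).
SAMPLE_PM_OUTPUT = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/product/app/YouTube/YouTube.apk=com.google.android.youtube
package:/system/priv-app/SysUpdate/SysUpdate.apk=com.example.sysupdate
package:/vendor/app/OtaAgent/OtaAgent.apk=com.example.otaagent
package:/data/app/~~Zm9v==/org.mozilla.firefox-1/base.apk=org.mozilla.firefox
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_PM_OUTPUT):
        flag = "PRIVILEGED " if f.privileged else ""
        print(f"{flag}{f.partition:<10} {f.name:<28} {f.action}")
```

On a real device, capture the list with `adb shell pm list packages -f > pkgs.txt` and pass the file contents to `triage()`. Two caveats: the allowlist is a heuristic, and malicious code grafted into a legitimately named system component will not show up as an unexpected package, which is why both Trend Micro and Milisic also watched for the unexplained outbound connections to a command-and-control server that the article describes. A package flagged under priv-app deserves the most attention, since that location is what makes a package eligible for the privileged permissions a remote installer needs.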
Unfortunately, Android devices that ship with malware straight out of the factory box are nothing new. Ars has reported on such incidents a few times in recent years (here, here, here). All affected models were in the budget tier.
People in the market for an Android phone should focus on well-known brands like Samsung or LG, which generally have much more reliable quality checks in their supply chains. To date, there have been no reports of high-end Android devices shipping with pre-installed malware, and there are no such reports for iPhones either.