Security researchers from Check Point reported on ‘Preinstalled malware targeting mobile users’ on March 10, 2017, and it’s been widely reported in the tech media. The exact mechanism by which malware came to be installed on these new Android smartphones is not known, but assumed to have been added in the supply chain after it left the manufacturer.
The implications are pretty scary. We all assume that when we buy a phone from the likes of Samsung, Lenovo, Nexus or LG Mobile, that it’s up-to-date and secure. Because of this exploit, we now have to worry about an unseen supply chain and whether the phone vendor is reputable.
Quoting from the Check Point report:
According to the findings, the malware were already present on the devices even before the users received them. The malicious apps were not part of the official ROM supplied by the vendor, and were added somewhere along the supply chain. Six of the malware instances were added by a malicious actor to the device’s ROM using system privileges, meaning they couldn’t be removed by the user and the device had to be re-flashed.
This exploit is less likely to be found in North America than in other parts of the world, and it’s not at all likely with iOS devices.
We provide details below regarding the types of malware, the risks associated with each type, implications of preinstalled malware, geographies where this threat is most prevalent, and recommendations for enterprises.
Details on the malicious applications
The median age of these malicious applications is approximately 2.2 years with the oldest samples being from 2012. Out of the 21 samples reported, just two are trojans. None of the adware or trojans reported are new, and all major security products should have malware detection in place for the trojans.
First discovered in February 2016.
This malware was an early adopter of the auto-rooting strategy where a malicious application will download several exploits in an attempt to compromise the device and gain persistence. The ultimate goal of this strategy and persistence is to generate advertising and pay per download revenue. However, there is little limitation to what could be accomplished with root capabilities. A device owner affected by malware that roots his or her phone is likely unable to resolve the issue on their own. This is due to the user having fewer on-device privileges than the malware.
First discovered in June 2014.
This malware will gather basic device information, encrypt local files, and attempt to extort the device owner for payment.
The Implications of Preinstalled Malware
Over the last two years, reports of preinstalled malware have been regular occurrences in the Android ecosystem.
Preinstalled malware can come in a few forms:
- A device is used and was not wiped, leaving malicious software installed
- A device is new, however, the supply chain added software and it is user-removable.
- A device is new, and the additional software is in the system partition. This is not user removable.
Any device that is used should be wiped. However, wiping a phone is not a guarantee that the restored partition will be free of bloatware or malware. The most secure option for users here would be to download the factory image, if possible for their phones, and reflash their devices. Cellular providers that sell phones may have alternate images. Reflashing may not be possible for phones where no factory image is available, or where the user can not access certain functions of the phone.
New devices with removable software/bloatware:
A new device does not preclude the installation of adware, bloatware, or even malware. The addition of unwanted software ranging from bloatware to hugely invasive spyware has been commonplace in PCs. In some cases, this has even led to the security of the devices being compromised through the replacement of certificates. Luckily, on mobile devices, applications that are not in the system partition are typically easy to remove using the built-in OS uninstall functionality.
New devices with malware in the system partition:
The worst-case scenario is when there is a new device and the adware or malware is part of the system partition. When applications are in the system partition, users are prevented from uninstalling them. While this has little negative effect for useful applications such as Gmail, or your calendar, it can mean that a user has no quick resolution to remove malware.
Historically preinstalled adware and malware have mostly affected budget devices sourced from Asia or name brand devices that are sold through local markets in Asia. Due to this, it makes sense that the Check Point report would cite multinational enterprises as experiencing preinstall malware issues. However, this does not preclude non-Asian markets from this threat. Counterfeit devices, access to vulnerable devices through online stores, low-cost devices with invasive spyware, manufacturer issues, and device fragmentation make this in exceptional difficult issue for an individual to mitigate.
How to address this mobile risk to enterprises:
- Keep in mind that employees can, through no fault of their own, introduce risk or malware into the enterprise
- If the adware or malware is preinstalled, there is no simple recourse other than device replacement. Advanced users may be able to resolve this if they have Android Debug Bridge — a command-line tool that lets users communicate with a device — enabled and have unlocked their devices, but we don’t recommend this for enterprise users.
- Devices should use a security product to evaluate risks and application behaviours before being allowed access to enterprise resources.
- Sourcing a device directly from a manufacturer such as Google or Apple reduces the risk the most, but does not preclude it.