Wednesday, May 24, 2023

Android, now featuring pre-installed malware for your convenience

There's a new report out that's gaining traction, and it's not good news for Android users.

Trend Micro has reported that nearly nine million Android devices have been "preinfected" with malware. That is, the devices, mostly smartphones, have the malware on them when you open the box. The malware is installed as part of the operating system:

We identified over 50 different images from a variety of vendors carrying initial loaders. The more recent versions of the loaders use fileless techniques when downloading and injecting other payloads. With this latest development, public repositories for threat intelligence do not list these updated loaders and the forensic analysis of such devices and images has become significantly harder. However, we can still spot the download attempts through telemetry monitoring, and once the main component is identified we would have the decryption keys to decode the payload.

Comparing our analyzed number of devices with Lemon Group’s alleged reach of 8.9 million, it’s highly likely that more devices have been preinfected but have not exchanged communication with the C&C server, have not been used or activated by the threat actor, or have yet to be distributed to the targeted country or market. Shortly after our Black Hat presentation, we noted that the page hosting these numbers of their reach was taken down. But noting our detections for this investigation alone, we were able to identify over 50 brands of mobile devices that have been infected by Guerilla malware, and one brand we’ve identified as a "Copycat" brand of the premiere line of devices from leading mobile device companies. Following our timeline estimates, the threat actor has spread this malware over the last five years. A compromise on any significant critical infrastructure with this infection can likely yield a significant profit for Lemon Group in the long run at the expense of legitimate users.

So far, no list of manufacturers has been released, so we don't know which brands may be safe or which may be compromised. Although I don't know this, I suspect that it is difficult to tell whether a device was infected out of the box or infected later.

That means that, say, the Widget Brand phone may have the infections, but they may have come after the consumer got the device, while the Thingamajig Brand phone may have the malware from an infected installation. In that scenario, Thingamajig phones would be unsafe, while Widget phones would be safe, since the Widget was clean when it was purchased, but a careless user got the infection on his own. It would be unfair to Widget to lump them into the same category as Thingamajig.

Still, I am curious as to which phones have the infection. I'm also curious as to how they got the infected operating system files. There's no evidence that it came from Google, meaning that Pixel phones are probably safe (out of the box). Devices with minimal bloatware, such as Motorola, may be safe, but I don't know that. Heck, it could be that a breach happened at Google and the OS was flawed when Google sent it out. But we don't know that.

What we do know is that a bunch of Android phone users are walking around with malware, and not because of anything they did wrong, but because it came that way.

My Streaming Life has included Android devices, although I don't have any running at the moment. I'm now unsure about running anything with Android OS until I know more.
