Overall, Android devices have earned a decidedly mixed reputation for security. While the OS itself and Google’s Pixels have stood up over the years against software exploits, the never-ending flow of malicious apps in Google Play and vulnerable devices from some third-party manufacturers have tarnished its image.
On Thursday, that image was further tarnished after two reports said that multiple lines of Android devices came with preinstalled malware and couldn’t be removed without users taking heroic measures.
The first report came from security firm Trend Micro. Researchers following up on a presentation delivered at the Black Hat security conference in Singapore reported that as many any 8.9 million phones and comprising as many as 50 different brands were infected with malware. First documented by researchers from security firm Sophos, Guerrilla, as they named the malware, was found in 15 malicious apps that Google allowed into its Play market.
Guerrilla opens a backdoor that causes infected devices to regularly communicate with a remote command and control server to check if there are any new malicious updates for them to install. These malicious updates collect data about the users that the threat actor, which Trend Micro calls the Lemon Group, can sell to advertisers. Guerrilla then surreptitiously installs aggressive ad platforms that can deplete battery reserves and degrade the user experience.
Trend Micros researchers wrote:
While we identified a number of businesses that Lemon Group does for big data, marketing, and advertising companies, the main business involves the utilization of big data: Analyzing massive amounts of data and the corresponding characteristics of manufacturers’ shipments, different advertising content obtained from different users at different times, and the hardware data with detailed software push. This allows Lemon Group to monitor customers that can be further infected with other apps to build on, such as focusing on only showing advertisements to app users from certain regions.
The country with the highest concentration of infected phones was the US, followed by Mexico, Indonesia, Thailand, and Russia.
Guerrilla is a massive platform with nearly a dozen plugins that can hijack users’ WhatsApp sessions to send unwanted messages, establish a reverse proxy from an infected phone and use the network resources of the affected mobile device, and inject ads into legitimate apps.
Unfortunately, Trend Micro didn’t identify the affected brands, and company representatives didn’t respond to an email asking for them.
The second report was published by TechCrunch. It detailed several lines of Android-based TV boxes sold through Amazon that are laced with malware. The TV boxes, reported to be T95 models with an h616 report to a command and control server that, just like the Guerrilla servers, can install any application the malware creators want. The default malware preinstalled on the boxes is known as a clickbot. It generates advertising revenue by surreptitiously tapping on ads in the background.
TechCrunch cited reports (here and here) by Daniel Milisic, a researcher who happened to buy one of the infected boxes. Milisic’s findings were independently confirmed by Bill Budington, a researcher at the Electronic Frontier Foundation.
Android devices that come with malware straight out of the factory box are, unfortunately, nothing new. Ars has reported on such incidents at least five times in recent years (here, here, here, here, and here). All the affected models were in the budget tier.
People in the market for an Android phone should steer toward known brands such as Samsung, Asus, or OnePlus, which generally have much more reliable quality assurance controls on their inventory. To date, there have never been reports of higher-end Android devices coming with malware preinstalled. There are similarly no such reports for iPhones.