In a development that is sure to scare off lots of potential users around the world, it came to prominence this week that tens of millions of smartphones with the Android operating system have dangerous malware preloaded. To make matters worse, the source of the news is Google itself, Android’s parent company.
Google’s security research staff alerted the community that numerous new Android devices are being offered in the market despite coming pre-loaded with malware installed at the factory level. Android is known as one of the biggest and most prominent operating systems, but also as one of the most dangerous and unreliable: allegations of dangerous apps in the Play Store are a common occurrence.
A report from Forbes details how a new user who takes the phone out of its box and starts configuring it may already be exposed to malware because it is pre-installed, and it can download other kinds of malware in the background, commit ad-related fraud, or hijack its host device, among other things.
The fact that Android is such a successful open source community is very positive because it stimulates innovation. However, members of the community can discreetly inject malware into the software loaded on boxed smartphones and devices.
In fact, consider that new phones can have nearly 400 preinstalled applications, and that is even before the user takes the phone out of its box. Many people overlook that fact and carelessly use the device without knowing about any threats or risks.
However, most of those apps haven’t been vetted and, judging by the way they function, the user won’t notice anything wrong because they seem to work properly and offer the service they are
The Black Hat cybersecurity conference served as the venue for Project Zero and Google researcher Maddie Stone to present her team’s findings. She explained that the fact that the malware comes pre-installed makes the situation significantly more dangerous and more difficult to manage. According to her, Android and Google need more reviewing, auditing and analysis.
Other entities are impacted by the risk, including the smaller Android Open Source Project (AOSP). It is installed on cheaper smartphones in order to maintain the price structure.
Stone also stated that because of the way the supply chain works, the attacker has to convince only one firm to include their app, rather than hundreds or even thousands of potential users.
Although Google did not reveal which brands had the pre-installed malware, over 200 smartphone manufacturers got into trouble for failing the proper tests: their devices could be attacked from remote locations because of the malware.
The Chamois and Triada malware campaigns were especially virulent. The former commits ad fraud, secretly installs apps in the background, and downloads plugins. It comes installed on a whopping 7.4 million smartphones. Meanwhile, Triada is older but displays ads and installs applications as well.
According to reports, Google is not only aware of the issue but is also trying to find a solution by working alongside device manufacturers to detect the vulnerabilities in the supply chain. Because of that, Stone said that the devices infected with Chamois were reduced from 7.4 million to 700,000.
Google and Android face a particularly difficult problem in dealing with this situation: the ecosystem, per Stone, is very broad, and that makes it hard to screen in a highly efficient manner.
She explains that the Android ecosystem has lots of OEMs and customizations and that if a criminal can infiltrate the supply chain, they have won half of the battle because they will have managed to infect millions of devices.
For now, users can be more careful with the apps they download from the Google Play Store, avoiding any unknown sources. However, to this date, there is not much they can do about pre-installed malware apps.