After finding Android ransomware and other threats pre-installed on popular smartphones and tablets from manufacturers...
like Samsung, LG and Xiaomi, experts are questioning quality assurance processes.
The Check Point Mobile Research Team detected Android ransomware and malware pre-installed on 36 device models studied at "a large telecommunications company and a multinational technology company."
"The malware were already present on the devices even before the users received them. The malicious apps were not part of the official ROM supplied by the vendor, and were added somewhere along the supply chain," Oren Koriat, cyber analyst at Check Point Software, wrote in a blog post. "Six of the malware instances were added by a malicious actor to the device's ROM using system privileges, meaning they couldn't be removed by the user and the device had to be re-flashed."
According to Koriat, the malware included information stealers, malicious advertisers and even Slocker ransomware. Koriat said the Slocker Android ransomware uses the anonymous Tor network for command and control and can encrypt all files on a device, while the Loki malware not only displays illegitimate advertisements, but can install "itself to [the] system, allowing it to take full control of the device and achieve persistency."
Liviu Arsene, senior e-threat researcher at Romania-based antimalware firm Bitdefender, said the Android ransomware and malware constituted serious threats.
"Considering that some of these applications display illegitimate ads or install ransomware, it's pretty clear that these malicious applications are pretty dangerous, which is to say that a lot affected users risk much more than just losing their data, but also risk being tracked and having their personal information syphoned throughout the entire lifetime of the device," Arsene told SearchSecurity.
Check Point did not speculate on when the malware was added to the devices. The blog post listed major Android devices in the Samsung Galaxy S and Galaxy Note series, as well as devices from Xiaomi, LG and Lenovo, but Check Point confirmed the infections were likely not widespread.
"These were only a handful of devices out of millions. By no means are we suggesting that these models contain built-in malware or anything of the sort," Daniel Padon, mobile threat researcher at Check Point, told SearchSecurity. "This is an isolated attack or attacks, not an entire malicious production line."
Tim Stiller, analytic response consultant at Rapid7, said it could be difficult for the manufacturers to find where in the supply chain the Android ransomware was introduced to the devices.
"Without further insight or data into the supply chain process, it's very challenging to pinpoint the exact moment this malware was most likely installed," Stiller told SearchSecurity. "It could have been installed during any downstream supply chain through infection or compromise, or anywhere along the way through to shipping and logistics."
Arsene noted that although the manufacturer ROMs were not infected, it doesn't mean they didn't include the method for introducing the Android ransomware and malware.
"We've seen recently that some mobile firmware developers have built backdoors into their software, allegedly with the purpose of filtering out spam text messages," Arsene said. "However, there are also instances where OEM manufactures strike deals with various app devices to pre-install root-enabled applications on smartphones that have the ability to install other applications in turn. These affiliations can sometimes cause serious security and privacy concerns."
Of the affected manufacturers, only Xiaomi responded to requests for comment at the time of publication. A Xiaomi spokesperson told SearchSecurity: "We can confirm that the malware listed do not come with any official ROM on Xiaomi smartphones. Xiaomi takes security very seriously and strongly recommends users go through official channels when buying our smartphones to ensure they receive the official version of [Xiaomi Android software]."
"As a consumer of new electronics, there is an expectation of trust that when you buy a new product, it is free from malware. When examples like this come to light, where malware is found to have been added as part of the supply chain, that trust is shattered," Patterson told SearchSecurity. "It places into question the quality assurance processes that exist today for device manufacturers. Based on these findings, device manufacturers should now introduce a final test of devices prior to shipping them to customers."
Patterson and Stiller said mitigation of these threats fall on the in-house security teams within an enterprise.
"Dealing with malware can certainly feel overwhelming, but here are four things you can do to help mitigate the impact: Review any pre-installed apps and their permissions; perform an [antivirus] scan upon receiving new device; report any suspicious apps to the IT/infosec teams; re-flash each inbound device received from an external or internal source prior to company use," Stiller said.
However, Arsene said there's not much enterprises can do if the Android ransomware comes "pre-installed with devices and with root-access."
"Of course, there's always the option to re-flash devices with custom and vetted firmware, but that implies losing warranties and internal code reviewing that could prove too costly for the average company," Arsene said. "However, if the on-device firmware is compromised, then the chances of mitigating those risks are even more grim to say the least."
Learn more about a bad trend indicated by the HummingBad Android malware.
Find out why Android ransomware and malware is harder to deliver than you think.
Get info on how Mazar malware can take control of an Android device.