Preinstalled malware on Android devices: a silent but deadly reality. In 2023, millions face potential threats from this insidious software. Learn to identify and combat these covert dangers.
by Maricor Bunal
May 22, 2023
Android devices, renowned for their versatility and user-friendly nature, have recently been scrutinized for a less desirable feature - preinstalled malware.
This article delves into the alarming reality of millions of Android TVs and phones potentially coming with malware preinstalled, shedding light on the risks involved, how to identify such threats, and the steps you can take to secure your devices.
Preinstalled malware, as the name suggests, is malicious software that comes installed on a device right out of the box. This type of malware is particularly insidious because it bypasses the usual download and installation process that typically triggers security software. In the case of Android TVs and phones, this malware can range from ad click bots to more dangerous software that can steal personal information or even take control of your device.
Recent reports suggest that potentially millions of Android TVs and phones come with malware preinstalled. According to a study by cybersecurity firm Trend Micro, as many as 8.9 million phones and an unspecified number of Android TVs could be affected. This alarming figure highlights the scale of the problem and the potential risks to unsuspecting users.
One might wonder how malware ends up preinstalled on a device. Here are some of the most likely scenarios to understand this.
According to a report by Bleeping Computer, cybercriminals are known to charge up to $5000 to add malware to an app on Google Play. This indicates that the preinstallation of malware can be a lucrative business for cybercriminals, further emphasizing the need for stringent security measures.
Dr. Web's January 2023 review of virus activity on mobile devices highlighted an increase in adware trojan activity with the Android.HiddenAds trojan family being particularly prevalent. These trojans are often distributed as popular and harmless applications, but once installed, they can display intrusive ads and significantly slow down device performance.
A Malwarebytes report also pointed out that malware is a much bigger threat to Android devices than it is to iOS devices. Malware on Android devices comes in many forms, including adware, ransomware, and trojans disguised as innocent apps. These malicious apps can steal personal and financial data and establish a permanent gateway into a smartphone, posing a significant threat to businesses.
These reports underscore the fact that preinstalled malware is a serious issue that needs to be addressed. It's not just about the device you buy; it's also about the apps you install and the security measures you take to protect your device.
Here are some impacted apps in the April 2023 Goldoson malware (here’s the full list):
• L.POINT with L.PAY - 10 million downloads
• Swipe Brick Breaker - 10 million downloads
• Money Manager Expense & Budget - 10 million downloads
• GOM Player - 5 million downloads
• LIVE Score, Real-Time Score - 5 million downloads
• Pikicast - 5 million downloads
• Compass 9: Smart Compass - 1 million downloads
• GOM Audio - Music, Sync lyrics - 1 million downloads
• LOTTE WORLD Magicpass - 1 million downloads
• Bounce Brick Breaker - 1 million downloads
• Infinite Slice - 1 million downloads
• SomNote - Beautiful note app - 1 million downloads
• Korea Subway Info: Metroid - 1 million downloads
Here’s what a Google spokesperson says about malware on Google Play apps:
The issue of preinstalled malware on Android devices is not new. Over the years, there have been several high-profile cases that have brought this issue to light. Here are some notable examples:
• In May 2023, another notable case involved popular Android TV streaming gadgets based on chipsets manufactured in China.
• These devices reportedly arrived with malware preinstalled, causing significant performance issues and security concerns.
• The malware was found to be capable of stealing personal information and even taking control of the device.
• This case underscored the need for rigorous security measures, even in seemingly harmless devices like TV streaming gadgets.
• In 2022, a Canadian systems security consultant discovered that a T95 Android TV box purchased from Amazon was pre-loaded with persistent, sophisticated malware baked into its firmware.
• The malware was found to be similar to 'CopyCat,' a sophisticated Android malware first discovered by Check Point mobile threat researchers in 2017. This malware was previously seen in an adware campaign that infected 14 million Android devices.
• The T95 Android TV box was widely available through Amazon, AliExpress, and other big e-commerce platforms, highlighting the potential scale of the issue.
• In 2021, Malwarebytes discovered a pre-installed auto-installer threat on Android mobile devices in Germany.
• The auto-installer was found to be capable of installing additional apps without the user's consent, potentially leading to further security issues.
• This case underscored the importance of regular device updates and the use of reliable security software.
• In 2020, Malwarebytes reported a case where the UMX U683CL phone, offered through the Lifeline Assistance program, came with preinstalled malware.
• The malware was identified as HiddenAds, an adware that is known for displaying intrusive ads and potentially stealing user data.
• This case highlighted the risks associated with low-cost devices and the importance of rigorous security measures.
• In 2019, Google Project Zero researcher Maddie Stone revealed the existence of an SMS and ad fraud botnet called Chamois.
• This botnet has affected millions of devices, causing significant disruption and leading to a large-scale investigation.
• The Chamois botnet was unique in that it was not just preinstalled on devices but also capable of spreading to other devices.
• This case study serves as a reminder of the potential scale and impact of preinstalled malware.
• Low-cost Android devices have been repeatedly found to come with preinstalled malware.
• These devices, often manufactured in China, are particularly susceptible due to lax security measures and the use of third-party app stores.
• The malware found on these devices ranges from adware to more dangerous software capable of stealing personal data.
• This case highlights the risks associated with low-cost devices and the importance of purchasing from reputable manufacturers.
• In 2017, a significant incident was reported where multiple lines of Android devices were found to have preinstalled malware.
• The affected devices were from various manufacturers, highlighting the widespread nature of the issue.
• The malware in question was primarily adware, causing intrusive pop-up ads and significantly slowing down device performance.
• This incident led to increased scrutiny of Android device manufacturers and their security practices.
These case studies serve as a stark reminder of the potential risks of preinstalled malware on Android devices. They underscore the importance of vigilance, regular device updates, and the use of reliable security software.
The effect of having preinstalled malware on your mobile device can range from mildly annoying to severely damaging. At its least harmful, it can lead to a subpar user experience, with incessant ads and sluggish performance.
At its worst, it can result in significant security breaches, with personal data being stolen or devices becoming inoperable.
"The infection turns these devices into mobile proxies, tools for stealing and selling SMS messages, social media and online messaging accounts and monetization via advertisements and click fraud," said cybersecurity firm Trend Micro. This type of malware can lead to a significant loss of personal data and privacy.
Some malware infiltrates system apps, making them difficult to remove without compromising the device's functionality. This type of malware can lead to a significant decrease in device performance and user experience.
In 2019, Google Project Zero researcher Maddie Stone unveiled the existence of an SMS and ad fraud botnet called Chamois, which had affected millions of devices. This botnet was capable of generating ad fraud, installing background apps, downloading plugins, and even taking control of the device.
There is also some malware that allows the Android device to communicate with a “command & control center” server through a backdoor. This type of malware can lead to a significant security breach, with the potential for personal data to be stolen or the device to be controlled remotely.
According to Trend Micro, Lemon Group, a large cybercrime group (now rebranded under the name Durian Cloud SMS”), had previously claimed on its website that it had control of over close to nine million devices distributed across 180 nations.
The countries most notably affected include the United States, Mexico, Indonesia, Thailand, and Russia.
Identifying preinstalled malware can be tricky, especially since it often operates in the background without the user's knowledge. However, there are several signs and methods you can use to detect potential malware on your Android device:
The issue of preinstalled malware on Android TVs and phones is a serious one, affecting potentially millions of devices worldwide.
However, by understanding the risks, recognizing the signs of infection, and taking proactive steps to protect your devices, you can ensure a safe and enjoyable Android experience.
The Geonode team hopes that this article not only enlightens you about the potential risks but also empowers you to take control of your device's security.
For safe online browsing, Geonode offers high-quality mobile proxies for anonymous browsing, web access to geo-restricted content, and web scraping.
