Exposed: Google’s Invisible War: The Malware Epidemic of 2023!

Preinstalled malware on Android devices: a silent but deadly reality. In 2023, millions face potential threats from this insidious software. Learn to identify and combat these covert dangers.

by Maricor Bunal

May 22, 2023

Android devices, renowned for their versatility and user-friendly nature, have recently been scrutinized for a less desirable feature - preinstalled malware.

This article delves into the alarming reality of millions of Android TVs and phones potentially coming with malware preinstalled, shedding light on the risks involved, how to identify such threats, and the steps you can take to secure your devices.

What is preinstalled malware?

Preinstalled malware, as the name suggests, is malicious software that comes installed on a device right out of the box. This type of malware is particularly insidious because it bypasses the usual download and installation process that typically triggers security software. In the case of Android TVs and phones, this malware can range from ad click bots to more dangerous software that can steal personal information or even take control of your device.

Recent reports suggest that potentially millions of Android TVs and phones come with malware preinstalled. According to a study by cybersecurity firm Trend Micro, as many as 8.9 million phones and an unspecified number of Android TVs could be affected. This alarming figure highlights the scale of the problem and the potential risks to unsuspecting users.

How does malware get preinstalled?

One might wonder how malware ends up preinstalled on a device. Here are some of the most likely scenarios to understand this.

  1. Third-Party Involvement - According to a report by cybersecurity firm Trend Micro, the installation of malware on Android devices can occur when Android device manufacturers hire third parties to enhance standard system images. These third parties may have malicious intent or inadequate security measures, leading to the installation of malware.
  2. Compromised Security Measures - In some cases, the security measures at the factory level may be compromised, allowing malware to be installed on the devices. This could be due to a lack of proper security protocols or the use of outdated or insecure software.
  3. Unscrupulous Manufacturers - Some manufacturers may intentionally install malware on their devices to make a quick profit. This malware often generates revenue through ad clicks or data theft.
  4. Low-Cost Devices - Low-cost Android devices seem to be particularly susceptible to preinstalled malware. These devices often have lax security measures and use third-party app stores, which are more likely to host malicious apps.
  5. Preinstalled Apps - Some malware may come preinstalled in the form of seemingly legitimate apps. These apps often have excessive permissions and can perform various malicious activities, from displaying intrusive ads to stealing personal data.

2023: Reports on Preinstalled Malware on “Innocent” Apps

According to a report by Bleeping Computer, cybercriminals are known to charge up to $5000 to add malware to an app on Google Play. This indicates that the preinstallation of malware can be a lucrative business for cybercriminals, further emphasizing the need for stringent security measures.

Dr. Web's January 2023 review of virus activity on mobile devices highlighted an increase in adware trojan activity with the Android.HiddenAds trojan family being particularly prevalent. These trojans are often distributed as popular and harmless applications, but once installed, they can display intrusive ads and significantly slow down device performance.

A Malwarebytes report also pointed out that malware is a much bigger threat to Android devices than it is to iOS devices. Malware on Android devices comes in many forms, including adware, ransomware, and trojans disguised as innocent apps. These malicious apps can steal personal and financial data and establish a permanent gateway into a smartphone, posing a significant threat to businesses.

These reports underscore the fact that preinstalled malware is a serious issue that needs to be addressed. It's not just about the device you buy; it's also about the apps you install and the security measures you take to protect your device.

Here are some of the apps impacted by the April 2023 Goldoson malware (here’s the full list):

L.POINT with L.PAY - 10 million downloads

Swipe Brick Breaker - 10 million downloads

Money Manager Expense & Budget - 10 million downloads

GOM Player - 5 million downloads

LIVE Score, Real-Time Score - 5 million downloads

Pikicast - 5 million downloads

Compass 9: Smart Compass - 1 million downloads

GOM Audio - Music, Sync lyrics - 1 million downloads

LOTTE WORLD Magicpass - 1 million downloads

Bounce Brick Breaker - 1 million downloads

Infinite Slice - 1 million downloads

SomNote - Beautiful note app - 1 million downloads

Korea Subway Info: Metroid - 1 million downloads

Here’s what a Google spokesperson says about malware on Google Play apps: [image: Google Play policy]

Case Studies

The issue of preinstalled malware on Android devices is not new. Over the years, there have been several high-profile cases that have brought this issue to light. Here are some notable examples:

2023: Android TV Streaming Gadgets

• In May 2023, another notable case involved popular Android TV streaming gadgets based on chipsets manufactured in China.

• These devices reportedly arrived with malware preinstalled, causing significant performance issues and security concerns.

• The malware was found to be capable of stealing personal information and even taking control of the device.

• This case underscored the need for rigorous security measures, even in seemingly harmless devices like TV streaming gadgets.

2022: T95 Android TV Box Malware Incident

• In 2022, a Canadian systems security consultant discovered that a T95 Android TV box purchased from Amazon was pre-loaded with persistent, sophisticated malware baked into its firmware.

• The malware was found to be similar to 'CopyCat,' a sophisticated Android malware first discovered by Check Point mobile threat researchers in 2017. This malware was previously seen in an adware campaign that infected 14 million Android devices.

• The T95 Android TV box was widely available through Amazon, AliExpress, and other big e-commerce platforms, highlighting the potential scale of the issue.

2021: German Android Mobile Devices Incident

• In 2021, Malwarebytes discovered a pre-installed auto-installer threat on Android mobile devices in Germany.

• The auto-installer was found to be capable of installing additional apps without the user's consent, potentially leading to further security issues.

• This case underscored the importance of regular device updates and the use of reliable security software.

2020: UMX U683CL Phone Malware Incident

• In 2020, Malwarebytes reported a case where the UMX U683CL phone, offered through the Lifeline Assistance program, came with preinstalled malware.

• The malware was identified as HiddenAds, an adware that is known for displaying intrusive ads and potentially stealing user data.

• This case highlighted the risks associated with low-cost devices and the importance of rigorous security measures.

2019: Chamois Botnet

• In 2019, Google Project Zero researcher Maddie Stone revealed the existence of an SMS and ad fraud botnet called Chamois.

• This botnet has affected millions of devices, causing significant disruption and leading to a large-scale investigation.

• The Chamois botnet was unique in that it was not just preinstalled on devices but also capable of spreading to other devices.

• This case study serves as a reminder of the potential scale and impact of preinstalled malware.

2018: Low-Cost Android Smartphones

• Low-cost Android devices have been repeatedly found to come with preinstalled malware.

• These devices, often manufactured in China, are particularly susceptible due to lax security measures and the use of third-party app stores.

• The malware found on these devices ranges from adware to more dangerous software capable of stealing personal data.

• This case highlights the risks associated with low-cost devices and the importance of purchasing from reputable manufacturers.

2017: Android Malware Outbreak

• In 2017, a significant incident was reported where multiple lines of Android devices were found to have preinstalled malware.

• The affected devices were from various manufacturers, highlighting the widespread nature of the issue.

• The malware in question was primarily adware, causing intrusive pop-up ads and significantly slowing down device performance.

• This incident led to increased scrutiny of Android device manufacturers and their security practices.

These case studies serve as a stark reminder of the potential risks of preinstalled malware on Android devices. They underscore the importance of vigilance, regular device updates, and the use of reliable security software.

What happens when your mobile device has malware?

The effect of having preinstalled malware on your mobile device can range from mildly annoying to severely damaging. At its least harmful, it can lead to a subpar user experience, with incessant ads and sluggish performance.

At its worst, it can result in significant security breaches, with personal data being stolen or devices becoming inoperable.

"The infection turns these devices into mobile proxies, tools for stealing and selling SMS messages, social media and online messaging accounts and monetization via advertisements and click fraud," said cybersecurity firm Trend Micro. This type of malware can lead to a significant loss of personal data and privacy.

Some malware infiltrates system apps, making them difficult to remove without compromising the device's functionality. This type of malware can lead to a significant decrease in device performance and user experience.

In 2019, Google Project Zero researcher Maddie Stone unveiled the existence of an SMS and ad fraud botnet called Chamois, which had affected millions of devices. This botnet was capable of generating ad fraud, installing background apps, downloading plugins, and even taking control of the device.

There is also some malware that allows the Android device to communicate with a “command & control center” server through a backdoor. This type of malware can lead to a significant security breach, with the potential for personal data to be stolen or the device to be controlled remotely.

A look at the worldwide impact of the recent May 2023 malware

According to Trend Micro, Lemon Group, a large cybercrime group (now rebranded under the name “Durian Cloud SMS”), had previously claimed on its website that it had control of close to nine million devices distributed across 180 nations.

The countries most notably affected include the United States, Mexico, Indonesia, Thailand, and Russia. [image: Infected Devices]

How to spot preinstalled malware?

Identifying preinstalled malware can be tricky, especially since it often operates in the background without the user's knowledge. However, there are several signs and methods you can use to detect potential malware on your Android device:

  1. Excessive Battery Drain - Malware often uses a significant amount of battery power, leading to faster than normal battery drain.
  2. Unexpected Data Usage - If you notice a sudden spike in data usage, it could be a sign of malware operating in the background.
  3. Frequent, Unexplained Pop-Up Ads - Frequent pop-up ads that appear without any clear source can be a sign of adware, a type of malware.
  4. Use of Security Apps - Security apps like Malwarebytes, Norton, Lookout, or Bitdefender can scan your device for viruses and malware.
  5. Setting Up a Proxy to View Network Traffic - This method can help detect if your Android device is communicating with suspicious servers, a potential sign of malware.
  6. Checking Device Performance - If your device runs slower than usual or experiences frequent crashes, it could be due to malware.
  7. Using Built-In Security Features - Some Android devices have built-in security features that can help detect malware. For example, Samsung's Smart Manager application can check for malware or viruses.
  8. Checking Installed Apps - Check your installed apps for anything you don't recognize. Malware often disguises itself as a legitimate app.
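
One way to make the "Checking Installed Apps" step systematic, as an added example that is not part of the original article: the Python below reads saved output of `adb shell pm list packages -f` and `adb shell dumpsys package <name>` and lists apps that live on a firmware partition and request SMS or app-install permissions. The package names and sample text are constructed, and the permission selection and the `expected` allowlist parameter are assumptions of this example.

```python
# SMS-theft and silent-install permissions; the selection is this example's assumption.
RISKY = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
         "android.permission.SEND_SMS", "android.permission.INSTALL_PACKAGES",
         "android.permission.REQUEST_INSTALL_PACKAGES"}
# Partitions that only a firmware image can populate.
FIRMWARE = ("/system/", "/system_ext/", "/vendor/", "/product/", "/odm/")

def parse_package_list(text):
    """`adb shell pm list packages -f` output -> {package: apk_path}."""
    packages = {}
    for line in text.splitlines():
        if line.startswith("package:"):
            # Paths under /data/app may contain '=', so split on the last one.
            path, _, name = line[len("package:"):].strip().rpartition("=")
            if path and name:
                packages[name] = path
    return packages

def requested_permissions(dumpsys_text):
    """Names listed under 'requested permissions:' in `dumpsys package <pkg>`."""
    perms, in_block = set(), False
    for line in dumpsys_text.splitlines():
        item = line.strip()
        if in_block:
            if not item or item.endswith(":"):  # blank line or next section header
                break
            perms.add(item.split(":")[0])       # drop suffixes like ": restricted=true"
        in_block = in_block or item == "requested permissions:"
    return perms

def audit(package_list, dumpsys_by_package, expected=frozenset()):
    """{package: risky perms} for firmware-partition apps not in `expected`."""
    findings = {}
    for name, path in parse_package_list(package_list).items():
        if path.startswith(FIRMWARE) and name not in expected:
            hits = RISKY & requested_permissions(dumpsys_by_package.get(name, ""))
            if hits:
                findings[name] = sorted(hits)
    return findings
# Constructed sample output; every package name here is hypothetical.
SAMPLE_LIST = """package:/system/priv-app/Updater/Updater.apk=com.example.updater
package:/system/app/Clock/Clock.apk=com.example.clock
package:/data/app/~~Qx1==/com.example.sms-Zz9==/base.apk=com.example.sms"""
SAMPLE_DUMPSYS = {
    "com.example.updater": "  requested permissions:\n    android.permission.INSTALL_PACKAGES\n"
        "    android.permission.READ_SMS: restricted=true\n  install permissions:\n",
    "com.example.sms": "  requested permissions:\n    android.permission.READ_SMS\n",
}
print(audit(SAMPLE_LIST, SAMPLE_DUMPSYS))
```

A flagged package is a candidate for review, not a verdict: the stock messaging app and the vendor's updater legitimately hold these permissions, which is what the `expected` allowlist is for.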


The issue of preinstalled malware on Android TVs and phones is a serious one, affecting potentially millions of devices worldwide.

However, by understanding the risks, recognizing the signs of infection, and taking proactive steps to protect your devices, you can ensure a safe and enjoyable Android experience.

The Geonode team hopes that this article not only enlightens you about the potential risks but also empowers you to take control of your device's security.

For safe online browsing, Geonode offers high-quality mobile proxies for anonymous browsing, web access to geo-restricted content, and web scraping.