Most internet civilians know the rules of digital sanitation: Have an anti-virus and don’t download anything suspicious. But Google researchers have revealed a threat that might upend how we think about cybersecurity: Instead of a user inadvertently downloading malicious code onto their device, sometimes, the malicious code comes pre-installed on the device itself.
In a talk called “Securing The System” at last week’s Black Hat cybersecurity conference, Google researcher Maddie Stone outlined how pre-installed applications are exploited to run malware without the user’s knowledge. This security vulnerability is especially acute for Android’s open-source operating system, which is a favorite for low-budget Android device-makers. Typically, an Android device has about 100-400 pre-installed applications (don’t confuse them with the other sense of the word apps—not all of them have icons on your home screen). Since these apps are pre-installed, anti-virus software does not detect them if they behave maliciously, and they can never be entirely deleted from the device, only deactivated.
Google found that preinstalled malware had affected more than 7.4 million Android devices.
According to Stone, the malware finds its way into devices when manufacturers cut corners and contract pre-installed application development out to third parties. Some of these third parties appear to offer genuine services but carry in their code either negligent security vulnerabilities or straight-up malware. One case study highlights Chamois, a botnet that posed variously as a “mobile payment solution” or an “advertising SDK [software development kit]” to manufacturers. In reality, Chamois used its users’ devices to commit a wide variety of scams, including costly premium SMS fraud.
Those who have pricey Android phones by Samsung or HTC probably don’t need to worry: One pre-installed malware family called Triada was found by the cybersecurity team at Dr. Web in 2017 on obscure shoestring-budget phones like “Leagoo M5 Plus, Leagoo M8, Nomu S10, and Nomu S20.”
Google was able to patch out the vulnerabilities they discovered, but the real threat is how little cybersecurity researchers have surveyed the pre-installed application space. Stone notes that the field needs more researchers and that there are “few publicly available resources on analyzing pre-installed apps.” Unlike with traditional methods of malware distribution, malicious actors only have to trick one company into installing their software, potentially compromising millions of devices right at the source.
See Stone and her team’s full deep dive here.