In general, Android devices have gained a mixed reputation in terms of security. While the operating system itself and Google’s Pixels have stood up over the years against software exploits, the endless stream of malicious apps in Google Play and vulnerable hardware from some third-party manufacturers have tarnished its image.
On Thursday, that picture was further tarnished after two reports said multiple lines of Android devices came with pre-installed malware that couldn’t be removed without users taking heroic action.
The first report came from security firm Trend Micro. Researchers following a presentation given at the Black Hat security conference in Singapore report that as many as 8.9 million phones from up to 50 different brands are infected with malware. Guerrilla, as the malware is called, was first documented by researchers from the security company Sophos, who found it in 15 malicious apps that Google had let into the Play Store.
Guerrilla opens a backdoor that causes infected devices to regularly contact a command-and-control (C&C) server to check whether there are new malicious updates to install. These updates collect data about users that the threat actor, which Trend Micro calls the Lemon Group, can sell to advertisers. Guerrilla then surreptitiously installs aggressive ad platforms that can drain the battery and degrade the user experience.
Trend Micro researchers wrote:
While we have identified a number of works that Lemon Group does for big data, marketing and advertising companies, the main work involves the use of big data: analyzing huge amounts of data and the characteristics corresponding to manufacturers' shipments, different advertising content obtained from different users at different times, and hardware data with detailed software push. This allows Lemon Group to monitor which customers could be infected with other apps to build on, such as focusing on showing ads only to app users from certain regions.
The country with the highest concentration of infected phones was the United States, followed by Mexico, Indonesia, Thailand and Russia.
Guerrilla is a massive platform with nearly a dozen plugins that can hijack users’ WhatsApp sessions to send spam, create a reverse proxy from an infected phone to use the affected mobile device’s network resources, and inject ads into legitimate apps.
Unfortunately, Trend Micro did not identify the affected brands, and company representatives did not respond to an email requesting them.
The second report was published by TechCrunch. It detailed several lines of Android TV boxes sold through Amazon that come packed with malware. The TV boxes, which are said to be T95 models built on the H616 chip, report to a command-and-control server that, just like Guerrilla's servers, can install any application the malware creators want. The malware pre-installed on the boxes by default is a clickbot, which generates advertising revenue by surreptitiously clicking on ads in the background.
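Both the Guerrilla backdoor and the TV-box clickbot described above periodically check in with a command-and-control server. The following is an added example, not code from Trend Micro, TechCrunch or the article, showing one way a defender can spot such regular check-ins from a suspect device in router or firewall flow logs: it groups connections by source and destination and flags pairs whose connection intervals are nearly constant. The log format, IP address and host names are constructed for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample of flow-log lines in the form
# "<ISO timestamp> <source IP> <destination host>" (not real traffic).
SAMPLE_FLOWS = """\
2023-05-18T10:00:00 192.168.1.42 update.example-box.invalid
2023-05-18T10:00:03 192.168.1.42 cdn.video-site.example
2023-05-18T10:10:00 192.168.1.42 update.example-box.invalid
2023-05-18T10:11:40 192.168.1.42 cdn.video-site.example
2023-05-18T10:20:01 192.168.1.42 update.example-box.invalid
2023-05-18T10:12:05 192.168.1.42 cdn.video-site.example
2023-05-18T10:30:00 192.168.1.42 update.example-box.invalid
2023-05-18T10:40:00 192.168.1.42 update.example-box.invalid
2023-05-18T10:49:59 192.168.1.42 update.example-box.invalid
2023-05-18T10:55:12 192.168.1.42 cdn.video-site.example
2023-05-18T10:58:30 192.168.1.42 cdn.video-site.example
2023-05-18T11:00:00 192.168.1.42 update.example-box.invalid
"""

def parse_flows(text):
    """Return a list of (timestamp, src, dst) tuples from the format above."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst = line.split()
            flows.append((datetime.fromisoformat(ts), src, dst))
    return flows

def find_beacons(flows, min_connections=5, max_cv=0.2):
    """Return {(src, dst): (count, mean_interval_s, cv)} for pairs whose
    connection intervals are nearly constant. cv is the coefficient of
    variation of the gaps (0.0 means a perfectly regular interval); human
    browsing to a CDN is bursty and gets a high cv, a timer-driven C&C
    check-in gets a low one."""
    by_pair = defaultdict(list)
    for ts, src, dst in flows:
        by_pair[(src, dst)].append(ts)
    suspicious = {}
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            suspicious[pair] = (len(times), round(mean), round(statistics.pstdev(gaps) / mean, 3))
    return suspicious

if __name__ == "__main__":
    for pair, stats in find_beacons(parse_flows(SAMPLE_FLOWS)).items():
        print("regular check-ins:", pair, stats)
```

The thresholds are a starting point; on a real network the same pair-wise interval statistics can be run over a day of flow records, with known update hosts allowlisted.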
TechCrunch cited reports (here and here) by Daniel Milisic, a researcher who purchased one of the infected boxes. Milisic's findings were independently confirmed by Bill Budington, a researcher with the Electronic Frontier Foundation.
Unfortunately, Android devices that come with malware straight out of the box are nothing new. Ars has reported such incidents at least five times in recent years (here, here, here, here, here). All affected models were budget devices.
People shopping for an Android phone should stick to well-known brands such as Samsung, Asus, or OnePlus, which generally have more reliable quality assurance controls over the devices they ship. So far, there have been no reports of high-end Android devices coming with malware pre-installed. Similarly, there are no such reports for iPhones.
Source: Ars Technica. Millions of Android TVs and phones possibly have malware pre-installed.