A test of Android devices used in two unnamed companies revealed that 38 of them were infected with malware before being delivered to the employees.
These were smartphones by Samsung, ZTE, Oppo, Asus, Lenovo, and Xiaomi, but the manufacturers are not to blame for the malware.
Check Point’s research team was able to determine when the manufacturer finished installing the system applications on the device, when the malware was installed, and when the user first received the device.
They concluded that the malware were added somewhere along the supply chain, but could obviously not pinpoint when it happened. They also did not name the organizations to which the devices belonged – they just noted that it was “a large telecommunications company and a multinational technology company.”
What kind of malware are we talking about?
Among the found malware was the Slocker ransomware and the Loki malware, which collects information about the device and displays illegitimate advertisements to generate revenue.
“Six of the malware instances were added by a malicious actor to the device’s ROM using system privileges, meaning they couldn’t be removed by the user and the device had to be re-flashed,” Check Point researchers noted.
“Pre-installed malware compromise the security even of the most careful users. In addition, a user who receives a device already containing malware will not be able to notice any change in the device’s activity which often occur once a malware is installed,” they added.
They advised users to deploy security apps on newly acquired or received devices and to check for presence of malware before they start using them. Once that’s out of the way, users should to be careful about the apps they themselves download and install on their devices.
The list of the malicious APK packages found during this testing can be found here.