Someone Is Slipping Malware Into Android Devices in the Supply Chain

1 minute read | Editorial

Get this: someone is slipping malware into Android devices while they’re still in the supply chain. Security firm Check Point found evidence that malware, adnets, spyware, and even ransomware was installed on some 36 Android devices before customers touched them. Devices from Samsung, LG, Xiaomi, ZTE, Lenovo, Asus, and Oppo were included in Check Point’s report.

[Image: TMO Reenactment™ of hacker installing Android malware on the assembly line]

From that report (emphasis added):

The Check Point Mobile Threat Prevention has recently detected a severe infection in 36 Android devices, belonging to a large telecommunications company and a multinational technology company. While this is not unusual, one detail of the attacks stands out. In all instances, the malware was not downloaded to the device as a result of the users’ use, it arrived with it.

Android Malware

The firm also said the malware wasn’t part of the official ROM supplied by the manufacturer. Instead, the malware was “added somewhere along the supply chain.”

Worse, “Six of the malware instances were added by a malicious actor to the device’s ROM using system privileges, meaning they couldn’t be removed by the user and the device had to be re-flashed.”

Loki Malware on Android Devices

The most insidious example found by Check Point might be Loki Malware. This suite of bad software is built from multiple components, each with “its own functionality and role in achieving the malware’s malicious goal.”

Loki Malware steals your personal data and displays ads on your device to generate revenue for the criminal or governmental organization that installed it. It also inserts itself into the operating system “to take full control of the device and achieve persistency.”

Android Security Nightmare

Check Point’s report is an indictment of both Google’s Android operating system and the OEM business model. That malicious actors within the supply chain can install malware on devices during the manufacturing process is a nightmare. That Android can be so compromised at all should scare the pants off any thinking individual.

You can find the full list of Android devices identified by Check Point in the company’s full report.

11 Comments

  1. John Martellaro

    I once asked a ski tech to tune my Volkl P9 ski edges to 0/0 degrees. (Experienced skiers will know what that means.) The tech said, “Scary, man, scary.”

    This is scarier.

  2. geoduck

    Before we get too smug though, what is to stop this from happening to iPhones? They don’t know how it got in. It wasn’t in the original Android OS. It was added later, presumably at the factory. Aren’t these some of the same factories that Apple uses?

  3. John Martellaro

    geoduck: I don’t want to claim that it can’t be done, but I have read that Apple uses some very secure manufacturing techniques to make sure the cryptographically signed boot chain, ROM and Secure Enclave remain trustworthy. Some of the details are here, pp. 4-6.

    https://www.apple.com/business/docs/iOS_Security_Guide.pdf

    I don’t recall seeing a full technical description of the technique Apple uses. It may be a trade secret. Apparently, it hasn’t been compromised.

  4. John Kheit

    And yet the pundits continue to act as if Android is a serious platform and competitor. Recommending an Android device to anyone having any business and/or sensitive data on the phone is basically pundit malpractice, yet basically all of them do it.

    Coincidentally I have a pretty rowdy rant on this on last week’s episode of pop.0. https://www.youtube.com/channel/UC0me4kqCxS1V5HDd8AGM_NA

    Episode 0 (at time marker 29:08… CAUTION FOUL LANGUAGE)
    https://youtu.be/VEFdvgcudpE?t=1749

  5. Lee Dronick

    From a friend of mine. Do you have any suggestions for their question?

    I have a Samsung Galaxy tablet and phone. I tried to verify the malware. What do you do? Does a security sweep detect malware?

  6. wab95

    Bryan:

    What! I can’t believe that you are using ‘Android’ and ‘malware’ in the same sentence – a platform, mind you, created with originality from the ground up by the good people at Google to save the planet from the evils of iOS domination. Sacrilege, I say. Next, you’ll be linking ‘Android’ and ‘fragmentation’ in the same breath, or worse, ‘Samsung’ and ‘bribery’. Libellous, I tell you. I’m calling ‘fake news’ on this one.

    @geoduck and @johnmartellaro: I was going to cite that same article that you cite, John. As I understand it, Boot ROM and iBoot ensure that the boot loader and the iOS kernel are valid and signed by Apple, and they go on to say,

    For devices with an A7 or later A-series processor, the Secure Enclave coprocessor also utilizes a secure boot process that ensures its separate software is verified and signed by Apple.

    If one step of this boot process is unable to load or verify the next process, startup is stopped and the device displays the “Connect to iTunes” screen.

    And regarding apps,

    Once the iOS kernel has started, it controls which user processes and apps can be run. To ensure that all apps come from a known and approved source and have not been tampered with, iOS requires that all executable code be signed using an Apple-issued certificate.

    From my layman’s perspective, it seems that such an integrated approach, involving both software and hardware, would make it very difficult for a third party to simply slip some malware onto an iPhone somewhere along the supply chain. When it comes to state-sponsored infiltration, all bets are off, but it would probably require that level of resource to defeat this system. Even then, I don’t think that it would take long to discover the security breach.

    That Android can be so compromised at all should scare the pants off of any thinking individual.

    The operative word here is ‘thinking’, and speaks for itself, although I’d argue that there is one additional attribute. That one cannot find this story as a lead on any major news outlet (that I’ve seen) also underscores another qualifier, ‘informed’. Informed, thinking individuals would indeed be scared.

  7. Cory Imdieke

    The only way I could see this happening on iOS would be if the device was jailbroken at the factory and unsigned code installed from there. Jailbreak exploits aren’t too easy to come by these days, but not impossible by any means.

    The upshot to this would be that the malware would only be able to run until the user performed their first software update, even if it’s just a minor point release. That would un-jailbreak the phone and the unsigned code wouldn’t be allowed to run any more.

  8. ipaqrat

    Platform is as platform does. Android’s seriousness (seriosity?) as a platform could certainly be measured by proliferation, regardless of its technical virtue. In my career bubble, everyone uses Apple and we do our best to advocate platform security.

    Nevertheless, the MASSES folks milling about are generally not inclined to fetishize IT in general, let alone Apple in particular. (I wear my personal iPhone in a special pouch in my loincloth, then I call myself repeatedly from my work iPhone to get through staff meetings.)

    But when it comes to judging people as “Aware” or “Informed” or “Thinking” or “Involved”, we here in TMO have to remember that this is an echo chamber, a closed loop, except for the occasional trolls. We could all take The Long Walk into the Android Wastes to spread word about TPMs and PKI and block chains… The cannibals would have no frame of reference to understand any of it. And then they’d eat us.

    We’re already witnessing the next wave – IoT left insecure because proactivity would have layered on R&D and indemnification costs that cut profits and increased time to market. Implanted defibrillator anyone? Apple’s style of built in, on-by-default security that (mostly) just works is the only way these kids and their fancy phones will be safe from themselves. But kids don’t care about safety. Kids have less to lose. Kids instinctively rebel against walled-gardens.

    Youth is totally wasted on the young.

  9. Andrew Orr

    When I wrote for a different website in the past, I was sent a certain Android phone to review (I won’t name the brand). After using it for a while I discovered it had been preinstalled with adware. It didn’t seem to be malicious, although it could very well have been phoning back home with my personal data. But it was extremely annoying, and a bad user experience (obviously).

    A frequent argument in the iOS vs. Android debate is how some people say that the closed nature of iOS is detrimental, but it prevents exactly these types of occurrences, where every manufacturer wants to add their own bloated skins and malware/adware into the operating system.
