Get this: someone is slipping malware into Android devices while they’re still in the supply chain. Security firm Check Point found evidence that malware, adnets, spyware, and even ransomware were installed on some 36 Android devices before customers touched them. Devices from Samsung, LG, Xiaomi, ZTE, Lenovo, Asus, and Oppo were included in Check Point’s report.


TMO Reenactment™ of hacker installing Android malware on the assembly line

From that report (emphasis added):

The Check Point Mobile Threat Prevention has recently detected a severe infection in 36 Android devices, belonging to a large telecommunications company and a multinational technology company. While this is not unusual, one detail of the attacks stands out. In all instances, the malware was not downloaded to the device as a result of the users’ use, it arrived with it.

Android Malware

The firm also said the malware wasn’t part of the official ROM supplied by the manufacturer. Instead, the malware was “added somewhere along the supply chain.”

Worse, “Six of the malware instances were added by a malicious actor to the device’s ROM using system privileges, meaning they couldn’t be removed by the user and the device had to be re-flashed.”
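As an added defender-side example (not from the article or Check Point’s report): the check below parses the output of `adb shell pm list packages -f`, separates packages that live on firmware partitions, which a user cannot uninstall, from user-installed ones, and flags any firmware package that is missing from a baseline list of what the vendor’s clean image should contain. The sample output, the baseline and the package names are constructed for illustration.

```python
# Added example: triage a device's package list so that apps shipped on firmware
# partitions (which only a re-flash removes) can be compared against a baseline.
# Input is the format of `adb shell pm list packages -f`:
#   package:/system/app/Foo/Foo.apk=com.example.foo
import re
from typing import Dict, List, Set

# Partitions whose packages ship with the firmware; a user cannot remove them.
FIRMWARE_PARTITIONS = ("/system/", "/vendor/", "/product/", "/oem/", "/odm/")

LINE_RE = re.compile(r"^package:(?P<path>\S+?)=(?P<pkg>[\w.]+)$")


def parse_package_list(output: str) -> Dict[str, str]:
    """Map package name -> APK path from `pm list packages -f` output."""
    pkgs: Dict[str, str] = {}
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pkgs[m.group("pkg")] = m.group("path")
    return pkgs


def is_firmware_package(path: str) -> bool:
    """True if the APK sits on a partition that ships with the ROM."""
    return path.startswith(FIRMWARE_PARTITIONS)


def unexpected_firmware_packages(pkgs: Dict[str, str], baseline: Set[str]) -> List[str]:
    """Firmware-partition packages that the vendor's baseline image does not list."""
    return sorted(p for p, path in pkgs.items()
                  if is_firmware_package(path) and p not in baseline)


# Constructed sample output; package names are hypothetical placeholders.
SAMPLE = """\
package:/system/app/Bluetooth/Bluetooth.apk=com.android.bluetooth
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/app/SysHelper/SysHelper.apk=com.example.unexpected
package:/data/app/com.example.userapp-1/base.apk=com.example.userapp
"""
# Constructed baseline: what the vendor's clean image is expected to contain.
BASELINE = {"com.android.bluetooth", "com.android.settings"}

if __name__ == "__main__":
    found = parse_package_list(SAMPLE)
    for pkg in unexpected_firmware_packages(found, BASELINE):
        print(f"unexpected firmware package: {pkg} at {found[pkg]}")
```

A component that has already been planted with system privileges can hide from the package manager, so this is a first sanity check from the ADB shell, not a substitute for verifying the installed image against the vendor’s published one.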

Loki Malware on Android Devices

The most insidious example found by Check Point might be Loki Malware. This suite of bad software is built from multiple components, each with “its own functionality and role in achieving the malware’s malicious goal.”

Loki Malware steals your personal data and displays ads on your device to generate revenue for the criminal or governmental organization that installed it. It also inserts itself into the operating system “to take full control of the device and achieve persistency.”

Android Security Nightmare

Check Point’s report is an indictment of both Google’s Android operating system and the OEM business model. That malicious actors within the supply chain can install malware on devices during the manufacturing process is a nightmare. That Android can be so compromised at all should scare the pants off of any thinking individual.

You can find the full list of Android devices identified by Check Point in the company’s full report.


A hellstew indeed. Reminds me of all those cheap netbooks that were the rage at one time.

Andrew Orr

When I wrote for a different website in the past, I was sent a certain Android phone to review ( I won’t name the brand). After using it for a while I discovered it had been preinstalled with adware. It didn’t seem to be malicious, although it could very well have been phoning back home with my personal data. But it was extremely annoying, and a bad user experience (obviously). A frequent argument in the iOS vs. Android is how some people say that the closed nature of iOS is detrimental, but it prevents exactly these types of occurrences, where…


Platform is as platform does. Android’s seriousness (seriosity?) as a platform could certainly be measured by proliferation, regardless of its technical virtue. In my career bubble, everyone uses Apple and we do our best to advocate platform security. Nevertheless, the MASSES folks milling about are generally not inclined to fetishize IT in general, let alone Apple in particular. (I wear my personal iPhone in a special pouch in my loincloth, then I call myself repeatedly from my work iPhone to get through staff meetings.). But when it comes to judging people as “Aware” or “Informed” or “Thinking” or “Involved”, we…

The only way I could see this happening on iOS would be if the device was jailbroken at the factory and unsigned code installed from there. Jailbreak exploits aren’t too easy to come by these days, but not impossible by any means.

The upshot to this would be that the malware would only be able to run until the user performed their first software update, even if it’s just a minor point release. That would un-jailbreak the phone and the unsigned code wouldn’t be allowed to run any more.


Bryan: What! I can’t believe that you are using ‘Android’ and ‘malware’ in the same sentence – a platform, mind you, created with originality from the ground up by the good people at Google to save the planet from the evils of iOS domination. Sacrilege, I say. Next, you’ll be linking ‘Android’ and ‘fragmentation’ in the same breath, or worse, ‘Samsung’ and ‘bribery’. Libellous, I tell you. I’m calling ‘fake news’ on this one. @geoduck and @johnmartellaro: I was going to cite that same article that you cite, John. As I understand it, Boot ROM and iBoot ensures that the…

Lee Dronick

From a friend of mine. Do you have any suggestions for their question?

I have a Samsung Galaxy tablet and phone. I tried to verify the malware. What do you do? Does a security sweep detect malware?

John Kheit

And yet the pundits continue to act as if Android is a serious platform and competitor. Recommending an Android device to anyone having any business and/or sensitive data on the phone is basically pundit malpractice, yet basically all of them do it.

Coincidentally I have a pretty rowdy rant on this on last week’s episode of pop.0.

Episode 0 (at time marker 29:08… CAUTION FOUL LANGUAGE)

John Martellaro

geoduck: I don’t want to claim that it can’t be done, but I have read that Apple uses some very secure manufacturing techniques to make sure the cryptographically signed boot chain, ROM and Secure Enclave remain trustworthy. Some of the details are here, p 4-6.

I don’t recall seeing a full technical description of the technique Apple uses. It may be a trade secret. Apparently, it hasn’t been compromised.


Before we get too smug though, what is to stop this from happening to iPhones? They don’t know how it got in. It wasn’t in the original Android OS. It was added later, presumably at the factory. Aren’t these some of the same factories that Apple uses?

John Martellaro

I once asked a ski tech to tune my Volkl P9 ski edges to 0/0 degrees. (Experienced skiers will know what that means.) The tech said, “Scary, man, scary.”

This is scarier.