Get this: someone is slipping malware into Android devices while they’re still in the supply chain. Security firm Check Point found evidence that malware, adnets, spyware, and even ransomware were installed on some 36 Android devices before customers touched them. Devices from Samsung, LG, Xiaomi, ZTE, Lenovo, Asus, and Oppo were included in Check Point’s report.
From that report (emphasis added):
The Check Point Mobile Threat Prevention has recently detected a severe infection in 36 Android devices, belonging to a large telecommunications company and a multinational technology company. While this is not unusual, one detail of the attacks stands out. In all instances, the malware was not downloaded to the device as a result of the users’ use, it arrived with it.
The firm also said the malware wasn’t part of the official ROM supplied by the manufacturer. Instead, the malware was “added somewhere along the supply chain.”
Worse, “Six of the malware instances were added by a malicious actor to the device’s ROM using system privileges, meaning they couldn’t be removed by the user and the device had to be re-flashed.”
Loki Malware on Android Devices
The most insidious example found by Check Point might be Loki Malware. This suite of bad software is built from multiple components, each with “its own functionality and role in achieving the malware’s malicious goal.”
Loki Malware steals your personal data and displays ads on your device to generate revenue for the criminal or governmental organization that installed it. It also inserts itself into the operating system “to take full control of the device and achieve persistency.”
Android Security Nightmare
Check Point’s report is an indictment of both Google’s Android operating system and the OEM business model. That malicious actors within the supply chain can install malware on devices during the manufacturing process is a nightmare. That Android can be so compromised at all should scare the pants off of any thinking individual.
You can find the full list of Android devices identified by Check Point in the company’s full report.