Nearly 40 Android devices have been discovered with malware preloaded onto them. Check Point discovered that the 36 Android devices had not been infected by a user accidentally downloading a virus, but had been received with the malware already installed.
The devices were mostly of Samsung Galaxy models as well as Lenovo, Xiaomi and Asus products. The malware itself mostly consisted of info stealers and advertising malware. Notable discoveries were the presence of Slocker mobile ransomware and Loki advertising malware which makes money by not only displaying illicit adverts but stealing data too. Six of the devices' ROMs had been infected using system privileges, meaning that devices had to be reflashed in order to be purged of the infection.
On their way down the supply chain to two unnamed recipients - a “large telecommunications company” and a “multinational technology company” - the devices had been infected. The researchers noted that,”the discovery of the pre-installed malware raises some alarming issues regarding mobile security. Users could receive devices which contain backdoors or are rooted without their knowledge.”
Supply chains are so often the cause of large organisations' security woes. One organisation can take account for its own perimeter, but that becomes a harder task when thinking about the security of business associates. If an adversary wants to breach a well secured organisation, then all they have to do is attack one of their associates and get in through there. Plenty of organisations have fallen victim to just such a circumstance. The retail giant Target, is believed to have been exploited in just such a way in 2013. The supplier of the company's HVAC systems was hacked into late in that year, in order to access the company. The breach ended up costing the company US$61 million (£50 million) according to its financial report.
Morey J. Haber, vice president of technology, office of the CTO, BeyondTrust wants to know where these two “recipients” are based. He told SC: “I could expect potentially faulty supply chains in parts of Asia but if this occurred in EMEA or US, I would expect full disclosure and a full regulatory investigation.”
“This problem is not new; however, the quantity and source of these infections is now in question and raises the concern that devices with malware could be sold or distributed to other nations in the supply chain too.”
With the advent of the EU's General Data Protection Regulation (GDPR), organisations will be made responsible for their supply chains if they want to avoid the precipitously high fines. Infringement may cost non-compliant firms up to four percent of worldwide turnover or €20 million (£17,500,00).
This kind of problem is “baked into the way Android works”, Ryan Kalember SVP of cyber-security at Proofpoint told SC Media UK.
“As long as Android remains open source and they let the carriers do what they want and they let the ecosystem do what (it) wants, it's not possible to reduce the risk of this to zero.”
Apple, added Kalember, has more control of its OS and while not completely free of the same danger are better placed to do something about it. While Google, which owns Android, could do something about it, “that is also counter to the spirit of Android. People like modding it and that's a big part of its appeal. In a lot of ways that is a feature and not a bug.”
Google did not respond for comment in time for publication.