Enterprises Infected By Pre-installed Android Malware

14.3.2017 securityweek Android
Android devices containing pre-installed malware were recently discovered on 38 mobile devices belonging to two large companies, according to security firm Check Point.

A new report from Check Point reveals that a variety of malware, mostly comprised of info-stealers and sketchy ad networks, though a mobile ransomware family was also discovered among them. What’s also interesting, is that the malware was present on the infected devices before the users received them, although it wasn’t part of the official ROM the vendors supplied.

The security company says that the malicious applications were “added somewhere along the supply chain.” Six of the malware instances, Check Point discovered, were added by a malicious actor using system privileges, meaning that the users had no means to remove the malware unless they re-flashed the ROM.

One of the malicious APKs, com.google.googlesearch, was an adnet present on 6 devices. Another one was the Slocker mobile ransomware, which uses AES encryption to encrypt all files on the device. The malware uses Tor for its command and control (C&C) communications.

The most notable of the threats, however, was the Loki info-stealer and rough adnet, found on devices as the com.androidhelper.sdk APK. The malware, Check Point says, uses several different components, each with its own functionality and role. Loki’s malicious goal, in addition to displaying illegitimate advertisements to generate revenue, is to steal data about the device, while installing itself to the system partition to achieve persistence and take full control of the device.

The infected devices include: Galaxy Note 2, Galaxy Note 3, Galaxy Note 4, Galaxy Note 5, Galaxy Note Edge, Galaxy Note 8.0, Galaxy S7, Galaxy S4, Galaxy A5, Galaxy Tab S2, Galaxy Tab 2, LG G4, ZTE x500, vivo X6 plus, Asus Zenfone 2, Oppo N3, Oppo R7 plus, Xiaomi Mi 4i, Xiaomi Redmi, Lenovo S90, Lenovo A850, Nexus 5, and Nexus 5X.

What the security researchers didn’t reveal was whether the infection was part of a targeted attack against the two affected companies, a large telecommunications company and a multinational technology company.

“Pre-installed malware compromise the security even of the most careful users. In addition, a user who receives a device already containing malware will not be able to notice any change in the device’s activity which often occur once a malware is installed,” Oren Koriat, Check Point Mobile Research Team, says.

Pre-installed malware on mobile devices isn’t new, though it was clear who was to blame for it in previous incidents. In November last year, researchers discovered that the Firmware Over The Air (FOTA) update software system managed by China-based ADUPS performed backdoor activities by collecting information about the devices it was present on. The company said the backdoor was used to im prove user experience.

Also in November 2016, the OTA update mechanism provided by another Chinese company, Ragentek Group, was revealed to expose nearly 3 million devices to Man-in-the-Middle (MitM) attacks and to allow adversaries to execute arbitrary commands with root privileges.