According to a newly published report on mobile malware from researchers at G Data, "well over 26" smartphones have been discovered shipping complete with pre-installed malware in the device firmware.
Earlier this year the same company revealed the presence of adware on Android devices, along with 'potentially unwanted programs' or PUPs. Now it says that monitoring applications – aka spyware – to collect data without the smartphone owner realising, along with other malware, is also becoming a problem on certain Chinese handsets.
The shipping of mobile devices with pre-installed malware is nothing new, certainly not to me. Some eight years ago I won an award for my investigation and subsequent breaking of a news story involving TomTom GO 910 satnav units that came with a bunch of Trojans right out of the box.
Back then, although never actually confirmed, it appeared that the malware was most likely introduced through the quality assurance process ironically enough – random units taken off the production line and plugged into an infected computer for testing.
This was what you might call an accidental infection.
According to the G Data researchers, there is unlikely to have been anything accidental about the malware it discovered pre-installed on at least 26 different smartphones from manufacturers including Huawei, Lenovo and Xiaomi.
Which isn't to say the security firm thinks that the manufacturers are the perpetrators here, far from it. In fact, G Data reckons it is down to 'middlemen' in the distribution chain who are looking to add to their revenue by making "additional financial gains from stolen user data and enforced advertising".
G Data admits that it's not always obvious – given that legitimate apps often request permissions that go beyond the accepted usual activity of the product – when something is malware or not. These are often referred to as PUPs for this very reason. However, the researchers also point out that monitoring malware that can hide itself, by coming already pre-installed, so avoiding any opportunity for the owner to review these permissions during installation, is an altogether different proposition.
Among the spyware apps that G Data discovered being used for nefarious purposes out of the box was one pretending to be the Google Drive app but actually identified by researchers as Android.Monitor.Gsyn.B which contains no functionality other than the ability to monitor and steal a wide range of data without the user knowing. It can, they say, listen in to telephone conversations, copy contacts, ask for location data, record audio with the microphone, disable AV software and read the device browser history. All highly useful resources for a would-be data thief.
Then there was malware hidden in totally legit apps that have been manipulated to contain the malware code as an add-on alongside the expected functions. These will most often run quietly in the background, causing no suspicion to the user.
Facebook was one such app that had been hijacked by the bad guys, infected with the Android.Trojan.Andup.D malware that could do pretty much everything that the previous spyware example did along with sending premium SMS for profit and the potential for committing bank fraud.
So just how big a problem is the introduction of malware via the supply chain, in the smartphone market specifically and within IT hardware generally?