Malware found pre-installed on some Android devices

More than three dozen Android devices have been found to contain 21 different types of malware, including Loki, that came pre-installed in the phone's read-only memory (ROM).

The discovery was made by Check Point's Mobile Threat Prevention unit, according to company researcher Oren Koriat. The unit found 38 devices belonging to two unnamed large technology companies infected with an ad server, an info stealer and, most dangerously, a variant of the Loki malware seen in a past campaign. Loki proceeds in a variety of ways for a number of malicious purposes, ultimately displaying illegitimate ads that generate revenue. Loki is also capable of siphoning out data about the device and installing itself to the system, which enables it to gain control of the device. Slocker ransomware has also been found.

In all cases the malicious software was not installed as part of the official ROM supplied by the vendor, but was added at some other point in the supply chain.

“Six of the malware instances were added by a malicious actor to the device's ROM using system privileges, meaning they couldn't be removed by the user and the device had to be re-flashed,” Koriat said.

The device types involved are:

  • Samsung Galaxy Note 2, 3, 4, 5 and Edge
  • Samsung Galaxy S2 and S4
  • Samsung Galaxy Tab 2 and S2
  • Samsung Galaxy A5
  • Lenovo S90 and A850
  • Xiaomi Redmi and M4i
  • Asus Zenfone 2
  • Oppo N3 and R7 plus
  • ZTE X500
  • LG G4
  • Nexus

This is the second time in a week that pre-installed malware has been discovered impacting Android. Last week Palo Alto Networks found 132 Android apps on Google Play whose HTML code was injected with hidden, malicious iframes, likely due to malware infecting a development platform used by the apps' creators.

“The discovery of the pre-installed malware raises some alarming issues regarding mobile security. Users could receive devices which contain backdoors or are rooted without their knowledge. To protect themselves from regular and pre-installed malware, users should implement advanced security measures capable of identifying and blocking any abnormality in the device's behavior,” Koriat said.