Google's security research team is warning the public about the dangers of boxed Android devices coming with preinstalled malware programs.
At the Black Hat conference on Thursday, Project Zero researcher Maddie Stone discussed her team's findings regarding the prevalence of harmful apps on consumer devices.
The group found that more than 7.4 million Android gadgets contained preinstalled malware capable of automatically downloading other malicious apps in the background. These programs are then used by criminals to commit ad fraud.
Stone said attackers often mislead consumers by providing legitimate services upfront, but they then hide malware in the apps that they offer.
Hidden Threat Of Preinstalled Malware
The threat of preinstalled malware might not be such a big problem for bigger Android partners such as Samsung or LG. However, that might not be the case for smaller companies that offer budget smartphones. These manufacturers tend to rely on unproven third-party software to help lower production costs, which often leaves their products more vulnerable to cybersecurity attacks.
One program that is most at risk of malware attacks is the Android Open Source Project (AOSP), which is considered the more affordable version of the Android operating system.
Stone said criminals take advantage of the supply chain to launch their attack. Instead of having to convince thousands of users to download their malicious apps, attackers only need to convince one smartphone maker to include the malware in its product offering.
The Google team did not mention the specific brands of smartphones that contain preinstalled malware. However, the researchers found that more than 200 manufacturers failed their testing. These companies offered products that were vulnerable to a remote malware attack.
Stone and her colleagues discovered two major malware campaigns linked to preinstalled apps over the past three years. These are Chamois and Triada.
Chamois has been involved in various forms of ad fraud. It is known to automatically install background apps, download plugins, or send text messages to other potential victims. Meanwhile, Triada is an earlier version of malware known to display fraudulent ads and install other malicious apps.
Both programs infected millions of low-budget Android devices even before they were shipped out to stores, according to the researchers.
Lack Of Vigilance
Stone pointed out that security researchers might not be paying enough attention to the dangers of preinstalled apps. Many of them are preoccupied with the threat of malware that consumers download on their own. She said malicious programs that come preinstalled on devices are more difficult to find and get rid of than these downloaded apps.
"If malware or security issues come as preinstalled apps, then the damage it can do is greater," Stone warned. "[T]hat's why we need so much reviewing, auditing and analysis."
Google is helping smartphone makers root out the problem of preinstalled malware. Stone said they were able to reduce the number of Chamois-infected devices from 7.4 million to 700,000 between March 2018 and March 2019.
Preinstalled malware is an issue that only Google and device manufacturers can address. However, consumers are still advised to take all necessary precautions when downloading apps from the Google Play Store. If a program comes from an unknown source, it would be best to avoid installing it outright.