Android devices have long had a mixed reputation for security. While the operating system itself and Google's Pixel phones have generally held up well against software exploits over the years, a steady stream of malicious apps in Google Play and vulnerabilities in devices from some third-party manufacturers have cast a shadow over that reputation.
That perception took another hit on a recent Thursday, when two separate reports described preinstalled malware on several lines of Android devices, malware that is hard to remove without extensive user intervention.
The first report came from the security firm Trend Micro. Following up on a presentation at the Black Hat security conference in Singapore, its researchers reported that as many as 8.9 million smartphones from roughly 50 brands were infected with malware dubbed "Guerrilla," which Sophos researchers had earlier found in 15 malicious apps in Google Play.
Guerrilla installs a backdoor that periodically contacts a remote command-and-control server to check for new malicious updates to install. Those updates collect user data, which the threat actor, which Trend Micro calls the Lemon Group, can sell to advertisers. Guerrilla also silently installs aggressive ad platforms that drain the battery and degrade the overall user experience.
Notably, Guerrilla comprises nearly a dozen plugins that let it hijack users' WhatsApp sessions, send unwanted messages, turn infected phones into reverse proxies so the operators can use the devices' network connections, and inject ads into legitimate apps. Trend Micro did not name the affected brands, and inquiries seeking that information went unanswered.
The second report, from TechCrunch, concerned Android-based TV boxes sold on Amazon, specifically T95 models bearing the H616 designation. The boxes were found to contain malware that connects to a command-and-control server much like Guerrilla's, letting the malware's operators install any app they choose. The malware installed by default on these boxes is a "clickbot," which generates advertising revenue by silently tapping ads loaded in the background.
TechCrunch’s findings were corroborated by Daniel Milisic, a researcher who purchased one of these infected TV boxes, and independently confirmed by Bill Budington of the Electronic Frontier Foundation.
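Both the Guerrilla backdoor and the T95 clickbot are described above as checking in with a command-and-control server on a regular schedule. That regularity is the one thing such implants tend to leak onto the network, so the following is an added example (not code from the article, Trend Micro, TechCrunch or any of the researchers named) of how a practitioner might spot it in outbound-connection logs from a home router or a capture taken on the device. The flow records, device names and destination addresses are constructed for illustration; the heuristic itself is generic beacon detection, not anything specific to these malware families.

```python
"""Beacon detection over constructed outbound-connection records.

Groups connections by (device, destination), then measures how regular
the gaps between successive connections are. Automated C2 check-ins
produce nearly constant gaps; human-driven traffic is bursty.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed netflow-style records: (timestamp in seconds, device, destination).
# Every value here is made up for the example.
SAMPLE_FLOWS = [
    # phone-A: suspected check-ins roughly every 300 s with a little jitter
    *[(t, "phone-A", "203.0.113.10:443") for t in
      (0, 302, 599, 903, 1198, 1502, 1799, 2101, 2398, 2703, 2997, 3300)],
    # phone-A: ordinary browsing, too few connections to judge
    (120, "phone-A", "cdn.example:443"),
    (121, "phone-A", "cdn.example:443"),
    (2550, "phone-A", "cdn.example:443"),
    # phone-B: bursty, human-driven traffic to one host
    *[(t, "phone-B", "198.51.100.7:443") for t in
      (10, 45, 400, 420, 1300, 1310, 2200, 2205, 2900, 3290)],
    (700, "phone-B", "mail.example:993"),
]


def find_beacons(flows, min_connections=8, max_cv=0.10):
    """Return {(device, destination): stats} for pairs whose inter-connection
    intervals are nearly constant.

    cv is the coefficient of variation (population std dev / mean) of the gaps
    between consecutive connections. A cv at or below max_cv with at least
    min_connections samples is reported as a likely beacon.
    """
    by_pair = defaultdict(list)
    for ts, device, dest in flows:
        by_pair[(device, dest)].append(ts)

    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue  # not enough samples to say anything
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps only; skip rather than divide by zero
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons[pair] = {"count": len(stamps), "mean_interval": avg, "cv": cv}
    return beacons


if __name__ == "__main__":
    for (device, dest), s in find_beacons(SAMPLE_FLOWS).items():
        print(f"{device} -> {dest}: {s['count']} connections, "
              f"~{s['mean_interval']:.0f}s apart (cv={s['cv']:.3f})")
```

On the constructed data only phone-A's 300-second check-ins are reported; phone-B's bursty traffic scores a cv near 1 and is ignored. The thresholds are a starting point, not a verdict: legitimate apps (push services, NTP, weather widgets) also beacon, and an implant that randomizes its sleep interval will raise its cv above the cutoff, so hits need to be confirmed against the destination and the process that opened the connection.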
Android devices shipping with factory-installed malware are, unfortunately, nothing new; Ars has reported on similar incidents several times in recent years.
Consumers seeking Android phones are advised to gravitate toward reputable brands such as Samsung, Asus, or OnePlus, which typically maintain more robust quality assurance controls on their inventory. To date, there have been no reports of higher-end Android devices arriving with preinstalled malware. Similarly, there have been no such reports for iPhones.