Malware Found Pre-Installed on Android Phones Indicates Supply Chain Security Breakdown
By MDL on March 20, 2017
Check Point Software Technologies recently detected “severe infection” in multiple models of Android devices and determined that the malware was pre-installed, indicating an issue with supply chain security of mobile devices.
What Happened: Check Point, an international cybersecurity vendor, posted the results of their threat research findings on Friday, March 10th. A variety of malware was installed on the phones including adware, ransomware, and information-stealers. Some well-known malware was included such as Loki (adware/data exfiltration) and SLocker (mobile ransomware).
The affected phones were mainly Samsung models, including the Samsung Galaxy A5, S4, and S7, Note 2, Note 3, Note 4, Note 5, Note 8.0, Note Edge, and Galaxy Tab. Devices from other manufacturers included ZTE, OPPO, Asus Zenfone, Lenovo, and phones made by the Chinese electronics company Xiaomi, called the fourth largest smartphone manufacturer in the world.
The 36 infected phones involved in the Check Point research belonged to two companies, “a large telecommunications company and a multinational technology company.”
How Did It Happen: The malware was present on the devices before users took possession of the phones, the post reveals, and it was not built into the stock Android ROM (Read Only Memory, the system image file) that should have been installed on the phone.
“The malicious apps were not part of the official ROM supplied by the vendor, and were added somewhere along the supply chain. Six of the malware instances were added by a malicious actor to the device’s ROM using system privileges, meaning they couldn’t be removed by the user and the device had to be re-flashed.”
A Threatpost article quotes Check Point research analyst Daniel Padon as saying that the malware was added weeks, months, or up to a year after the original ROM was installed. “This raises the question of the intent of the attack. We would have expected one type of malware infecting one type of device. Since we found different malware, it could be someone experimenting, or separate events that are not connected; it’s all speculation at this point.” Padon also raised the idea that the devices may have been tampered with at a retail location.
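Because six of the malicious apps were added to the ROM itself with system privileges, they sit on the system partition next to the vendor's legitimate apps, where a user cannot uninstall them and, as the analysis below notes, has no behavioral baseline to compare against. One defender-side check is to compare a device's package inventory against the package list of a freshly flashed official ROM of the same build and flag anything on a system partition that the vendor never shipped. The script below is an added example written for this article, not Check Point's tooling or any vendor's; the `adb shell pm list packages -f` output, the package names, and the baseline set are constructed for illustration.

```python
"""Flag system-partition packages that are not part of a known-good ROM baseline.

Added example, not code from the article or from Check Point. The sample
`pm list packages -f` output and the baseline set below are constructed; a real
baseline would be captured from a freshly flashed official ROM of the same build.
"""
import re
from dataclasses import dataclass

# Constructed sample of `adb shell pm list packages -f` output. Each line has the
# form "package:<apk path>=<package name>".
SAMPLE_PM_OUTPUT = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/app/Calculator/Calculator.apk=com.android.calculator2
package:/system/app/SysUpdate/SysUpdate.apk=com.example.hypothetical.extra
package:/data/app/com.example.userapp-1/base.apk=com.example.userapp
package:/vendor/app/VendorTools/VendorTools.apk=com.example.vendor.tools
"""

# Constructed baseline: packages the official ROM ships on its system partitions.
BASELINE_SYSTEM_PACKAGES = {
    "com.android.settings",
    "com.android.calculator2",
    "com.example.vendor.tools",
}

# Partitions whose apps run with system privileges and cannot be removed by the user.
SYSTEM_PREFIXES = ("/system/", "/vendor/", "/oem/", "/product/")
LINE_RE = re.compile(r"^package:(?P<path>\S+?)=(?P<name>\S+)$")


@dataclass(frozen=True)
class Package:
    path: str
    name: str

    @property
    def is_system(self) -> bool:
        """True if the APK lives on a system-privileged partition."""
        return self.path.startswith(SYSTEM_PREFIXES)


def parse_pm_output(text: str) -> list[Package]:
    """Parse `pm list packages -f` output, skipping blank or malformed lines."""
    packages = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            packages.append(Package(match.group("path"), match.group("name")))
    return packages


def find_unexpected_system_packages(text: str, baseline: set[str]) -> list[Package]:
    """Return system-partition packages absent from the official ROM baseline.

    User-installed apps under /data are ignored: they are removable by the user
    and are not the supply-chain tampering this check is looking for.
    """
    return [
        pkg for pkg in parse_pm_output(text)
        if pkg.is_system and pkg.name not in baseline
    ]


def find_missing_baseline_packages(text: str, baseline: set[str]) -> set[str]:
    """Baseline packages not present on the device; a modified ROM may drop some."""
    present = {pkg.name for pkg in parse_pm_output(text) if pkg.is_system}
    return baseline - present


if __name__ == "__main__":
    for pkg in find_unexpected_system_packages(SAMPLE_PM_OUTPUT, BASELINE_SYSTEM_PACKAGES):
        print(f"UNEXPECTED system package: {pkg.name} at {pkg.path}")
    for name in sorted(find_missing_baseline_packages(SAMPLE_PM_OUTPUT, BASELINE_SYSTEM_PACKAGES)):
        print(f"MISSING baseline package: {name}")
```

A hit from this check is a reason to re-flash the device from the vendor's official image rather than to attempt removal, which is exactly the remediation the Check Point post describes for the six ROM-level instances. The comparison is only as good as the baseline, so the baseline must come from the same model and build number, captured on a device that never left a trusted channel.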
Analysis:
Although the companies that received these infected devices, their locations, and their geographical regions were not disclosed by Check Point, all the affected models have ties to Asia. Samsung is a South Korean business conglomerate. Asus is based in Taiwan. Xiaomi, Lenovo, ZTE, and OPPO are all Chinese companies with strong sales throughout Asia.
Supply chain security problems are among the most difficult to resolve. An organization must determine at what point during the design, building, assembly, storage, shipping, receiving, or retail process the security breach occurred. Does the problem result from a fault in a single component, or has your organization unknowingly partnered with an untrustworthy company? Is the source of the problem an accident, a disgruntled employee, or a malicious state-sponsored actor? Supply chain security problems are difficult to trace and difficult to fix, and the damage can be far-reaching and costly.
Check Point recommends that users avoid risky websites and download apps only from official app stores, but that advice could not have prevented the problem discussed here. If a user receives a new phone, perhaps from a trusted source like a workplace, that user naturally expects the device to be free from malware. If malware is pre-installed on a brand new device, the user has no way to detect abnormal functioning that might arouse suspicion. To the user with a pre-infected device, the phone is not running slower; it runs as it always has. They will not notice an increase in ads because those ads have always appeared. The first notice of unusual behavior might be a ransomware note informing the user that they must pay to regain the use of their phone.
Organizations can implement user training to ensure that employees know to report any suspicious behavior of a work-issued device to IT support.
Sources: Check Point, Preinstalled Malware Targeting Mobile Users. SecurityWeek, Backdoor in Some Android Phones Sends Data to Server in China. SecurityWeek, Enterprises Infected By Pre-installed Android Malware. SC Magazine, Android Devices Pre-loaded with Malware Signal Fault in Supply Chain. The Register, Malware Infecting Androids Somewhere in the Supply Chain. The Hacker News, Beware! Pre-Installed Android Malware Found On 36 High-end Smartphones. Threatpost, 38 Android Devices Infected with Malware Preinstalled in Supply Chain.