Android users menaced by pre-installed malware – Naked Security


How does malware find its way on to Android smartphones and tablets?

By some margin, it’s by way of Google’s Play Store, which despite repeated efforts to clean it up remains a recurring source of dodgy apps that sit somewhere between suspiciously misleading and downright malicious.

But according to a Black Hat presentation by Google Project Zero researcher Maddie Stone, there’s another route that’s nearly impossible for users to defend themselves against – malicious apps that have been factory pre-installed.

It starts with the sheer number of apps that now come with Android devices out of the box – somewhere between 100 and 400.

Criminals only need to subvert one of those, which has become a particular problem for cheaper smartphones using the Android Open Source Platform (AOSP) as opposed to the licensed ‘stock’ Google version that powers better-known brands.

Chamois botnet

Stone cited several instances encountered in her previous role on Google’s Android Security team, including an SMS and click fraud botnet called Chamois, which managed to infect at least 21 million devices from 2016 onwards.

The malware behind it proved harder to defeat than anticipated, in part because the company realised in March 2018 that on 7.4 million of those devices the infection had not been downloaded by the user but had been pre-installed somewhere in the supply chain.

Google was able to reduce pre-installed Chamois to a tenth of that level by 2019 but, unfortunately, Chamois was only one of several supply chain security issues it uncovered.

Others included 225 device makers either leaving diagnostic software on devices that offered backdoor remote access, shipping modified Android Framework code that allowed spyware-level logging, or installing apps that had been programmed to bypass Google Play Protect (GPP) security.

Some of this was inadvertent, a case of OEMs messing around with settings to make their lives easier, but it was dangerous enough for Google to assign the issue a CVE number and ship a software fix that outlawed the bypass in early 2019.