Hundreds of thousands of shiny new Android smartphones are being purchased with harmful malware factory-installed, according to Google’s own security research team. There have been a number of headlines about the thousands of dangerous apps being installed from the Play Store, but this is something new. And the danger to unsuspecting customers, trusting that new boxed devices are safe and clean, is that some of that preinstalled malware can download other malware in the background, commit ad fraud, and even take over its host device.
Android is a thriving open-source community, which is good for innovation, but not so great when threat actors seize the chance to hide malware in the basic software loads that come on boxed devices. New smartphones can have as many as 400 apps factory-installed, many of which we simply ignore. But it turns out that many of these apps haven’t been vetted. The apps themselves will work as billed, offering a useful capability or service, so we might be forgiven for not considering the danger that may lurk within.
Google’s Maddie Stone, a security researcher with the company’s Project Zero, shared her team’s findings at Black Hat on Thursday. “If malware or security issues come as preinstalled apps,” she warned, “then the harm it can do is greater, and that is why we want so much reviewing, auditing, and analysis.”
The risk affects the Android Open Source Project (AOSP), a lower-cost alternative to the full-fat version. AOSP is installed on lower-cost smartphones, where cheaper software alternatives help keep costs down. This means owners of Android-badged devices from the likes of Samsung and Google itself are safe from this specific risk.