Malware is usually able to make its way into a device because of user error. You might open an infected attachment, visit a malicious website, or download a piece of malware disguised as a popular app, for example, only to find that your device has been compromised as a result. But a report from the Check Point security company stated that 36 Android devices are compromised out of the box, which shows that user error isn't the only way for malware to get in.
Check Point said the devices were owned by "a large telecommunications company and a multinational technology company." The malicious apps seem to have been installed somewhere along the supply chain--they weren't included in the vendors' official ROMs, but they were installed by someone with system privileges, which means one of the companies involved in manufacturing, assembling, shipping, and selling the phones was probably involved.
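The distinction the article draws is the useful one for a defender: the rogue apps sat on a system partition with system privileges, yet the vendor's official ROM did not contain them. That gives a concrete check: inventory the packages installed on the system partitions and compare them with the package list of the vendor's known-good image. The script below is an added example, not code from Check Point's report or from the article. It parses the real `package:<apk path>=<package name>` line format printed by `adb shell pm list packages -f`; the sample output and the baseline set are constructed placeholders, and the assumption is that the baseline comes from a trustworthy copy of the official firmware rather than from the device being examined.

```python
import re

# Real line format of `adb shell pm list packages -f`:
#   package:<apk path>=<package name>
PM_LINE = re.compile(r"^package:(?P<path>.+?)=(?P<name>[A-Za-z0-9_.]+)$")

# Partitions whose apps run as system or privileged apps (Android 10+ also uses /system_ext).
SYSTEM_PREFIXES = ("/system/", "/system_ext/", "/product/", "/vendor/", "/oem/")


def parse_pm_packages(output: str) -> dict:
    """Map package name -> installed APK path from `pm list packages -f` output."""
    packages = {}
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        m = PM_LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised pm output line: {line!r}")
        packages[m.group("name")] = m.group("path")
    return packages


def is_system_path(path: str) -> bool:
    """True if the APK lives on a partition that grants system-level privileges."""
    return path.startswith(SYSTEM_PREFIXES)


def find_unexpected_system_packages(installed: dict, baseline: set) -> dict:
    """Packages on a system partition that the official ROM package list does not contain.

    User-installed apps under /data/app are ignored on purpose: they are the
    ordinary "user error" route, not the supply-chain route this check targets.
    """
    return {
        name: path
        for name, path in installed.items()
        if is_system_path(path) and name not in baseline
    }


# Constructed sample of what `pm list packages -f` might print on a device that
# carries one extra privileged app. The package names are placeholders, not
# identifiers of real malware.
SAMPLE_PM_OUTPUT = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/app/Calendar/Calendar.apk=com.android.calendar
package:/system/priv-app/SysUpdate/SysUpdate.apk=com.example.sysupdate
package:/data/app/com.example.game-1/base.apk=com.example.game
"""

# Constructed baseline: package names assumed to be extracted from the vendor's
# official ROM image, obtained independently of the device under test.
OFFICIAL_ROM_PACKAGES = {"com.android.settings", "com.android.calendar"}


def audit(pm_output: str = SAMPLE_PM_OUTPUT, baseline: set = OFFICIAL_ROM_PACKAGES) -> dict:
    """Return the system-partition packages that are not in the official baseline."""
    return find_unexpected_system_packages(parse_pm_packages(pm_output), baseline)


if __name__ == "__main__":
    for name, path in audit().items():
        print(f"UNEXPECTED system package: {name} ({path})")
```

On the constructed sample this flags `com.example.sysupdate` under `/system/priv-app` and ignores the game under `/data/app`. The check relies on the device's own package manager reporting honestly, so it catches the case the report describes (extra apps added to an otherwise genuine system image) but not a modified framework that hides entries; for that, comparing the firmware partitions themselves against the vendor's published image hashes is the stronger test.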
Devices from Samsung, ZTE, Asus, Lenovo, Oppo Global, and LG were included in Check Point's report. The company said much of the malware it found was devoted to stealing information or showing illegitimate advertisements. The most notable apps it found were Slocker, ransomware that uses AES encryption to hold a phone's data for ransom, and the Loki malware, which can "take full control of the device and achieve persistency" to display ads.
It's no surprise to learn that Android smartphones were targeted by various types of malware. In the past we've seen attackers disguise malicious apps as the Android version of the currently iOS-exclusive Super Mario Run; use malware called Gooligan to collect user data and compromise Google accounts; and silently install potentially harmful apps via "autorooting" malware like LevelDropper. And those are just a few recent examples.
Attackers targeting Android smartphones along the supply chain, however, is even more worrisome. It means that even if you do your best to keep yourself safe by never opening sketchy attachments, sticking with trusted websites, and making sure you're installing only legitimate software, your device could already be infected with malware. Check Point explained in its report:
As a general rule, users should avoid risky websites and download apps only from official and trusted app stores. However, following these guidelines is not enough to ensure their security. Pre-installed malware compromises the security even of the most careful users. In addition, a user who receives a device already containing malware will not be able to notice any change in the device's activity which often occurs once a malware is installed.
The discovery of the pre-installed malware raises some alarming issues regarding mobile security. Users could receive devices which contain backdoors or are rooted without their knowledge. To protect themselves from regular and pre-installed malware, users should implement advanced security measures capable of identifying and blocking any abnormality in the device’s behavior.
It's hard enough to convince most people to take even basic security precautions. Pew reported last year that many Americans reuse passwords, don't lock their smartphones behind a passcode, and otherwise defy security best practices. Expecting many of these people--even if they're valuable enough to warrant targeting via supply chain malware installation--to make sure their device is clean the first time they use it borders on lunacy.
Of course, it's worth noting that many Android smartphones have been sold, and the 36 found by Check Point are a fraction of a fraction of that number. The question now is how long the attackers targeted these devices' supply chains. Were they compromised from the get-go, or was only a small production run affected? The answers could make the difference between a relatively small problem and a much larger issue for these companies and their customers.