Android-driven devices, including smartphones and tablets manufactured by the likes of Asus, LG, Motorola and Samsung, are being sold with pre-installed malware, according to claims made by the CTO and Founder of Marble Security. David Jevans made the claim following complaints from a potential client that a mobile security platform from the vendor was mistakenly identifying a Netflix app as being malware. Upon further investigation, Marble researchers discovered that the apps in question were not only malware but were actively harvesting both passwords and financial data which were being sent to a Russian server. Although malware is nothing new, and Android malware distribution in particular is growing at a phenomenal rate year on year according to just about every bit of statistical evidence I have seen, what piqued the interest of Jevans was the fact that the victim in question insisted that the malicious apps were pre-installed on the devices and there when they purchased them.
This is, of course, nothing really new as regular readers of DaniWeb news might recall. It was all of seven years ago now that I broke the story of TomTom satnav devices being found infected with malware direct from the factory. That news story went on to win an IT Security News Story of the Year award at the BT Information Security Journalism Awards, and served as a warning of things to come. Given the proliferation of both Android devices and Android malware, the only surprise here is that it has taken so long for this 'malware pre-installed' revelation to be made.
Samsung, whose Galaxy Note, Galaxy 3 and Galaxy 4 devices were amongst the devices found to be compromised, has stated that neither it nor the carrier partners it uses across the US install any Netflix app before selling the phones and tablets. Which leaves us with something of an obvious question that needs answering, namely who did install the software? Jevans has yet to confirm who was involved in selling the specific devices his researchers found to be infected, although most security experts seem to agree it's likely that the malware is being installed unintentionally through a bundle package that contains the infected files, or that the handsets in question were refurbished units which were already carrying the distribution. This does, of course, raise further issues regarding the lack of proper device sanitization and security checking before sale.
Michael Sutton, VP of security research at Zscaler, says: "While such instances are rare, it is always possible that a less than reputable vendor, or someone with access to the devices along the supply chain knowingly installed malicious apps. It is also possible that the vendors involved in this situation were selling refurbished devices that had not been properly wiped. Regardless, as with web traffic, devices too should be considered untrusted until properly vetted. For most customers, buying from a reputable retail chain or ordering directly from the manufacturer is adequate to reduce the risk of purchasing an infected device. However, for those that want to be absolutely certain that their new device is clean, they should wipe the device and reinstall the operating system (o/s) from scratch before using it. Fortunately, the process for doing so with mobile phones is relatively simple. This is really only an issue with Android devices as the o/s permits apps to be installed from third-party app stores which serve as the source for the vast majority of malicious applications."