While Android's open-source operating system allows for more affordable alternatives for millions of users, it also opens the door for hackers to sneak in prepackaged malware. Researchers for Google found preinstalled malware on more than 7.4 million Android devices, with the ability to take over devices and download apps in the background while committing ad fraud.
Samsung, LG, and Google's own Pixel devices are likely safe from the preinstalled malware, but budget phone makers depend on third-party software to reduce costs, and that software could be vulnerable. Maddie Stone, a security researcher on Google's Project Zero, said that the threat actors offer genuine services and hide the malware in the apps which they provide.
Stone, who had earlier worked as a tech lead on the Android Security team, said, "If malware or security issues can make its way as a preinstalled app, then the damage it can do is greater, and that's why we need so much reviewing, auditing and analysis."
While discussing her findings at the Black Hat cybersecurity conference in Las Vegas on Thursday, July 2, Stone explained that preinstalled malware is a huge threat, but security researchers often don't pay much attention to it, since the focus is usually directed at the malware that victims download on their own. She said that preinstalled malware is harder to find than malware the user downloaded, and even more difficult to remove from the device.
Controlling the System
Apple has complete control over the iPhone, so preinstalled malware is not a concern for iOS or the App Store. For Android, its security team found two major malware campaigns hidden in preinstalled apps over the last three years -- Chamois and Triada. As per the reports, these two campaigns infected tens of millions of devices, but it is still not clear which phones were affected.
Stone explained a few case studies on preinstalled apps that posed threats to Android devices, even though it is not clear whether the developers of these applications had any malicious intent. As per Stone, the apps affected millions of devices and turned off Google Play Protect, spied on users' online activity, and allowed potential hackers to run code remotely.
As per her explanation, around 225 device makers had apps with code that allowed for remote code execution (RCE), which refers to the ability of a hacker to access and make changes to a system owned by someone else, without authority and regardless of where the computer is geographically located. These apps acted as a window that let anyone online connect to the device and allowed the threat actor to take complete control. Stone said it affected six million devices, but within six months the issue was fixed.
It was found that multinational conglomerate Honeywell had vulnerabilities preinstalled on the Android devices used with its industrial control systems. As per the information disclosed in September 2019, any apps on the devices that Honeywell was using had extended privileges, so a potential cybercriminal could have abused the security flaw to steal passwords and documents.
Not a Preinstalled Malware
As per a new report from Cybereason, an old and dangerous Android malware called FakeSpy, which was first discovered by security researchers nearly three years ago, has resurfaced in a big way. This malware is designed to steal a victim's text messages, financial data, banking information, app data, contact lists, and more.
In its original incarnation, FakeSpy targeted users in South Korea and Japan, but recent reports revealed that other countries, including China, France, Germany, the U.K., and the U.S., have also been added to its target list. The current version of FakeSpy is also claimed to be more powerful and sophisticated than the original one, which is to say Android users should be vigilant about avoiding suspicious messages.
The malicious messages claim that the post office tried to deliver a package but was unable to do so because the user wasn't home, then provide a link that directs the user to download an app disguised as a legitimate postal service app. Once installed on a device, the app is able to send the same fake messages, along with the malicious link, to the user's entire contact list.
The researchers at Cybereason said the fake applications are built using WebView, a popular extension of Android's View class that lets the developer show a webpage. FakeSpy uses this view to redirect users to the real post office carrier webpage when the application launches, continuing the deception. This allows the application to appear legitimate, especially given these applications' icons and user interface.
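The lure described above (a failed parcel delivery because the recipient "wasn't home", plus a link to an app posing as the postal carrier) has a recognisable shape that a message-filtering or SOC triage script can score. The following is an added example, not code from Cybereason or from the article; the SMS texts are constructed samples, and the indicator names and scoring threshold are assumptions for illustration.

```python
import re

# Constructed sample messages (not real FakeSpy texts), as a filter might see them.
SAMPLE_MESSAGES = [
    "Post office: we tried to deliver your package but you were not home. "
    "Reschedule: http://example-postal.test/app.apk",
    "Your parcel could not be delivered because nobody was home. "
    "Track it here: https://track.example-carrier.test/download",
    "Dinner at 7? Let me know if you're running late.",
    "Your verification code is 482913",
]

# Indicators drawn from the lure described in the article.
DELIVERY_LURE = re.compile(r"\b(package|parcel|delivery|post office|postal|courier)\b", re.I)
ABSENT_LURE = re.compile(r"\b(not|wasn't|weren't|nobody|no one)\b.{0,20}\b(home|in|available)\b", re.I)
URL = re.compile(r"https?://\S+", re.I)
# A link that hands out an installable package rather than a tracking page.
APP_DOWNLOAD = re.compile(r"\.apk\b|/download\b", re.I)


def score_message(text):
    """Return (score, reasons): one point per lure indicator present in the text."""
    reasons = []
    if DELIVERY_LURE.search(text):
        reasons.append("delivery-lure")
    if ABSENT_LURE.search(text):
        reasons.append("not-home-pretext")
    urls = URL.findall(text)
    if urls:
        reasons.append("contains-link")
    if any(APP_DOWNLOAD.search(u) for u in urls):
        reasons.append("app-download-link")
    return len(reasons), reasons


def flag_smishing(messages, threshold=3):
    """Return the messages whose indicator score meets the (assumed) threshold."""
    return [m for m in messages if score_message(m)[0] >= threshold]


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        score, reasons = score_message(msg)
        print(f"{score} {reasons} :: {msg[:60]}")
```

Only messages combining the delivery pretext, the "not home" excuse and a link are flagged; a lone delivery notice or a one-time code is not.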