Cybersecurity firm Check Point has found malware on 38 Android devices from two separate corporate clients. That alone wouldn’t be a huge surprise, but what makes the finding notable is that the malware was preinstalled “somewhere along the supply chain,” according to a blog post by the company.

From the post:

According to the findings, the malware were already present on the devices even before the users received them. The malicious apps were not part of the official ROM supplied by the vendor, and were added somewhere along the supply chain. Six of the malware instances were added by a malicious actor to the device’s ROM using system privileges, meaning they couldn’t be removed by the user and the device had to be re-flashed.

Update: An earlier version of the Check Point blog post included Nexus 5 and Nexus 5x, but those models were removed without explanation in an update made over the weekend.

Little detail was given about the clients. They are only identified as a “large telecommunications company and a multinational technology company.” The advisory does list which forms of malware were found on which devices. Most of the devices contained info-stealers and adware. But one phone contained ransomware, which in the right hands and targeting the right company could be a very big deal.

These are the malware-infected devices that Check Point has named:

  • Galaxy Note 2
  • LG G4
  • Galaxy S7
  • Galaxy S4
  • Galaxy Note 4
  • Galaxy Note 5
  • Galaxy Note 8
  • Xiaomi Mi 4i
  • Galaxy A5
  • ZTE x500
  • Galaxy Note 3
  • Galaxy Note Edge
  • Galaxy Tab S2
  • Galaxy Tab 2
  • Oppo N3
  • vivo X6 plus
  • Asus Zenfone 2
  • Lenovo S90
  • Oppo R7 plus
  • Xiaomi Redmi
  • Lenovo A850

To be clear, this does not mean that all models of those phones are infected with the malware that Check Point found. But it does mean at some point in the supply chain process, the malware was added to the phones and the owners might think they’re just fine because they haven’t even added an app or clicked a link from a Nigerian prince yet.

The lesson here is to install a malware scanner on Android devices as soon as they’re out of the box. There are lots of trusted options available like Lookout, Malwarebytes and Kaspersky.

One of the biggest takeaways of the Wikileaks dump of alleged CIA hacking documents is that if the phone itself is compromised, hackers can access any information in any app. While the iPhone is understood to be more secure, it’s not invulnerable either. But Android is certainly more flawed. A 2015 study found that 85% of Android devices contained at least one critical security vulnerability.

Scan that device, and if malware is found that can’t be removed, get in touch with the manufacturer.

[Check Point via Ars Technica]