Malware infecting Androids somewhere in the supply chain
Handsets leave the factory clean, then get dragged through the mud before they reach you
Smartphones from Samsung, LG, Xiaomi, ZTE, Oppo, Vivo, Asus and Lenovo have been spotted sporting malware they apparently carried when they were shipped.
The malware discovered by Check Point Software Technologies included ransomware such as Slocker; Loki, which shows “illegitimate advertisements” to generate revenue while stealing device information; and other information stealers.
Check Point says it found infections in 38 Android devices. Since the malware wasn't in the vendor's ROM, the company's researcher Oren Koriat reckons they were added in the supply chain between vendor and customer.
Koriat's post doesn't identify the victims beyond saying two companies owned the devices: one large telecommunications company, and one international IT company.
The malicious package names and devices they were spotted on are listed below. Since they were added after manufacture, vendors aren't to blame.
| Malware | Device |
|---|---|
| com.fone.player1 | Galaxy Note 2, LG G4 |
| com.lu.compass | Galaxy S4, S7 |
| com.kandian.hdtogoapp | Galaxy Note 4, Note 8 |
| com.sds.android.ttpod | Galaxy Note 2, Xiaomi Mi 4i |
| com.baycode.mop | Galaxy A5 |
| com.kandian.hdtogoapp | Galaxy S4 |
| com.iflytek.ringdiyclient | ZTE x500 |
| com.android.deketv | Galaxy A5 |
| com.changba | Galaxy S4, Galaxy Note 3, Galaxy Note Edge, Galaxy Note 4 |
| com.example.loader | Galaxy Tab 2 |
| com.armorforandroid.security | Galaxy Tab 2 |
| com.android.ys.services | Oppo N3, Vivo X6 Plus |
| com.mobogenie.daemon | Galaxy S4 |
| com.google.googlesearch | Asus ZenFone 2, ZenFone 5, Lenovo S90 |
| com.skymobi.mopoplay.appstore | Lenovo S90 |
| com.example.loader | Oppo R7 Plus |
| com.yongfu.wenjianjiaguanli | Xiaomi RedMi |
| air.fyzb3 | Galaxy Note 4 |
| com.ddev.downloader.v2 | Galaxy Note 5 |
| com.mojang.minecraftpe | Galaxy Note Edge |
| com.androidhelper.sdk | Lenovo A850 |
“Six of the malware instances were added by a malicious actor to the device’s ROM using system privileges, meaning they couldn’t be removed by the user and the device had to be re-flashed”, Koriat writes. ®
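For a fleet administrator, the practical questions raised by the table and by Koriat's remark about system-privileged installs are "do any of our handsets carry one of these package names?" and "can the user uninstall it, or does the device need re-flashing?". The script below is an added example (not from the article or from Check Point) that answers both from the output of `adb shell pm list packages -f`, which prints one `package:<apk path>=<package name>` line per installed app. Packages whose APK lives under a read-only partition such as `/system/` were planted with system privileges and cannot be removed by the user. The device inventory embedded here is constructed; pass `--adb` to read from a connected handset instead.

```python
"""Triage an Android package inventory against the package names in the table above.

Added example, not the article's or Check Point's code. Assumes the line format
printed by `adb shell pm list packages -f`:  package:<apk path>=<package name>
"""
import re
import subprocess
import sys

# The 19 distinct package names from the article's table (two appear twice there).
REPORTED_PACKAGES = {
    "com.fone.player1", "com.lu.compass", "com.kandian.hdtogoapp",
    "com.sds.android.ttpod", "com.baycode.mop", "com.iflytek.ringdiyclient",
    "com.android.deketv", "com.changba", "com.example.loader",
    "com.armorforandroid.security", "com.android.ys.services",
    "com.mobogenie.daemon", "com.google.googlesearch",
    "com.skymobi.mopoplay.appstore", "com.yongfu.wenjianjiaguanli",
    "air.fyzb3", "com.ddev.downloader.v2", "com.mojang.minecraftpe",
    "com.androidhelper.sdk",
}

# Read-only partitions a user cannot modify. An APK here was baked into the
# image or written with system privileges, so "Uninstall" is not offered and
# the only clean remedy is re-flashing a known-good ROM.
SYSTEM_PREFIXES = ("/system/", "/vendor/", "/product/", "/system_ext/", "/oem/")

_LINE = re.compile(r"^package:(?P<path>\S+?)=(?P<name>[\w.]+)$")


def parse_pm_list(output):
    """Map package name -> APK path; lines that do not match the format are skipped."""
    packages = {}
    for line in output.splitlines():
        match = _LINE.match(line.strip())
        if match:
            packages[match.group("name")] = match.group("path")
    return packages


def triage(output, reported=REPORTED_PACKAGES):
    """Return {package: "reflash" | "uninstall"} for every reported package present.

    "reflash"   - APK sits on a system partition; user cannot remove it.
    "uninstall" - APK sits under /data; a normal uninstall removes it.
    """
    verdicts = {}
    for name, path in parse_pm_list(output).items():
        if name in reported:
            verdicts[name] = "reflash" if path.startswith(SYSTEM_PREFIXES) else "uninstall"
    return verdicts


# Constructed sample inventory: two legitimate apps plus three names from the table,
# one of them installed on /system to mirror the system-privilege case.
SAMPLE_OUTPUT = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/app/deketv/deketv.apk=com.android.deketv
package:/data/app/com.example.loader-1/base.apk=com.example.loader
package:/data/app/com.mojang.minecraftpe-2/base.apk=com.mojang.minecraftpe
package:/data/app/com.whatsapp-1/base.apk=com.whatsapp
"""


def main():
    if "--adb" in sys.argv:
        # Live inventory from the first connected device (requires adb on PATH).
        output = subprocess.run(
            ["adb", "shell", "pm", "list", "packages", "-f"],
            capture_output=True, text=True, check=True,
        ).stdout
    else:
        output = SAMPLE_OUTPUT
    verdicts = triage(output)
    if not verdicts:
        print("no reported package names present")
    for name, verdict in sorted(verdicts.items()):
        print(f"{name}: {verdict}")


if __name__ == "__main__":
    main()
```

A name match is a lead, not a verdict: several entries in the table reuse the package name of a legitimate app (com.mojang.minecraftpe is Minecraft's real package name), so a hit should be followed by pulling the APK with `adb pull` and comparing its signing certificate and hash against the genuine build before deciding it is the trojanised copy.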