Preinstalled Malware Targeting Mobile Users | Check Point Blog

Preinstalled Malware Targeting Mobile Users | Check Point Blog

The Check Point Mobile Threat Prevention has recently detected a severe infection in 36 Android devices, belonging to a large telecommunications company and a multinational technology company. While this is not unusual, one detail of the attacks stands out. In all instances, the malware was not downloaded to the device as a result of the users’ use, it arrived with it.

According to the findings, the malware were already present on the devices even before the users received them. The malicious apps were not part of the official ROM supplied by the vendor, and were added somewhere along the supply chain. Six of the malware instances were added by a malicious actor to the device’s ROM using system privileges, meaning they couldn’t be removed by the user and the device had to be re-flashed.

Below are two examples of the malware installation. The research team was able to determine when the manufacturer finished installing the system applications on the device, when the malware was installed, and when the user first received the device.

A malicious adnet found in 6 mobile devices, APK

Loki malware, APK com.androidhelper.sdk:

Most of the malware found to be pre-installed on the devices were info-stealers and rough ad networks, and one of them was Slocker, a mobile ransomware. Slocker uses the AES encryption algorithm to encrypt all files on the device and demand ransom in return for their decryption key. Slocker uses Tor for its C&C communications.

The most notable rough adnet which targeted the devices is the Loki Malware. This complex malware operates by using several different components; each has its own functionality and role in achieving the malware’s malicious goal. The malware displays illegitimate advertisements to generate revenue. As part of its operation, the malware steals data about the device and installs itself to system, allowing it to take full control of the device and achieve persistency.

The risk of pre-installed malware

As a general rule, users should avoid risky websites and download apps only from official and trusted app stores. However, following these guidelines is not enough to ensure their security. Pre-installed malware compromise the security even of the most careful users. In addition, a user who receives a device already containing malware will not be able to notice any change in the device’s activity which often occur once a malware is installed.

The discovery of the pre-installed malware raises some alarming issues regarding mobile security. Users could receive devices which contain backdoors or are rooted without their knowledge. To protect themselves from regular and pre-installed malware, users should implement advanced security measures capable of identifying and blocking any abnormality in the device’s behavior.

Appendix 1 – list of malware APKs, and Affected devices

com.fone.player1: Galaxy Note 2 LG G4 Galaxy S7 Galaxy S4
com.kandian.hdtogoapp: Galaxy Note 4 Galaxy Note 8.0 Galaxy Note 2 Xiaomi Mi 4i
com.baycode.mop: Galaxy A5
com.kandian.hdtogoapp: Galaxy S4
com.iflytek.ringdiyclient: ZTE x500 Galaxy A5
com.changba: Galaxy S4 Galaxy Note 3 Galaxy S4 Galaxy Note Edge Galaxy Note 4
com.example.loader: Galaxy Tab S2 Galaxy Tab 2 Oppo N3 vivo X6 plus
com.mobogenie.daemon: Galaxy S4 5 Asus Zenfone 2 LenovoS90
com.skymobi.mopoplay.appstore: LenovoS90
com.example.loader: OppoR7 plus
com.yongfu.wenjianjiaguanli: Xiaomi Redmi
air.fyzb3: Galaxy Note 4
com.ddev.downloader.v2: Galaxy Note 5
com.mojang.minecraftpe: Galaxy Note Edge
com.androidhelper.sdk: Lenovo A850


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s