About 10 years ago, security researchers began warning users and technology manufacturers about the problem of hardware devices coming out of the box pre-loaded with malware. It began with digital picture frames and USB drives, and it has moved to mobile phones, with the latest example coming in the form of 36 Android phones that shipped with malware already installed on them.
Researchers at Check Point discovered the infected devices, which belonged to a pair of large companies, and found that there were multiple types of malware involved. One of the malicious apps was a ransomware variant and another was part of a mobile ad fraud network. The Check Point researchers said the malware variants clearly had been added after the manufacturing process.
“The malicious apps were not part of the official ROM supplied by the vendor, and were added somewhere along the supply chain. Six of the malware instances were added by a malicious actor to the device’s ROM using system privileges, meaning they couldn’t be removed by the user and the device had to be re-flashed,” Oren Koriat of the Check Point Mobile Threat Researcher team said in a post analyzing the attacks.
Among the devices found to have the pre-installed malware were several versions of the Samsung Galaxy Note, the Galaxy S4, Galaxy A5, and Lenovo A850. For attackers, installing malware on a device before it reaches the end user is a dream scenario, albeit a difficult one to realize. Getting malware onto a device during the manufacturing or distribution process requires the attacker to have access to an employee–or several employees–at a target facility who are willing to install the malware surreptitiously.
“The malicious apps were not part of the official ROM supplied by the vendor, and were added somewhere along the supply chain.”
It’s a risky enterprise, but it has the potential to reap big rewards for the attackers if it’s successful. This attack scenario is one of the reasons why Apple exerts such tight control over the manufacturing and assembly process for iPhones and its other hardware.
Koriat said that some of the malware Check Point discovered on the compromised devices is difficult to find and can be very damaging. One piece of malware the researchers discovered is the Slocker ransomware, one of the growing number of Android ransomware variants. Some devices also were infected with the Loki malware, which is part of an ad fraud network.
“The most notable rough adnet which targeted the devices is the Loki Malware. This complex malware operates by using several different components; each has its own functionality and role in achieving the malware’s malicious goal. The malware displays illegitimate advertisements to generate revenue. As part of its operation, the malware steals data about the device and installs itself to system, allowing it to take full control of the device and achieve persistency,” Koriat said.