It is a security disaster waiting to happen as over 40 Android phone models shipped with pre-installed malware inserted into the firmware straight from the factory.
A new Trojan called Android.Triada.231 was inserted into the firmware of several Android devices back in mid-2017, and after in-depth research, security firm Doctor Web discovered that over 40 models are likely affected.
Most of the compromised phones are in the low-end category, and include devices from Leagoo, Doogee, Umi, and Cubot. Newer models include the Leagoo M9 launched in December, Doctor Web researchers said in a post.
Doctor Web researchers contacted the affected companies to report the problem and discovered that, in at least one case, the culprit was a partnership with a software development company in Shanghai which required Android OEMs to pre-install one of its apps into the image of the mobile operating system.
As for how dangerous the malware can be for Android users purchasing these phones, the security firm said it can steal confidential information, like banking data and personal details.
“These Trojans infect the process of an important Android system component, Zygote. This process is used to launch all applications. Once the Trojans inject into this module, they penetrate other running applications,” the researchers said.
“In doing so, they obtain the ability to carry out various malicious activities without a user’s intervention: they covertly download and launch software. The key feature of Android.Triada.231 is that cybercriminals inject this Trojan into the libandroid_runtime.so system library. They do not distribute the Trojan as a separate program. As a result, the malicious application penetrates the device firmware during manufacture. Users receive their devices already infected from the box.”
The security company said the number of Android phones possibly shipping with the same malware could be bigger.
Removing the malware from a phone isn’t possible without installing a clean version of the operating system, in which case the manufacturer is the only one that can help. If the device is rooted, security applications can help clean the infection.