Maddie Stone, a security researcher on Google’s Project Zero and a former tech lead on the Android Security team, flagged preinstalled malware on millions of new Android smartphones as a hidden threat that requires more attention.
Stone shared her team’s findings at the Black Hat USA 2019 conference in Las Vegas, in a presentation in which she said that a smartphone may have as many as 400 preinstalled apps out of the box. This is a major problem because attackers are attempting to hide malware in the preinstalled apps, as it is easier to convince one manufacturer to agree to a preloaded app than to convince thousands of users to download an infected file.
“If malware or security issues come as preinstalled apps,” Stone warned, “then the damage it can do is greater, and that’s why we need so much reviewing, auditing, and analysis.”
The risk affects the Android Open Source Project, which is a lower-cost alternative to the full version of Google’s mobile operating system. AOSP is installed in cheaper smartphones to keep the price tag down, but unsuspecting customers are in danger of purchasing devices that come with preinstalled malware.
While this means that Android smartphones released by Google and partners such as Samsung are generally safe from the risk, Google’s Project Zero discovered more than 200 manufacturers who have launched devices with hidden malware. One particular malware of concern is Chamois, which upon infecting a device, generates ad fraud, installs background apps, downloads plugins and even send text messages at premium rates. In March 2018, Stone’s team found Chamois preinstalled in 7.4 million
Google’s Project Zero has been working with device manufacturers to address the issue, and that has helped reduce the number of smartphones preinstalled with Chamois to only 700,000 between March 2018 and March 2019. Stone, meanwhile, called for security researchers to place a bigger focus on preinstalled malware as a security threat, as the attention is often directed towards malware that people are tricked into downloading themselves. Then again, even Android antivirus apps have shown to provide inadequate malware protection, according to a study from earlier this year.
Stone’s Black Hat presentation follows a study from June that claimed 43% of Android apps were found to have vulnerabilities, while 38% of iOS apps had the same issue.
- 4 things Android phones still do better than the iPhone 15
- I used an Android phone with ChatGPT built-in — and I loved it
- This $570 Android phone crushes the iPhone 14 Pro in one big way
- This tiny Android phone almost ruined the Galaxy S23 Ultra for me
- Honor’s new Android phone has a feature we’ve never seen before