Pre-Installed Android Malware Raises Security Risks in Supply Chain

Security experts are increasingly worried about supply-chain security following reports of more than 20 cases in which rogue retailers pre-installed malware on new Android phones before selling them.

Rogue retailers are unpacking phones made in China, installing malware and then selling the infected phones on the open market, security firm G DATA stated in a report released Sept. 1.

The scheme mainly involves local brands of Android phones, such as Alps, Xiaomi and even a line of devices known as "NoName," but it also affects phones from well-known international brands such as Huawei and Lenovo.

While some compromised phones have been discovered as far away as Europe, the devices were mainly sold through Chinese retailers, likely street vendors in urban areas of China, according to G DATA's report.

The incidents, which involve nearly two dozen brands of phones, underscore the current difficulties in securing technology as it moves through the supply chain to its destination.

"This happens before the user ever gets the phone," Andy Hayter, security evangelist with G DATA, told eWEEK. "We checked with some of the manufacturers and they are telling us that it is not happening on their end of the supply chain."

The incidents illustrate the dangers of untrusted supply chains. Companies and government agencies have grown worried about the security of the supply chain, the flow of goods from manufacturer to retailer to consumers, and the ease with which devices can be altered at any point along it.

In 2013, classified documents leaked by former NSA contractor Edward Snowden showed that the U.S. National Security Agency and other national intelligence agencies had regularly infiltrated supply chains feeding technology to countries of interest, turning intercepted devices into electronic moles. According to the documents, devices from Cisco, Dell and other manufacturers were intercepted in transit and modified to include implants that enabled NSA monitoring.

Recent events demonstrate that even rank-and-file consumers have to worry about the provenance of their devices and the software installed by retailers and manufacturers. In February, for example, Lenovo was found to have shipped consumer PCs pre-loaded with the Superfish adware, which added its own root certificate to the Windows trust store so it could inject ads into HTTPS pages; because every affected machine carried the same certificate and private key, anyone who extracted that key could intercept those users' encrypted traffic.

In June, smartphone maker Samsung gave in to consumer pressure and agreed to allow users to disable pre-installed applications, many of which slowed down the systems and collected data on the users.

As mobile devices and the Internet of things (IoT) become more common, solving supply-chain security issues will become even more urgent, Theodora Titonis, vice president of software-security firm Veracode, told eWEEK.

"You are seeing all these means of inserting these security threats into the holes in the software supply chain," she said. "Everything is moving so quickly and there are all these holes, so it makes securing the device that much harder."

In the latest scheme detected by G DATA, the rogue retailers apparently opened boxes of new Android phones and re-flashed them with modified firmware in which a standard application, in this case Facebook's mobile app, had been replaced by a malicious version. An app planted in the system partition this way survives a factory reset and cannot be uninstalled through the normal Android settings, and because it keeps the original package name and icon, a user has no way to tell it from the genuine app short of checking its signing certificate.
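A retailer who re-flashes firmware with a trojanized copy of a well-known app cannot reproduce the publisher's signature, so the replaced APK necessarily carries a different signing certificate. The check below, an added example that is not code from G DATA or from this article, pins the SHA-256 fingerprint of a preinstalled APK's signing certificate and flags any package whose certificate does not match. It parses the v1 (JAR) signature in META-INF, which is what phones of this era carry; the APK Signing Block used by v2/v3 signatures, introduced with Android 7.0, is not handled. The package name `com.facebook.katana` is Facebook's real Android package name; the pins, the "certificates" (bare DER SEQUENCEs standing in for real X.509 structures) and the APK bytes are constructed for the demo.

```python
"""Pin check for the signing certificate of a preinstalled APK (v1 signature).

Added example, not from G DATA or the article. All certificates, pins and
APK contents below are constructed demo data.
"""
import hashlib
import io
import zipfile


def _tlv(buf: bytes, pos: int):
    """Decode one DER element at buf[pos]: (tag, value, raw bytes, next pos).
    Indefinite-length BER (length byte 0x80) is rejected."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    start, tag, length, pos = pos, buf[pos], buf[pos + 1], pos + 2
    if length == 0x80:
        raise ValueError("indefinite-length BER not supported")
    if length & 0x80:                                 # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], buf[start:end], end


def _expect(tag: int, want: int, what: str) -> None:
    if tag != want:
        raise ValueError(f"{what}: expected tag {want:#x}, got {tag:#x}")


def signer_certificates(pkcs7: bytes) -> list:
    """DER certificates embedded in a PKCS#7 SignedData (META-INF/CERT.RSA)."""
    tag, content_info, _, _ = _tlv(pkcs7, 0)
    _expect(tag, 0x30, "ContentInfo")
    _, _, _, pos = _tlv(content_info, 0)              # contentType OID, skipped
    tag, explicit0, _, _ = _tlv(content_info, pos)
    _expect(tag, 0xA0, "content [0] EXPLICIT")
    tag, signed_data, _, _ = _tlv(explicit0, 0)
    _expect(tag, 0x30, "SignedData")
    pos = 0
    for _ in range(3):                                # version, digestAlgorithms, encapContentInfo
        _, _, _, pos = _tlv(signed_data, pos)
    tag, cert_set, _, _ = _tlv(signed_data, pos)
    if tag != 0xA0:                                   # certificates [0] IMPLICIT is OPTIONAL
        return []
    certs, pos = [], 0
    while pos < len(cert_set):
        tag, _, raw, pos = _tlv(cert_set, pos)
        if tag == 0x30:                               # an X.509 Certificate is a SEQUENCE
            certs.append(raw)
    return certs


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER certificate, as `apksigner verify --print-certs` reports it."""
    return hashlib.sha256(cert_der).hexdigest()


def apk_signer_fingerprints(apk_bytes: bytes) -> set:
    """Fingerprints of every certificate in the APK's v1 signature files."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                for cert in signer_certificates(z.read(name)):
                    found.add(cert_fingerprint(cert))
    return found


def check_preinstalled(package: str, apk_bytes: bytes, pins: dict) -> str:
    """"OK" only if every embedded certificate is pinned for this package.
    This is an identity check; pair it with `apksigner verify` for the signature itself."""
    expected = pins.get(package)
    if expected is None:
        return "UNKNOWN"
    found = apk_signer_fingerprints(apk_bytes)
    if not found:
        return "UNSIGNED"
    return "OK" if found <= expected else "MISMATCH"


# ---- constructed demo data: placeholder certificates, not real X.509 ----
def _der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder used only to build the demo blobs."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


OID_DATA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x01"         # 1.2.840.113549.1.7.1
OID_SIGNED_DATA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"  # 1.2.840.113549.1.7.2


def build_pkcs7(cert_der: bytes) -> bytes:
    """SignedData carrying one certificate and no signerInfos: enough to exercise the parser."""
    body = (_der(0x02, b"\x01") + _der(0x31, b"") + _der(0x30, _der(0x06, OID_DATA))
            + _der(0xA0, cert_der) + _der(0x31, b""))
    return _der(0x30, _der(0x06, OID_SIGNED_DATA) + _der(0xA0, _der(0x30, body)))


def build_apk(cert_der: bytes = None) -> bytes:
    """Zip with an APK's layout; cert_der=None yields an unsigned package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<!-- placeholder -->")
        if cert_der is not None:
            z.writestr("META-INF/CERT.RSA", build_pkcs7(cert_der))
    return buf.getvalue()


# Padded past 127 bytes so the long-form length path is exercised.
GENUINE_CERT = _der(0x30, b"publisher-cert-placeholder" * 8)
ROGUE_CERT = _der(0x30, b"retailer-cert-placeholder" * 8)
PINS = {"com.facebook.katana": {cert_fingerprint(GENUINE_CERT)}}   # pin taken from a trusted copy

if __name__ == "__main__":
    for label, cert in (("factory image", GENUINE_CERT), ("re-flashed image", ROGUE_CERT)):
        print(label, check_preinstalled("com.facebook.katana", build_apk(cert), PINS))
```

Against a real device, `adb shell pm path com.facebook.katana` gives the APK's location under /system and `adb pull` retrieves it; the pin should come from a copy obtained through the Play Store or from the publisher, never from the suspect phone itself. Because the parser only identifies the embedded certificates, a package that reports "OK" still needs `apksigner verify` to confirm that the signature was actually made with that certificate.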

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...