Malware infections are usually expected when users download malicious apps. Unfortunately, in some cases a download isn't even necessary.
There have been many news reports about the Google Play Store hosting malicious apps. But this time is different: according to Google's security research team, even shiny new Android smartphones can come with dangerous malware pre-installed.
Some of that malware can download other malware in the background, commit ad fraud, or even take over the brand-new devices that host it.
This report should worry anyone who expects a newly purchased gadget to be safe and clean.
Making things worse, Google said that the number of affected Android smartphones can reach tens of millions.
As the main competitor to Apple's iOS in the mobile market, Google's Android comes with many advantages, many of which result from the operating system's open-source community. This allows developers to collaborate and create new things for the operating system. However, this advantage comes with a huge drawback, as it makes Android an extremely fragmented operating system.
As opposed to iOS, Android phone manufacturers and carriers can tweak and improve the original Android from Google according to their respective tastes. For example, they can add or remove certain features as part of their branding efforts.
While this approach gives Android a huge variety, the fragmented ecosystem makes it a not-so-great operating system when it comes to security.
While many bad actors have seized the opportunity to hide malware in Android apps on the Google Play Store, this time they are taking advantage of factory-installed apps that Google has not vetted.
Android smartphones can come with tens to hundreds of factory-installed apps. Many third-party apps come from developers who pay the phone manufacturer to have their apps pre-installed, marketing their products as utility apps.
Most of the time, those apps do what they're supposed to do, which allays most users' suspicion. Unfortunately, many of those apps can actually have malicious intent.
Maddie Stone, a security researcher from Google's Project Zero, shared her team's findings at the 2019 Black Hat conference, saying that bad actors benefit from supply chain compromise, in which they "only have to convince one company to include their app, rather than thousands of users."
"If malware or security issues come as preinstalled apps," she warned, "then the damage it can do is greater, and that's why we need so much reviewing, auditing and analysis."
She raised particular concern about two malware campaigns: Chamois and Triada.
The former generates various types of ad fraud, and is capable of installing malicious background apps, downloading plugins and even sending premium-rate text messages. Chamois alone was found to have come installed on 7.4 million devices. As for the latter, Triada, it is considered an older variant of malware, which also shows fraudulent ads and installs apps.
Stone continued by saying that Google has been working with device manufacturers to solve this issue, and that between March 2018 and March 2019 the effort reduced Chamois from 7.4 million to "only" 700,000.
"The Android ecosystem is vast," she said, "with a diversity of OEMs and customizations - if you are able to infiltrate the supply chain out of the box, then you already have as many infected users as how many devices they sell—that's why it's a scarier prospect."