Skip to content
ATTACK OF THE ANDROIDS

Potentially millions of Android TVs and phones come with malware preinstalled

The bane of low-cost Android devices is showing no signs of going away.

Dan Goodin | 120
Cybercriminals or anonymous hackers use malware on mobile phones to hack personal and business passwords online. Credit: Getty Images
Cybercriminals or anonymous hackers use malware on mobile phones to hack personal and business passwords online. Credit: Getty Images
Story text

Overall, Android devices have earned a decidedly mixed reputation for security. While the OS itself and Google's Pixels have stood up over the years against software exploits, the never-ending flow of malicious apps in Google Play and vulnerable devices from some third-party manufacturers have tarnished its image.

On Thursday, that image was further tarnished after two reports said that multiple lines of Android devices came with preinstalled malware that couldn’t be removed without users taking heroic measures.

The first report came from security firm Trend Micro. Researchers following up on a presentation delivered at the Black Hat security conference in Singapore reported that as many as 8.9 million phones comprising as many as 50 different brands were infected with malware. First documented by researchers from security firm Sophos, Guerrilla, as they named the malware, was found in 15 malicious apps that Google allowed into its Play market.

Guerrilla opens a backdoor that causes infected devices to regularly communicate with a remote command-and-control server to check if there are any new malicious updates for them to install. These malicious updates collect data about the users that the threat actor, which Trend Micro calls the Lemon Group, can sell to advertisers. Guerrilla then surreptitiously installs aggressive ad platforms that can deplete battery reserves and degrade the user experience.

Trend Micro researchers wrote:

While we identified a number of businesses that Lemon Group does for big data, marketing, and advertising companies, the main business involves the utilization of big data: Analyzing massive amounts of data and the corresponding characteristics of manufacturers’ shipments, different advertising content obtained from different users at different times, and the hardware data with detailed software push. This allows Lemon Group to monitor customers that can be further infected with other apps to build on, such as focusing on only showing advertisements to app users from certain regions.

The country with the highest concentration of infected phones was the US, followed by Mexico, Indonesia, Thailand, and Russia.

Guerrilla is a massive platform with nearly a dozen plugins that can hijack users’ WhatsApp sessions to send unwanted messages, establish a reverse proxy from an infected phone to use the network resources of the affected mobile device, and inject ads into legitimate apps.

Unfortunately, Trend Micro didn’t identify the affected brands, and company representatives didn’t respond to an email asking for them.

The second report was published by TechCrunch. It detailed several lines of Android-based TV boxes sold through Amazon that are laced with malware. The TV boxes, reported to be T95 models with an h616, report to a command-and-control server that, just like the Guerrilla servers, can install any application the malware creators want. The default malware preinstalled on the boxes is known as a clickbot. It generates advertising revenue by surreptitiously tapping on ads in the background.

TechCrunch cited reports (here and here) by Daniel Milisic, a researcher who happened to buy one of the infected boxes. Milisic’s findings were independently confirmed by Bill Budington, a researcher at the Electronic Frontier Foundation.

Android devices that come with malware straight out of the factory box are, unfortunately, nothing new. Ars has reported on such incidents at least five times in recent years (here, here, here, here, and here). All the affected models were in the budget tier.

People in the market for an Android phone should steer toward known brands like Samsung, Asus, or OnePlus, which generally have much more reliable quality assurance controls on their inventory. To date, there have never been reports of higher-end Android devices coming with malware preinstalled. There are similarly no such reports for iPhones.

Listing image: Getty Images

Photo of Dan Goodin
Dan Goodin Senior Security Editor
Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him at @dangoodin on Mastodon. Contact him on Signal at DanArs.82.
120 Comments
Staff Picks
While I understand your post as a reference to the first comment...

It begs the question of why the author of the article put in the last line given that its irrelevant to the content of the article, and literally only serves to create trolling like in the first reply.

Does Ars pay its authors based on engagement metrics?

If so, I'd suggest we all take your comment to heart by not rewarding the obvious troll fishing by the article author, and leave this reply thread barren.
Or maybe it’s an article that says that cheap Android devices have malware pre installed, then goes on to say that the more expensive Android phones do not have malware pre installed, and ends by saying iPhones do not have malware pre installed. Seems logical to me to finish the article by stating to which degree of the phone/device market as a whole is suffering from this.