Overall, Android devices have earned a decidedly mixed reputation for security. While the OS itself and Google's Pixels have stood up over the years against software exploits, the never-ending flow of malicious apps in Google Play and vulnerable devices from some third-party manufacturers have tarnished its image.
On Thursday, that image was further tarnished after two reports said that multiple lines of Android devices came with preinstalled malware that couldn’t be removed without users taking heroic measures.
The first report came from security firm Trend Micro. Researchers following up on a presentation delivered at the Black Hat security conference in Singapore reported that as many as 8.9 million phones comprising as many as 50 different brands were infected with malware. First documented by researchers from security firm Sophos, Guerrilla, as they named the malware, was found in 15 malicious apps that Google allowed into its Play market.
Guerrilla opens a backdoor that causes infected devices to regularly communicate with a remote command-and-control server to check if there are any new malicious updates for them to install. These malicious updates collect data about the users that the threat actor, which Trend Micro calls the Lemon Group, can sell to advertisers. Guerrilla then surreptitiously installs aggressive ad platforms that can deplete battery reserves and degrade the user experience.
Trend Micro researchers wrote:
While we identified a number of businesses that Lemon Group does for big data, marketing, and advertising companies, the main business involves the utilization of big data: Analyzing massive amounts of data and the corresponding characteristics of manufacturers’ shipments, different advertising content obtained from different users at different times, and the hardware data with detailed software push. This allows Lemon Group to monitor customers that can be further infected with other apps to build on, such as focusing on only showing advertisements to app users from certain regions.
The country with the highest concentration of infected phones was the US, followed by Mexico, Indonesia, Thailand, and Russia.