Android malware has been found pre-loaded on hundreds of thousands of phones straight out of the box, with the criminals behind it attempting almost 20 million fraudulent transactions. Android is one of the most widely used pieces of software in the world, with over two billion devices running the Google-made mobile OS, and that huge user base is unfortunately no stranger to security threats, with a number of high-profile Android alerts and warnings issued by leading researchers.
Oftentimes these Android warnings revolve around nefarious apps that manage to sneak their way onto the Google Play Store.
But the latest Android alert concerns malware that is already present on the device before its owner turns it on for the first time.
As reported by HackRead, almost a quarter of a million Android devices were found to ship with pre-loaded malware.
The well-known Triada strain of malware was discovered on over 200,000 Android phones straight out of the box.
This malicious software acts as a backdoor and malware downloader, using root-level device privileges to execute arbitrary code chosen by its operators.
Because it lives inside persistent system components shipped in the firmware rather than in a user-installed app, it survives the usual clean-up steps: uninstalling apps or even a factory reset restores the same infected firmware, which is what makes it so resilient to removal, as explained in an Upstream Systems blog post.
Upstream, the company behind the Secure-D anti-fraud platform, said the activity originated from handsets made by Transsion, a Chinese manufacturer.
The firm produces budget Android handsets, and the suspicious transactions were spotted mainly in Ethiopia, Cameroon, Egypt, Ghana, and South Africa.
However, fraudulent mobile transaction activity was also detected in another 14 countries.
This isn’t the first time pre-installed malware has been found on Android phones, and the consequences for victims can be severe.
If it isn’t identified and blocked, it can lead to widespread losses, with criminals netting millions in stolen funds.
Upstream Systems said an investigation carried out by Google found that a vendor “somewhere in the manufacturing supply chain” was likely responsible for placing a Triada component into the devices’ firmware.
The security experts added: “Secure-D blocked a total of 19.2m suspicious subscription sign-ups between March 2019 and August 2020, coming from over 200,000 unique Transsion Tecno W2 devices across 19 countries.
“Most of the suspicious activity, which is still ongoing, took place in Egypt, Ethiopia, South Africa, Cameroon, and Ghana. In the period under investigation, Secure-D detected and blocked nearly 800,000 xHelper suspicious requests from W2 devices.
“The mobile malware uncovered by researchers generated fake clicks, attempted fraudulent subscriptions and installed other suspicious apps without user consent. All of these actions happened completely in the background and were invisible to device owners.
“Had the subscription attempts been successful, the data services involved would have consumed each user’s pre-paid airtime – the only way to pay for digital products in many emerging markets.
“Ad and click fraud are recurring issues affecting everyone in the mobile marketing ecosystem. To avoid falling victim, Android users in particular should check their phone airtime records for unexpected charges and high data usage.
“Third-party app stores often have less rigorous approval processes that let malware-prone apps sneak into their listings, but even apps from official sources like Google Play can be compromised. And as we’ve seen in this instance, sometimes the infection is already present when you purchase a new phone.”
Upstream says Secure-D has blocked all of the suspicious activity it detected from Transsion devices in Africa since the start of its investigation.