Malware affected Android phones
An outbreak of preinstalled malware has affected 38 Android phones used by two unidentified companies, according to a new research report.Creative Commons

A maker of cybersecurity products for businesses has detected "a severe infection" caused by an outbreak of malware in more than three dozen Android handsets used by two leading companies.

What makes the discovery so alarming is that the malware were not downloaded to the devices by users, it came preinstalled.

The malware, which infected 38 Android phones used by a large telecommunications company and a multinational technology company, were not part of the official ROM supplied by vendors, but were added somewhere along the supply chain, according to a blog post published on Friday by Check Point Software Technologies.

In six of the malware instances, the malicious software were added to the devices' ROM using system privileges, which means that the firmware needs to be reinstalled to remove the malware from the devices.

"The research team was able to determine when the manufacturer finished installing the system applications on the device, when the malware was installed, and when the user first received the device," according to the blog post.

Most of the malware that came preinstalled on the phones were meant to steal information while some were rough ad networks. The report specifically mentioned one such "adnet" called the "Loki Malware", which can install itself into systems to take full control of the affected devices.

Another malware researchers detected was "Slocker," a mobile ransomware that can encrypt all files on the devices and then demand ransom in return for a decryption key. According to Check Point Software Technologies, Slocker uses Tor to conceal the identity of its operators.

For those who are not familiar with Tor, it's a free software tool and an open network that enables anonymous communication. It helps users defend against network surveillance, which, according to its developers, "threatens personal freedom and privacy".

The affected devices include:

  • Galaxy Note 2
  • LG G4
  • Galaxy S7
  • Galaxy S4
  • Galaxy Note 4
  • Galaxy Note 5
  • Galaxy Note 8
  • Xiaomi Mi 4i
  • Galaxy A5
  • ZTE x500
  • Galaxy Note 3
  • Galaxy Note Edge
  • Galaxy Tab S2
  • Galaxy Tab 2
  • Oppo N3
  • vivo X6 plus
  • Nexus 5
  • Nexus 5X
  • Asus Zenfone 2
  • LenovoS90
  • OppoR7 plus
  • Xiaomi Redmi
  • Lenovo A850

According to Check Point Mobile Threat Researcher Daniel Padon, it's still unclear whether someone specifically targeted the two companies or the infections were part of larger hacking attempt, Ars Technica reported.

A word of caution

Pre-installed malware compromise the security even of the most careful users. In addition, a user who receives a device already containing malware will not be able to notice any change in the device's activity which often occur once a malware is installed... To protect themselves from regular and pre-installed malware, users should implement advanced security measures capable of identifying and blocking any abnormality in the device's behavior.