Google has made significant headway when it comes to removing malware from the Play Store but a recent Black Hat presentation from a Google Project Zero researcher has shined light on the fact that many devices ship with malicious apps pre-installed.
Maddie Stone, who previously worked on the Android Security team and is still with Project Zero, revealed that it is nearly impossible for users to defend themselves against pre-installed malware on their devices.
Android devices now ship with somewhere between 100 and 400 apps and a cybercriminal only needs to subvert one of these apps to infect a device even before it ends up in the hands of a consumer.
This problem has become particularly troubling on cheaper smartphones which use the Android Open Source Platform (AOSP) as opposed to the licensed ‘stock’ Google version of Android that larger brands use.
Supply chain security
Stone highlighted several instances she encountered while working on the Android Security team including an SMS and click fraud botnet called Chamois that was able to infect at least 21m devices beginning in 2016.
This malware was harder to defeat than anticipated because it wasn’t until March of 2018 that Google realized that 7.4m of the affected devices had the malware pre-installed in the supply chain. The company was successfully able to reduce pre-installed Chamois to a tenth of that level by 2019 but other supply chain security issues were also identified.
For instance, 225 device manufacturers either left diagnostic software on their devices which provided backdoor remote access, modified Android Framework code that allowed spyware-level logging or installed apps that had been configured to bypass Google Play Protect security. While some of these supply chain security issues were inadvertent, the threat was dangerous enough that Google did assign a CVE number and issued a software fix that outlawed the bypass at the beginning of this year.
According to Stone, stopping the supply chain malware problem is much more difficult than removing rogue apps from the Google Play Store since detection must happen at a lower level than traditional security apps are capable of. Now that light has been shone on the issue, Stone would like to see further third-party research into this software level.