During last week's Black Hat security conference in Las Vegas, Google's Maddie Stone warned attendees (via Forbes) about the dangers inherent in pre-installed apps. Stone, a security researcher with the tech giant's Project Zero, pointed out that malicious actors are moving to the supply chain. She said, "If malware or security issues come as preinstalled apps, then the damage it can do is greater, and that's why we need so much reviewing, auditing, and analysis." Why is this move potentially more harmful to Android users? Because the attackers "only have to convince one company to include the app, rather than thousands of users." Stone says that most Android devices have 100 to 400 apps pre-installed out of the box.
The security researcher mentioned two particular malware attacks during her presentation, Chamois and Triada. The former pushes out fraudulent ads, sends out text messages that generate revenue, and installs background apps and plugins. The latter is older malware that also runs ads and installs other apps. Google has been screening pre-installed apps, and Stone states that from March of 2018 through March of this year, the number of devices infected with Chamois was reduced from 7.4 million to 700,000.
Some infected apps can hide their presence on a phone
While these infected pre-installed apps are bad enough since they come with a new device out of the box, Android users also need to use common sense when installing an app from the Google Play Store. Before downloading an app from an unknown developer, check out the comments. If the app is infected by malware, you'll usually find a number of complaints from users who have already installed the title and had to deal with some unusual issues related to it. For example, earlier this year Google removed 29 camera beauty and filter apps from the Play Store after it was discovered that they contained malware. These apps claimed to improve selfies and photos snapped by the user, but also served up full-screen ads. Anyone considering loading these apps on their phone would have been dissuaded from doing so had they looked at the comments sections for most of these titles. An Android user who downloaded one of the infected apps warned others by writing, "Please don't download. If you download it, your phone will be hacked." Another user said that even though he deleted the app, and it no longer appeared in his list of installed apps, he was still receiving the ads that it was pushing out.
Many of the malware-infected apps are able to hide their presence on a phone once installed. The icon might not even appear anywhere on the device. But that doesn't mean that they can't continue to run ads on the device, or generally hamper the ability of a phone owner to use his or her handset. And any type of app can hide evil intentions. Even something as innocuous-looking as a wallpaper app can contain malware. You might recall that two years ago, Google removed such apps from its Android app storefront after they had infected 21 million handsets. In that case, a specific attack called ExpensiveWall was cooked up and "packed" inside these apps, allowing it to escape Google's scanning. These apps would send premium text messages that users were charged for, and also signed them up for other pay services without their knowledge or consent.