To help us provide you with free impartial advice, we may earn a commission if you buy through links on our site. Learn more

Millions of Android phones at risk of shipping with malware preinstalled

Cheaper handsets are more likely to be affected

Millions of Android phones are at risk of shipping with malicious preinstalled apps, a recent report from Black Hat has uncovered. The findings were presented by Maddie Stone, a former employee of Android Security and current member of the Project Zero team, who revealed that it’s near-impossible to protect your device against the flaw.

As has been the case for years, Android handsets come in the box with apps preinstalled, although the number of apps has reached anywhere from 100 to 400 in recent years. These apps are vulnerable to malicious hackers, who only need to corrupt one of some 400 apps in order to subvert the entire device – all before it’s been shipped to users.

READ NEXT: Best antivirus for Android – the best free and paid-for apps to keep you safe from viruses, phishing scams and dodgy apps

“If malware or security issues come as preinstalled apps then the damage it can do is greater, and that’s why we need so much reviewing, auditing, and analysis,” said Stone.

She went on to draw attention to several widespread security breaches which had taken place on the handsets. One of the first was back in 2016, which saw an SMS and click fraud botnet infiltrate a whopping 21 million handsets at the start of the year.

Google eventually apprehended in March 2018 that the affected phones had malware preinstalled on them. While by 2019 the Mountain View-based company was able to minimise the chance of this happening to one-tenth of what it was three years prior, supply chain security issues persisted.

Also revealed was that cheaper smartphones are more likely to be affected; budget phones often run Android Open Source Project (AOSP), the operating system that’s at risk. AOSP is a cheaper alternative to Android that’s designed to keep prices low, but it could mean customers are buying into a flawed system.

READ NEXT: This Google Play bug is draining Android batteries

The news comes on the back of concerns surrounding Google Play Services, whose recent battery-depleting tendencies have prompted some to voice concerns over the buggy upgrade responsible for zapping batteries.

However, industry insiders say the preinstalled malware is much harder to solve than fixing Google Play upgrades. Detection of the malicious presences has to take place on a more micro level than is achievable by conventional security apps. For her part, Stone joins others in calling for the industry to bolster this means of detection.

Read more