Infiltrated OS: Android devices delivered with pre-installed malware


It’s most definitely not the first time you read this kind of headline when it comes to Android devices. CopyCat and Hook are just two of the many examples of severe harmful malware found on Android devices.

Android is the fastest-growing operating system with over 3 billion active Android devices out there. It is no surprise that it is also one of the most exploited ones.

Malware on board

Quite often vulnerabilities find their way into the operating system or installed apps unintended by their developers. Keeping the software secure and up-to-date is a demanding job to take care of. A lacking infrastructure to roll out Over-the-Air software updates makes it harder to roll out security patches. Those patches are needed to fix bugs and vulnerabilities on devices once they left the factory and are delivered to their users.

In these cases, there is usually no intent by the device manufacturers to deliver baked-in malware within their Android devices. But there are also purposely infected devices out there! The malware can be part of apps but also part of the operating system – the Android image itself. That does not mean the original equipment manufacturers (OEM) are behind this. It is not always certain when the malware gets into the supply chain.

One of the reasons for this uncertainty is the fierce competition between OEMs. Smaller companies often lack the resources to employ Android experts to build the operating system in-house. This is why they keep on outsourcing steps in the manufacturing pipeline. One of those steps is the development of a custom Android ROM. It is mostly cheaper to buy an Android image instead of keeping up with the development in-house.

The fallen prices for Android firmware have contributed to the emergence of new business models for monetizing Android images. Surprise, there is better money to be made with criminal activities than with honest business models. This has several severe security implications.

Trend Micro discovers Android supply chain attack

Trend Micro researchers at Black Hat Asia lately discovered malware pre-installed on factory new devices. That means that the malware is baked into the firmware images deployed on the devices while still in production. The security research company found at least 80 malicious plugins in dozens of Android images. Those images are used by budget smartphones, smartwatches, TVs running Android and other IoT devices.

The impact is far-reaching, with a minimum of 10 OEMs confirmed to be affected. However, according to the research team, the scope of the problem could extend to over 40 vendors in total. The sheer magnitude of the issue is staggering, as millions of infected devices are estimated to exist worldwide. Interestingly, the criminals behind the malware have disclosed that approximately 8.9 million devices are currently running their Android images with malicious plugins onboard. These figures highlight the significance of the situation and the need for immediate attention.

How can the infected Android devices be exploited?

As mentioned before the infected devices come with plugins on board. The researchers from Trend Micro call them “silent plugins”. Those silent plugins are implemented within the firmware to steal confidential information, such as:

  • text messages
  • social media credentials
  • bank account logins

Or they are used to:

  • generate clicks for affiliate pages,
  • commit traffic abuse,
  • ... and more.

But the most concerning functionality comes with a proper business model in place. The criminals can take over full control of the device. They don’t do that for themselves but rent out this access in 5-minute slots to the highest bidder. In this time slot, the following information can be harvested by the party paying for the information:

  • keystrokes
  • geographical location
  • IP address
  • nearly every other data on a device

These business models are promoted not only on dark web forums but also on mainstream social media platforms and blogs by the companies behind them.

How to get rid of the malware

The silent plugins are baked into the original Android firmware images, therefore it is not possible to simply roll out security patches to fix the issue. The devices need a whole new image which cannot easily be obtained from the manufacturer since this is where the malware was first introduced to the device.

Make sure that the Android operating system image you use for your devices is not affected by this malware.

Android TV boxes contain malware

And the story takes its course ... This incident is not an exception, as we mentioned in the introduction. Here comes another case of brand-new devices that come with more features than paid for.

Several TV Boxes running Android, sold on popular marketplaces like Amazon and Alibaba, come with an unsecured Android 10 OS version. The used operating system is not Android TV-based but uses a custom Android ROM spiked with a pre-installed backdoor baked into the OS. The "boot to botnet" functionality was found by DesktopEcho who discovered suspicious behavior when using a Pi-hole.

How can the infected Android TV boxes be exploited?

The OS backdoor opens the devices to all kinds of criminal activity. The malware installed with the OS is similar to the Android CopyCat malware, which can root and hijack devices and control network activity. Those devices can be used to:

  • Commit add fraud or traffic abuse,
  • join a large DDoS attack,
  • steal login credentials,
  • target other devices on your network,
  • ... and more.

Which Android TV boxes are infected?

Infected devices are similar to T95, T95Max, X12-Plus and X88-Pro-10 all powered by AllWinner H616, H618 or Rockchip 3328 processors and have folders named:


Moral of the storyGroup 153

This is a reminder to keep an eye on what you are buying. Some of those TV boxes offer cheap or even free access to copyrighted content, so it's not surprising that they come with a catch. But be careful with not-so-obvious devices as well. Most of the infected devices with silent plugins are cheap consumer devices. Stick with the more premium phones and smart solutions out there, and you will at least be spared factory-new malware.

With industrial Android, the solution is not as easy as recommending sticking with what you know. For product builders, we suggest not blindly trusting third-party board support packages and Android images without auditing them very closely. Also, keep in mind that you need the possibility to roll out regular Over-the-Air software updates to patch security vulnerabilities and bugs throughout the lifetime of your customers' devices. And in case of doubt, you can always consult with us. Emteria offers malware-free operating systems customized to your use cases and easily updatable through OTA updates.

As this example of a former CEO of a chain of psychotherapy clinics shows, missing intent to protect customers’ data is not just bad for business but also for your personal criminal record.



Build unique Android products, keep them secure

See why emteria is the chosen Android™ customization & management platform for product builders — build secure Android products based on your requirements.

Book live demo
Secure Android

Table of contents

emteria Demo
See emteria in action