Trend Micro researchers report that the pre-installation of malware on Android devices, mainly smartphones, has become more and more common in recent years.
The existence of malware targeting Android is a very old story that we have repeated many times; however, it normally arrives through unreliable stores or repositories, or through Google’s Play Store itself, despite the fact that the Android giant has implemented measures such as Play Protect to strengthen the security of its own front.
What Trend Micro researchers report goes a step further, because the malware comes pre-installed on Android devices, which makes it much more difficult to uninstall. What the user has installed from the Play Store or other stores is easy to remove, but when the malware is embedded in the system or firmware of the device, removing it becomes far more complicated and may end up requiring drastic measures.
Delving into Trend Micro’s findings, many of the firmware images they have reviewed contained code snippets that have been described as “silent plugins”. Researchers have discovered more than 80 such plugins, but only a few have been widely distributed. The worst thing is that the most popular ones are sold clandestinely and promoted through blogs and platforms like Facebook and YouTube.
And what do these “silent plugins” allow you to do? Among the possibilities, according to Trend Micro, is that cybercriminals could “rent” multiple devices at once for up to five minutes and use them to steal credentials or other sensitive user information. Other plugins provide the ability to download and introduce additional malware onto the infected device.
Experts from the cybersecurity company point out that another reason for the spread is the downward price competition among mobile firmware developers, which has made selling firmware unprofitable; consequently, many developers began to offer their firmware for free.
Researchers estimate that millions of infected devices are currently in use around the world, with Eastern Europe and Southeast Asia apparently the areas most affected by these “silent plugins”. As for specific figures, the curious thing is that the cybercriminals themselves boast that 8.9 million Android devices are loaded with at least one of these “silent plugins” (which by now are clearly malicious plugins).
Trend Micro has confirmed the presence of these malicious plugins in devices from at least ten vendors, most of them of Chinese origin. The cybersecurity firm suspects there are forty other affected vendors, but for now it is more interested in determining where in the supply chain the infection is most likely to occur.
For its part, Google is aware of the problem, but it is not easy to solve due to the complexity of the Android OEM supply chain and the open nature of the Android Open Source Project, which can make things much easier for malware developers if things are not done correctly, especially when it comes to monitoring. Cheap devices, coming mainly from brands of Chinese origin, are apparently the most affected by “silent plugins”, so Trend Micro recommends buying higher-end devices from manufacturers like Samsung or Google.
The search engine giant has invested considerable effort in recent years to expand the capabilities of Play Protect in order to monitor the applications that come pre-installed on Android devices and find malicious behavior. However, the Mountain View-based company may have a challenge ahead in detecting and stopping these “silent plugins”.
The measures taken by Google, how could it be otherwise, have been met with further research by cybercriminals to circumvent the protections introduced, which has led to the development of businesses on the dark web whose services cost between $2,000 and $20,000, according to Kaspersky.