Android devices may come with built-in malware
Attackers can place malicious code at the device development stage and thus infect the supply chain.
Android devices may come with built-in malware and backdoors due to inadequate control and verification. According to researcher Maddie Stone of Google Project Zero, attackers use this opportunity to place malicious code right at the development stage and thus infect the supply chain.
Certified Android devices that come pre-installed with Google apps use approved build images for the mobile operating system. They undergo rigorous testing before release to consumers, verifying compliance with the Android security model and permissions, as well as the latest OS updates.
However, most Android vendors use a cheaper version of the Google operating system – AOSP (Android Open-Source Project). In this case, protection from malicious applications is provided by the integrated Google Play Protect (GPP). Attackers see an opportunity in this scheme: it is enough to convince a single manufacturer to include malicious code among its preinstalled applications, and the infection can reach thousands of users.
As an example, Stone cited the Chamois botnet, which is used for SMS fraud, click fraud, and fraudulent application installs. The malware spread in the form of an SDK to third-party developers, who mistook it for an advertising library and unwittingly included it in their applications. Chamois operators were able to infect about 7.4 million devices in March 2018. Users saw on their phones a preinstalled application that could download the Chamois backdoor, the Snowfox trojan, and click-fraud software.
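The practical question for a defender facing the AOSP scenario and the Chamois case above is how to find a preinstalled package that should not be there. The script below is an added example, not code from the article or from Google; it parses the line format produced by `adb shell pm list packages -s -f` (`package:<apk path>=<package name>`), classifies each system package by partition and privilege level, and flags any package missing from a known-good baseline. The package dump and the baseline set are constructed for illustration; the `com.example.*` names are placeholders, not real packages.

```python
"""Triage a dump of pre-installed Android packages against a known-good baseline.

Added example (not from the article). Parses the output format of
`adb shell pm list packages -s -f` and reports system packages that are
not on an allowlist. SAMPLE_DUMP and BASELINE below are constructed.
"""
import re
from dataclasses import dataclass

# One line per package: "package:/system/app/Foo/Foo.apk=com.foo"
LINE_RE = re.compile(r"^package:(?P<path>.+?)=(?P<pkg>[A-Za-z0-9_.]+)$")


@dataclass(frozen=True)
class SystemPackage:
    name: str
    apk_path: str
    partition: str   # system, vendor, product, system_ext, ... from the APK path
    privileged: bool  # installed under a priv-app directory


def classify_partition(path: str) -> str:
    """Derive the partition from the APK path; /system/vendor/... counts as vendor."""
    parts = path.lstrip("/").split("/")
    if len(parts) >= 2 and parts[0] == "system" and parts[1] in ("vendor", "product", "system_ext"):
        return parts[1]
    return parts[0] if parts and parts[0] else "unknown"


def parse_package_list(text: str) -> list[SystemPackage]:
    """Parse pm output, tolerating adb noise lines that do not match the format."""
    pkgs = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        path, name = m.group("path"), m.group("pkg")
        pkgs.append(SystemPackage(
            name=name,
            apk_path=path,
            partition=classify_partition(path),
            privileged="/priv-app/" in path,
        ))
    return pkgs


def find_unexpected(pkgs: list[SystemPackage], baseline: frozenset[str]) -> list[SystemPackage]:
    """Return packages whose names are not on the baseline, privileged ones first."""
    flagged = [p for p in pkgs if p.name not in baseline]
    flagged.sort(key=lambda p: (not p.privileged, p.name))
    return flagged


# Constructed dump: four expected packages plus one privileged package
# that a known-good build of this device would not contain.
SAMPLE_DUMP = """\
* daemon not running; starting now at tcp:5037
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/app/Bluetooth/Bluetooth.apk=com.android.bluetooth
package:/vendor/app/CameraService/CameraService.apk=com.example.vendor.camera
package:/system/priv-app/SysUpdateHelper/SysUpdateHelper.apk=com.example.sysupdatehelper
package:/product/app/Weather/Weather.apk=com.example.weather
"""

# Constructed baseline, e.g. taken from a reference unit of the same model.
BASELINE = frozenset({
    "com.android.settings",
    "com.android.bluetooth",
    "com.example.vendor.camera",
    "com.example.weather",
})


def triage(dump: str = SAMPLE_DUMP, baseline: frozenset[str] = BASELINE) -> list[SystemPackage]:
    return find_unexpected(parse_package_list(dump), baseline)


if __name__ == "__main__":
    for p in triage():
        tag = "PRIV" if p.privileged else "app "
        print(f"[{tag}] {p.partition:<10} {p.name}  ({p.apk_path})")
```

A name allowlist only catches packages that were added; a known package whose APK was replaced with a modified build keeps its name. For that case, pull the flagged or suspect APK with `adb pull` and compare its signing certificate against the reference unit using `apksigner verify --print-certs`, and treat any privileged package (a `priv-app` path) that deviates from the baseline as the highest-priority finding, since those packages receive signature-level permissions.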