Beware, your Android phone might come with preloaded spyware

Computer users know for quite some time that buying new PCs does not necessarily mean that the computer is clean, lean and ready for use immediately.

Most computer manufacturers push so called "crapware" on PCs, trial software for instance, to increase their bottom line while only a few don't or want you to pay extra for cleaning the crapware that they have put on it.

There have been cases where these were classified as spyware, think back to Lenovo's Superfish fiasco for instance.

Things are identical on most Android devices as you don't get a stock operating system usually but added apps and modifications that the manufacturer of the device preloaded on it.

A recent study by Germany security company G DATA suggests that at least 26 different Android devices shipped with pre-installed malware in the past two years.

According to the report, malware is added to popular legitimate applications such as Facebook. One core difference between the malware-infected version of Facebook and the legitimate Facebook application is that the malware version requests even more permissions, and since it is installed by default, does not even require user consent for that.

The secret add-on functions are wide-ranging. In this example, the app can access the Internet, read and send SMS, subsequently install apps, see, store and amend call data and data about the smartphone, access the contact list, obtain location  data and monitor app updates.

These permissions enable extensive misuse: location detection, listening to and recording telephone calls or conversations, making purchases, bank fraud or sending premium SMS.

Malicious applications that are preloaded on devices pose two main issues for users when it comes to identification and removal. First, since these apps inherit the functions of their host application, e.g. Facebook, they function as the user would expect them to.

It is therefore difficult to detect whether a preloaded application is malicious or not. One could compare the permissions of the installed application with the permissions the legitimate application to find out about that, or run security software instead to scan the system for malware. Security software on the other hand may not detect it if the malware is not known.

Once a malicious preloaded application has been detected, users bump into the issue that these applications cannot be removed as they have been pre-installed on the device. The only option available on the device itself is to disable the application.

Another option would be to root the device or start with a clean slate by installing a different environment on it.

G Data believes that the manipulation is not carried out by the device manufacturer but by middleman who operate out of China. The company discovered malware on three mobile devices in factory condition (the Star N8500, Star 8000 and IceFox Razor).

The list of infected models includes devices by Xiaomi, Huawei and Lenovo (MI3, G510 and S860), a well as devices from Alps, Sesonn, Xido and Concorde.

Most devices are sold in China and Europe. A quick check on the German and US Amazon website revealed that Xiamoi's, Huawei's and Lenovo's devices were sold there. This does not necessarily mean that the devices sold there are infected though.

Closing Words

The devices are not overly popular in Europe or America, and some of them appear to be only available in China and Asia. Still, it is important to know that this is happening and that new devices may ship with malicious code.