Security researchers have found a "severe infection" in 38 Android devices belonging to two unidentified companies that were riddled with an assortment of malware. According to security firm Check Point's Mobile Threat Prevention team, the malware were pre-installed on the devices before users even received them.
The infected devices belonged to a "large telecommunications company" and a "multinational technology company," the researchers wrote in a blog post on Friday. The malicious apps present in the infected devices were not a part of the official ROM supplied by the phone manufacturers, but were added somewhere later along the supply chain.
In six of the instances, the malware was installed by a malicious actor using system privileges. This means a user would not have been able to remove it and the device had to be re-flashed.
Check Point researchers said most of the pre-installed malware on the infected devices were information stealers and rough ad networks, including the mobile ransomware Slocker.
Using the AES encryption algorithm to encrypt all files on a device, Slocker then demands ransom from the user in exchange for the decryption key. It also uses Tor for its communications to help its operators avoid detection.
The powerful and complex Loki malware was also found on the devices which displays illegitimate ads to generate revenue, swipes data about the infected device and installs itself to the system "allowing it to take full control of the device and achieve persistency."
"Pre-installed malware compromise the security even of the most careful users," researchers said. "In addition, a user who receives a device already containing malware will not be able to notice any change in the device's activity which often occur once a malware is installed."
"As a general rule, users should avoid risky websites and download apps only from official and trusted app stores," researchers wrote. "However, following these guidelines is not enough to ensure their security.
"Pre-installed malware compromise the security even of the most careful users. In addition, a user who receives a device already containing malware will not be able to notice any change in the device's activity which often occur once a malware is installed. Users could receive devices which contain backdoors or are rooted without their knowledge."