CHECK POINT SECURITY has alarmed everyone by explaining that it has found 38 Android phones that ship with malware that was installed during the supply chain and manufacturing process.
We know what you are thinking. These are probably knock off phones that are the pride of Hong Kong, but Samsung is included in the list and Check Point says that the threat is severe.
"The Check Point Mobile Threat Prevention has recently detected a severe infection in 38 Android devices, belonging to a large telecommunications company and a multinational technology company," said Oren Koriat of the Check Point mobile research team.
"While this is not unusual, one detail of the attacks stands out. In all instances, the malware was not downloaded to the device as a result of the users' use, it arrived with it.
"According to the findings, the malware were already present on the devices even before the users received them. The malicious apps were not part of the official ROM supplied by the vendor, and were added somewhere along the supply chain.
"Six of the malware instances were added by a malicious actor to the device's ROM using system privileges, meaning they couldn't be removed by the user and the device had to be re-flashed."
Check Point recommends that as a general rule people should not download applications from unusual and untrusted places, but that doesn't help much here.
More handy is the list of affected handsets, which is long, and includes Samsung models the Note 2 and 8.0, the Galaxy S4, A5 and A7, the Xiaomi Mi 4i, Oppo N3, 5 Asus Zenfone 2, LenovoS90 and more more more.
Check Point is full of advice about this sort of thing, and about the kind of threats that exist - which include the Loki malware and a piece of ransomware that sounds like an utter shit, but other than that this is a bit lacking.
It is not clear if it has contacted the mobile phone companies, so we suppose we will have to do that.
"As a general rule, users should avoid risky websites and download apps only from official and trusted app stores. However, following these guidelines is not enough to ensure their security. Pre-installed malware compromise the security even of the most careful users. In addition, a user who receives a device already containing malware will not be able to notice any change in the device's activity which often occur once a malware is installed," it added.
"The discovery of the pre-installed malware raises some alarming issues regarding mobile security. Users could receive devices which contain backdoors or are rooted without their knowledge. To protect themselves from regular and pre-installed malware, users should implement advanced security measures capable of identifying and blocking any abnormality in the device's behaviour."
We've contacted the companies, but so far Xiaomi and Lenovo have been the only firms to comment.
"In a report concerning preinstalled malware on smartphones, Check Point stated that the 'malicious apps were not part of the official ROM supplied by the vendor, and were added somewhere along the supply chain'. We can confirm that the malware listed do not come with any official ROM on Xiaomi smartphones," a spokesperson told the INQUIRER.
"Xiaomi takes security very seriously and strongly recommends users go through official channels when buying our smartphones to ensure they receive the official version of MIUI."
Lenovo said, albeit vaguely: "Lenovo is aware of the research published by Checkpoint on Friday 10th March and is investigating the findings." µ
Windows 10, 64-bit OS devices susceptible to rootkit attack
Malware suite likened to Stuxnet worm
Not the biggest fish out there
Redmond says figure is closer to the five million mark