Stone described two cases in which the preinstalled “malware” was accidental but still posed a threat to the security of millions of people. Up to 225 device manufacturers had applications containing code that allowed remote code execution.
These applications opened a window for anyone online to connect to them, and once connected, that person would have total control. That affected 6 million devices, but it was fixed in a month, Stone said.
In the second case, Honeywell had vulnerabilities preinstalled on Android devices that control their industrial control systems. All applications on Android devices that Honeywell used had wide privileges, so a potential attacker could have abused this security hole and stolen passwords and documents. The company revealed this vulnerability last September.
In another case study, the Android security team discovered a preinstalled application that disabled Google Play Protect, which it fixed last November. Stone also described a preinstalled application that kept detailed records of users' web activity, which Google considers spyware.
Malware preinstalled or downloaded

All malware may seem identical, but when it is preinstalled, some important differences make it a more dangerous threat.
Because phone manufacturers approve and install these applications, antivirus programs do not report them as harmful, even if an application behaves exactly like malware. These applications also have higher permissions than downloaded malware and cannot be removed unless phone manufacturers send a security update, Stone said.
Google Play Protect can disable the malicious application, but it cannot completely remove it. In 2018, the Android security team examined versions from approximately 1,000 different phone manufacturers to ensure that no preinstalled malware was included in the devices.
“I devoted a lot of my time and resources to finding it and then identifying all these problems before they appear to users,” Stone said. “We want to make sure that nobody is infected because we are talking about the difficulty of eliminating it after the fact.”
By March 2018, the Chamois botnet had infected 7.4 million devices. In July, about 700,000 devices were still infected, Stone said. Sometimes, these security updates never arrive or users do not download them.
Because these applications are preinstalled, they can often remain hidden without an icon, which prevents users from knowing that they are even affected.
Hackers usually have to convince victims to download malware; with preinstalled applications, they only need to fool phone manufacturers.
“If you can infiltrate the supply chain from the beginning, you already have as many infected users as the number of devices they sell,” Stone said. “That’s why the perspective is terrifying and I really hope that more researchers will join us to control these processes.”