
Pre-installed malware was found on more than 7.4 million Android devices. The malware was able to take over devices, download apps in the background and commit advertising fraud.

The discovery was made by Google's own researchers. The malware ended up on devices through the manufacturers of the phones.

These are mainly budget phone makers, who use third-party software to save money. Attackers offer real services and then put malware in them, security researcher Maddie Stone from Google's Project Zero tells CNET.

Millions of devices affected

The problems with pre-installed malware are not new. Over the past three years, Android security researchers have already found two major malware campaigns in pre-installed apps: Chamois and Triada, which together infected tens of millions of cheap Android devices.

Stone has now announced three new investigations. The malware involved affected millions of devices and turned off Google Play Protect. It also spied on users' internet activity, and hackers might be able to remotely run code on the device.

Google has not disclosed which devices are involved. It is also not clear whether the creators of the apps also had malicious intentions.


According to Stone, there were two cases in which the pre-installed malware was not intended as malware. The flaws had ended up in the services by accident, but they still created security risks for millions of people.

As many as 225 device manufacturers had put apps on their devices with code that made remote code execution possible. The apps opened a screen to which anyone online could connect. Once a connection was established, that person was in complete control. According to Stone, this problem affected 6 million devices, but it was fixed within a month.

Multinational Honeywell also had vulnerabilities on the Android devices that managed its industrial control systems. The apps on these devices had extensive privileges, allowing an attacker to steal passwords and documents. The flaw was announced last September.

Virus scanners don’t pick it up

Pre-installed malware is approved by phone manufacturers, which is a problem: virus scanners therefore do not see the app as malicious, even if it behaves like malware.

In addition, the apps often have more permissions to perform tasks than malware downloaded by users, and cannot be deleted unless the manufacturer sends a security update. Google Play Protect can turn off the malicious app, but cannot remove it.

This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.