How does malware find its way on to Android smartphones and tablets?
By some margin, it’s by way of Google’s Play Store, which despite repeated efforts to clean it up remains a recurring source of dodgy apps that sit somewhere between suspiciously misleading and downright malicious.
But according to a Black Hat presentation by Google Project Zero researcher Maddie Stone, there’s another route that’s nearly impossible for users to defend themselves against – malicious apps that have been factory pre-installed.
It starts with the sheer number of apps that now come with Android devices out of the box – somewhere between 100 and 400.
Criminals only need to subvert one of those, which has become a particular problem for cheaper smartphones using the Android Open Source Platform (AOSP) as opposed to the licensed ‘stock’ Google version that powers better-known brands.
She cited several instances encountered while doing her old job on Google’s Android Security team, including an SMS and click fraud botnet called Chamois which managed to infect at least 21 million devices from 2016 onwards.
The malware behind it proved harder to defeat than anticipated, in part because the company realised in March 2018 that in the case of 7.4 million devices the infection had been pre-installed in the supply chain.
Google was able to reduce pre-installed Chamois to a tenth of that level by 2019 but, unfortunately, Chamois was only one of several supply chain security issues it uncovered.
Others included 225 device makers either leaving diagnostic software on devices offering backdoor remote access, shipping modified Android Framework code allowing spyware-level logging, or installing apps that had been programmed to bypass Google Play Protect (GPP) security.
Some of this was inadvertent, a case of OEMs messing around with settings to make their lives easier, but it was dangerous enough for Google to assign the issue a CVE number and release a software fix that outlawed the bypass in early 2019.
Supply chain complexity
The issue of supply chain malware has been rumbling away at a low level for some time, but this is the first time someone from Google has drawn attention to the issue in so much detail.
As Stone admits, stopping the problem is tougher than achieving the same thing for rogue apps that make it on to the Google Play Store, because detection must happen at a lower level beyond the knowledge of traditional security apps.
It’s also an inherent part of the complex OEM Android supply chain – contrast that with Apple, which controls the entire process for its iPhone.
With the cat now out of the bag regarding supply chain attacks on Android, Stone would like to see more third-party research into this software layer.
While a useful suggestion, this shouldn’t distract us from the fact that most users are still more likely to encounter bad apps in the one place many assume they won’t – Google’s Play Store.