This Threat Research is about the recently discovered “Pre-installed Android Malware” threat.
At least 36 high-end smartphone models belonging to popular manufacturing companies such as Samsung, LG, and Lenovo were found pre-loaded with 21 malware programs. The programs were part of two malware families: Loki and SLocker. The malicious apps were not part of the official ROM firmware supplied by the manufacturers, but were installed before being sold via eBay and other unofficial stores.
Additional details of the threat, and how Zimperium zIPS protects devices against it, are included below.
- Loki Trojan injects devices inside Android operating system processes to gain root privileges. The Trojan can also access / steal data such as the contact list, call history and location data.
- SLocker locks devices for ransom and communicates through Tor to hide the identity of its operators.
zIPS will detect and alert on all of the malicious apps with an option to delete/uninstall the apps immediately. For pre-installed apps (e.g., those built into the ROM), zIPS will still alert on the attack, and will notify the security teams in the organization, but in order to fully mitigate the threat, the device must be re-flashed.
When an app is downloaded or installed (including those pre-installed, as is the case with these 21), the zIPS on-device engine analyzes the code to determine if it contains anything malicious. As a secondary layer of defense, zIPS can also query our advanced cloud-based threat intelligence capabilities (e.g., the Zimperium Global Malware Database) for additional analysis.
Threat level: Low