Severe malware infection discovered in 38 Android device models
Check Point's Mobile Threat Prevention research team disclosed its latest mobile malware findings in a blog post today. The team detected a "severe infection" on 38 Android device models belonging to an unnamed "large telecommunications company and a multinational technology company." The most surprising detail is that the malware was not delivered through a deceptive Play Store listing or a malicious link, as is usually the case, but came pre-installed on the devices themselves.
The Check Point team isn't placing the blame on the device vendors; rather, they determined that the malware was added to the devices' ROM "somewhere along the supply chain" by a "malicious actor." In some instances the malware could not be removed at all without re-flashing the device's ROM. Among the pre-installed malware is Loki, which displays illegitimate ads, steals device data, and installs itself into the system partition, giving it full control over the device and making it near-impossible to remove. Bad as that may be, the most potentially frustrating find was Slocker, a piece of mobile ransomware. As with other ransomware, Slocker can encrypt all of a device's files and then demand a ransom in exchange for the decryption key.
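The practical consequence of "added to the ROM" is that the usual remedies fail: a package that lives under /system survives both `pm uninstall` and a factory reset. As an added example (not code from Check Point's post or from this article), the Python script below takes the package list and APK hashes captured from a device over adb, separates packages resident in ROM partitions from those installed under /data, matches their hashes against an indicator list, and says whether the fix is an uninstall or a re-flash. The package names, paths and hashes embedded in it are constructed sample data, not Check Point's published indicators; `adb shell pm list packages -f` and `adb shell sha256sum` are the real commands whose output formats it parses.

```python
import re
from dataclasses import dataclass
from typing import Optional

# `pm list packages -f` prints one line per package: package:<apk path>=<name>
PM_LINE = re.compile(r"^package:(?P<path>/\S+?\.apk)=(?P<pkg>[\w.]+)$")

# Partitions baked into the firmware image. An APK under one of these survives
# a factory reset and cannot be removed with `pm uninstall`; only re-flashing
# the ROM gets rid of it (the case the article describes).
ROM_PREFIXES = ("/system/", "/vendor/", "/oem/", "/product/", "/odm/")


@dataclass
class Finding:
    package: str
    path: str
    in_rom: bool
    sha256: Optional[str]
    known_bad: bool


def parse_pm_list(text: str):
    """Parse `pm list packages -f` output into (apk path, package name) pairs."""
    pairs = []
    for line in text.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            pairs.append((m["path"], m["pkg"]))
    return pairs


def parse_sha256sum(text: str):
    """Parse `sha256sum` output ('<64 hex>  <path>') into {path: hex}."""
    hashes = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and re.fullmatch(r"[0-9a-f]{64}", parts[0]):
            hashes[parts[1]] = parts[0]
    return hashes


def triage(pm_output: str, sha_output: str, ioc_hashes):
    """Join package list, hashes and the IOC set into one Finding per package."""
    hashes = parse_sha256sum(sha_output)
    findings = []
    for path, pkg in parse_pm_list(pm_output):
        digest = hashes.get(path)
        findings.append(Finding(
            package=pkg,
            path=path,
            in_rom=path.startswith(ROM_PREFIXES),
            sha256=digest,
            known_bad=digest is not None and digest in ioc_hashes,
        ))
    # Worst first: known-bad, ROM-resident packages need a re-flash.
    findings.sort(key=lambda f: (not f.known_bad, not f.in_rom, f.package))
    return findings


def recommended_action(f: Finding) -> str:
    """What to do about one finding."""
    if f.known_bad:
        return "reflash" if f.in_rom else "uninstall"
    if f.sha256 is None:
        return "hash-missing"   # not hashed yet, so it cannot be cleared
    return "ok"


# ---- CONSTRUCTED sample captures; real data comes from `adb shell` ----
H_CALC, H_UPDATER, H_TORCH = "11" * 32, "22" * 32, "33" * 32
SAMPLE_PM = """\
package:/system/app/Calculator/Calculator.apk=com.android.calculator2
package:/system/priv-app/SysUpdater/SysUpdater.apk=com.example.sysupdater
package:/data/app/com.example.flashlight-1/base.apk=com.example.flashlight
package:/system/app/Gallery2/Gallery2.apk=com.android.gallery3d
"""
SAMPLE_SHA = f"""\
{H_CALC}  /system/app/Calculator/Calculator.apk
{H_UPDATER}  /system/priv-app/SysUpdater/SysUpdater.apk
{H_TORCH}  /data/app/com.example.flashlight-1/base.apk
"""
# Stand-in for the hash list published with the blog post (constructed values).
SAMPLE_IOCS = {H_UPDATER, H_TORCH}

if __name__ == "__main__":
    for f in triage(SAMPLE_PM, SAMPLE_SHA, SAMPLE_IOCS):
        print(f"{recommended_action(f):13} {f.package:32} {f.path}")
```

On a real device, capture the inputs with `adb shell pm list packages -f` and `adb shell sha256sum /system/app/*/*.apk /system/priv-app/*/*.apk` (extend the globs to the other ROM partitions), and replace `SAMPLE_IOCS` with the hashes from Check Point's list. Note that `pm uninstall --user 0 <pkg>` on a ROM-resident package only hides it for that user; the APK stays in /system and comes back after a factory reset, which is why the only real fix in those cases is re-flashing the ROM.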
At the end of their blog post, the Check Point research team posted a list of the affected devices and the infected APK files. Many older but still relatively common devices are included in that list, including the LG G4, Samsung Galaxy Note 4, and Galaxy Tab S2. Check Point's only advice at this time is for users to "implement advanced security measures capable of identifying and blocking" these types of infections.