Google Warns of Growing Android Attack Vector: Backdoored SDKs and Pre-Installed Apps (Apr 1, 2019)
Google has released its “Android Security and Privacy Year in Review 2018”, in which the company explains that it has observed an increase in threat actors attempting to install Potentially Harmful Applications (PHAs) via the supply chain and pre-installed applications. Actors are also targeting Over The Air (OTA) updates “that bundle legitimate system updates with PHAs.” These vectors are appealing from a threat actor’s point of view because they target applications that come pre-installed on Android devices, leaving the user exposed to malicious activity from an application they never chose to install. A device could ship with malware pre-installed and then download additional malware via compromised third-party update tools.
Recommendation: Pre-installed threats can hide from even the most cautious users. If personal devices are also used for work, or may be used by children, they should be properly inspected and unwanted applications removed. Additionally, it is crucial to review all privileges an application requests prior to installation, even from legitimate application stores such as the Apple App Store and Google Play.
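One way to carry out the device inspection recommended above, as an added example that is not part of this briefing or of Google's report: a Python script that parses saved `adb shell dumpsys package` output (the sample below is constructed to mimic that format) and lists apps living on firmware partitions that request permissions from a watch list. The watch list, partition list and package names are assumptions chosen for illustration.

```python
import re
# Watch list chosen for this example (assumption, not an official Google list).
WATCHLIST = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
             "android.permission.READ_CALL_LOG", "android.permission.INSTALL_PACKAGES"}
# Partitions that carry firmware-shipped apps; /data/app holds user-installed ones.
SYSTEM_PATHS = ("/system/", "/vendor/", "/product/", "/oem/", "/system_ext/")

PKG_HDR = re.compile(r"^\s*Package \[([\w.]+)\].*$", re.M)
# Indented permission lines after the header, stopping at the next "...:" section.
REQ_BLOCK = re.compile(r"requested permissions:\n((?:[ \t]+[\w.]+(?::[^\n]*)?\n)*)")

def parse_dumpsys(text):
    """Parse 'Package [...]' records of `adb shell dumpsys package` output into
    {package: {"codePath": str, "requested": [permission, ...]}}."""
    parts = PKG_HDR.split(text)  # [preamble, name1, body1, name2, body2, ...]
    pkgs = {}
    for name, body in zip(parts[1::2], parts[2::2]):
        code = re.search(r"codePath=(\S+)", body)
        block = REQ_BLOCK.search(body)
        perms = re.findall(r"^\s*([\w.]+)", block.group(1), re.M) if block else []
        pkgs[name] = {"codePath": code.group(1) if code else "", "requested": perms}
    return pkgs

def flag_preinstalled(pkgs):
    """Map firmware-partition packages to the watch-list permissions they request."""
    flagged = {}
    for name, info in pkgs.items():
        if info["codePath"].startswith(SYSTEM_PATHS):
            hits = sorted(WATCHLIST & set(info["requested"]))
            if hits:
                flagged[name] = hits
    return flagged

# Constructed sample mimicking dumpsys output; package names are made up.
SAMPLE = """\
Packages:
  Package [com.example.oem.weather] (a1b2c3):
    codePath=/system/app/OemWeather
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_SMS
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.example.user.game] (d4e5f6):
    codePath=/data/app/com.example.user.game-1
    requested permissions:
      android.permission.READ_SMS
"""
FINDINGS = flag_preinstalled(parse_dumpsys(SAMPLE))  # {'com.example.oem.weather': ['android.permission.READ_SMS']}
```

On a real device, capture the input with `adb shell dumpsys package > dump.txt` and feed the file contents to `parse_dumpsys`; the user-installed game requesting READ_SMS is deliberately not flagged, since the check targets what shipped in the firmware.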
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.