Android devices have a mixed reputation for security. While the operating system itself and Google’s Pixel phones have proven resilient against software exploits over the years, the presence of malicious apps on Google Play and the susceptibility of some third-party manufacturers’ devices have tainted Android’s image.
Two recent reports have damaged that image further. The first, by security firm Trend Micro, revealed that a significant number of Android phones, potentially totaling 8.9 million devices from 50 different brands, were infected with preinstalled malware.
The malware, known as Guerrilla, was initially discovered by researchers at security firm Sophos within 15 malicious apps that had made their way into the Google Play store.
Guerrilla establishes a backdoor, allowing infected devices to regularly communicate with a remote command-and-control server in order to receive and install new malicious updates.
These updates collect user data, which the Lemon Group (the threat actor identified by Trend Micro) can sell to advertisers. Guerrilla also surreptitiously installs aggressive ad platforms that drain battery life and negatively impact the user experience. The United States had the highest concentration of infected phones, followed by Mexico, Indonesia, Thailand, and Russia. Unfortunately, the affected brands were not disclosed in the report.
The second report, published by TechCrunch, focused on Android-based TV boxes sold on Amazon that were found to be infected with malware.
Specifically, the T95 models with an H616 chipset were discovered to have preinstalled malware. These TV boxes establish communication with a command-and-control server similar to Guerrilla’s servers, enabling the malware creators to install any application they want.
The default malware found on these TV boxes is a clickbot, which generates revenue by surreptitiously clicking on ads in the background. The findings of researcher Daniel Milisic, who purchased one of the infected TV boxes, were independently confirmed by Bill Budington from the Electronic Frontier Foundation.
It is important to note that incidents of Android devices being sold with preinstalled malware are not new. Several previous cases have been reported, typically involving budget-tier models.
To minimize the risk, potential Android phone buyers are advised to opt for well-known brands like Samsung, Asus, or OnePlus, as these companies generally have more robust quality assurance controls in place. Higher-end Android devices and iPhones have not been reported to come with preinstalled malware thus far.