Security firm Check Point say it found 36 Android phones given to employees at two unnamed companies that arrived with malware already installed.
The company says it detected the “severe infection” in 36 the phones belonging to a large telecommunications company and a multinational media company.
Check Point’s Oren Koriat says the malware was added “somewhere along the supply chain”, and included six pieces of malware that were added to the devices’ firmware or ROM, which required re-flashing to remove them. Koriat said the malware was not part of the official ROM for the devices.
Most of the malware were information stealers and ad fraud apps, but there was one piece of file encrypting ransomware, known as Slocker.
“As a general rule, users should avoid risky websites and download apps only from official and trusted app stores. However, following these guidelines is not enough to ensure their security. Pre-installed malware compromise the security even of the most careful users,” wrote Koriat.
While the list of infected devices includes some newer handsets, many of the models were first released several years ago, and some are no longer sold new at retail.
The newest phone was the Galaxy S7, while others included the Galaxy Note 2, an LG G4, several Galaxy S4 devices, Galaxy Note 4, Galaxy Note 8.0, Xiaomi Mi 4i, the Galaxy A5, Galaxy Note 3, Galaxy Tab S2, Galaxy Tab 2, Oppo N3, vivo X6 plus, Asus Zenfone 2, LenovoS90, Oppo R7 plus, Xiaomi Redmi, Galaxy Note 5, Galaxy Note Edge, and Lenovo A850.
Check Point initially said a Nexus 5 and 5x also came with malware pre-installed, but later retracted the claim. Google stopped selling these handsets in 2015 and 2016, respectively.
Check Point hasn’t said where the devices were bought from, nor whether they were second hand or refurbished. CSO Australia has asked Check Point for details.Read more: New study finds zero-day flaws live for 7 years, supporting stockpiling
Late last year security firm Doctor Web discovered trojans embedded in the firmware of several dozen Android models, affecting brand new handsets however these were mostly from brands selling in the Russian market.
Similarly, in 2014 security firm Lookout warned that a malicious ringtone app was found pre-installed on new handsets sold in Vietnam, India and China.