A WAVE of malware-infected Android phones is flooding the market, cybersecurity researchers have revealed.
Millions of devices have been injected with information-stealing malware before they even leave the factory, according to a new investigation by Japanese security company Trend Micro.
Android fans have been warned against buying cheap devices after experts discovered these phones are being targeted by cyber criminals.
The trend has become more common in recent years, as the market tries to produce cheaper phones.
As more manufacturing aspects of the smartphone supply chain become outsourced, the pipeline has become much easier for third-party threat actors to infiltrate.
Once selling firmware – the software that comes built into the phone – became unprofitable, many developers began offering it for free.
But with this came an array of more than 80 “silent plugins”, according to researchers.
Some of these pre-installed apps, which have become a breeding ground for hackers, allow cyber criminals to “rent out” devices for up to five minutes at a time.
It doesn’t sound like long, but sometimes that’s all fraudsters need to steal login credentials or other sensitive information.
The infection turns these devices into tools for stealing and selling text messages, social media accounts and bank details, and even for making money through advertisements and click fraud.
Hackers may even decide to install other malware onto the device.
While just a few of these plugins have become widespread – after being sold on social media and the dark web – millions of phones have been infected worldwide.
The supply chain attack is mostly targeting cheaper smartphones, but it is also affecting smartwatches and smart TVs.
These devices have been found worldwide, but are most concentrated in Eastern Europe and Southeast Asia, the team found.
This pre-installed Android malware scheme is not new, and has been quietly snowballing for some time.
Google has been aware of the issue for years, but there’s little the company can do about it.
The tech giant has limited control over Android’s complex supply chain.
Cheaper phones tend to come with between 100 and 400 pre-installed apps.
All it takes is one infected app for the entire device and its owner to be at risk of data fraud.
It’s not as easy as removing a dodgy app from Google’s Play Store.
So the only way Android fans can really protect themselves is to buy higher-end devices and stick to brands like Samsung and Google, which are supposed to have better supply chain security.