Receiving a new smartphone with malware pre-installed is unlikely, but this is exactly what has happened with handsets from well-known brands sold by some third-party sellers in Asia and Europe.
Consumers expect a new handset to run factory software, so they are unlikely to check whether it has been modified before entering their account credentials and storing sensitive information, which makes this kind of infection extremely dangerous.
Security firm G Data has discovered malware on more than 20 smartphone models which were advertised as new. And we are not talking about no-name brands. Among others, top-tier vendors Huawei, Lenovo and Xiaomi have had devices infected prior to sale.
The malware is cleverly hidden, being tied to popular apps that users are most likely to use, such as Facebook. This makes it hard to spot, especially without using dedicated security tools. Most users are unlikely to ever find anything suspicious with their smartphones, while the malware will gather all sorts of private information, like phone calls and messages.
"Somebody is unlocking the phone and putting the malware on there and relocking the phone", says G Data security evangelist Andy Hayter. And even if users somehow discover the malware, it is very difficult to remove it without re-flashing the smartphone with factory firmware.
This is not something that is easy to perform, as it generally requires dedicated tools and, most important of all, access to the bootloader, which can often be difficult to unlock. "You can't take it off there unless you unlock the phone", adds Hayter.
What's worse, some manufacturers seem to have no idea that this is happening. "This is the only such occurrence we have been made aware of", says Lenovo's Ray Gorman. "We always recommend customers transact with authorised distribution channels and only accept merchandise that comes in an official box with original factory seals".
This is not the first time G Data has reported such a problem: it found similar malware running on Star smartphones over a year ago. Around the same time, Marble Security found pre-installed malware on some Samsung devices, after customers complained that its security tool was labeling Netflix as malware.
G Data does not explain why affected consumers purchased the smartphones from those third parties, but I suspect that it may be due to lower-than-retail prices. Those can be offset by after-sales revenue generated through the malware.