Google said in 2018 it tracked a rise in the number of potentially harmful apps found on Android devices that were either pre-installed or delivered via over-the-air updates.

Google is reporting an uptick in efforts by bad actors to plant potentially harmful applications (PHAs) on Android devices via pre-installed apps and by bundling them with system updates delivered over the air.

The technique is especially troubling, Google said, because PHAs are often malicious and users have no control over what comes pre-installed on their phone and what is downloaded via a system update.

“Malicious actors increased their efforts to embed PHAs into the supply chain using two main entry points: new devices sold with pre-installed PHAs and over the air (OTA) updates that bundle legitimate system updates with PHAs,” wrote Google in its Android Security and Privacy Year in Review 2018, released on Friday.

While these two vectors for PHAs are troubling, the report states overall instances of PHAs on Android devices running Google Play Protect in 2018 are down 20 percent compared to the previous year.

This includes PHAs installed via rogue app stores, Google Play or other types of malicious mobile attacks.

Can’t Avoid Apps

Piggybacking on a phone manufacture’s Android system update has advantages for bad actors, according to the report. “The developers of pre-installed PHAs only need to deceive the device manufacturer or another company in the supply chain instead of large numbers of users, so it’s easier to achieve large-scale distribution,” Google wrote.

Even smaller phone manufacturers have the potential of compromising hundreds of thousands of users, Google said.

In a report investigating malware infections on BLU brand phones, Threatpost found out how this vector can be abused first hand. On some model BLU handsets, an investigation found that phones came pre-installed with malware and also downloaded more malware via a third-party update tool.

In its report, Google notes that applications bundled in OTA updates and that come pre-installed on new devices often have heightened device privileges. That allows the developers behind them to more easily sidestep security tool detection and removal attempts by users.

Lastly, Google notes “developers of these apps know that it is easier to compromise the supply chain of device manufacturers than to attack the Android platform security mode” allowing them to use PHAs as a way to root devices.

The report states that malicious apps that have snuck onto devices using these techniques have ranged from data harvesting apps to ones that manipulate or degrade the end-users’ experience. “It may also be used as a part of a larger initiative, such as committing click fraud, mining cryptocurrency, or app install attribution fraud,” according to the report.

Fight Back Against Pre-Installed and SDK PHAs

Unlike apps downloaded from Google Play and third-party app stores, which can utilize Android’s built-in security tools, pre-installed apps and backdoored SDKs don’t have that luxury. To address that problem the Android Security team said it began a program in 2017 that works with device manufacturers to certify devices safe – and free of PHAs.

“We expanded the program in 2018 and now every new Android-certified device goes through the same app scanning process as apps on Google Play. Additionally, our security scanner looks for other common security and privacy issues and denies device certification until device manufacturers fix these problems,” Google wrote.

Backdoored SDKs are a trickier problem to solve. “Some SDKs appear legitimate, but include behaviors and functionality that the app developer may not have known about when they included the SDK,” the report states. “We have been working with impacted developers to educate them about this new threat and to publish updated versions of their apps without the backdoor code.”