Unknown sources account for hundreds of thousands of Trojan installations on Android devices, but Google Play and pre-installation are also main sources of malware installation, a recent report from Cheetah Mobile Security Research Lab reveals.

Tens of millions of applications are being installed on users’ smartphones daily, but nearly one third of them come from sources that cannot be tracked, and most of the mobile Trojans are installed via these unknown sources, researchers say. However, some malicious apps also slip into Google Play, while other malware might come pre-installed on mobile devices right out of the box, Cheetah Mobile says.

Regardless, unknown sources remain the largest threat when it comes to malware distribution, with hundreds of thousands of Trojan installations recorded daily, across a large variety of malware families. These unknown sources include pornographic webpages and third-party links, malware that promotes and installs malware, and SMS worms.

Among the malware installed via unknown sources, there are three families that are installed more than 10,000 times a day, namely org.message.up.update (16379), com.android.syscore (12090), and com.power.core.setting (10229).

Some of the mobile malware, security researchers explain, install other malicious apps on the compromised devices, and researchers say that two such sources of malware installations are the com.sms.sys.manager and com.al.alarm.controller Trojans. Belonging to the same family, these two install over 30,000 malicious apps each day.

The two Trojans focus mainly on devices in India, with over 50% of installations happening in this country, but also hit Indonesia and the Philippines, along with other Asian countries. To achieve their nefarious purposes, researchers explain, the two Trojans root the compromised devices and then display ads to trick users into downloading other malicious apps.

“Since the two Trojans were discovered in January 2016, the amount of applications promoted by them has been increasing. Currently, these two Trojans are promoting about 30,000 to 40,000 applications, including legitimate but unwanted apps to users and malwares,” the security researchers say.

Another source of malware distribution is represented by webpages, and the top malware spreading this way includes Wireless optimizer (16992 installations), WIFI Master pro (8206), and AndroidSystemTheme (7734). The first two were designed to gain root on the compromised devices and to display malicious ads, while the third only to display malicious ads.

Cheetah Mobile observed nine other malware variants distributed through webpages, though at lower rates, and says that all 12 of them belong to the GhostPush malware family. Although they feature different names, the malicious apps show various similarities – for example, they use the same root module as GhostPush. The Trojan can root almost all Android versions except Android 6.0, it seems.

“The core codes are encrypted and put in the assets directory or servers for dynamic loading. The core codes are put in the system directory to disguise the malware as the built-in apps of the phone. The Trojan also leverages the SU files of several different parameters which are able to prevent other third parties from gaining root privilege. These methods make it harder to scan and uninstall the Trojan,” the security researchers say.

Dubbed Wireless Optimizer, one of the malicious apps was designed to display ads or promote pornographic pages to users, to trick them into paying money or into downloading new malicious samples, and to push ads in the status bar. The other Trojans in the family, however, show a similar behavior, the security researchers say.

Although the number of infected users is small, these Trojans can root compromised devices and download and install more malware onto the phone. In addition, they are difficult to remove because of their root permissions and, because they are often updated, they have already established a stable “userbase,” which allows them to constantly make profits.

While looking at the domains used by these Trojans, the security researchers observed that the same domain is used for the rooting service and for the ads. Furthermore, the analysis revealed that short links and ad links are the main sources of distribution for these Trojans, with pornographic websites being the third largest source.

Related: Mobile Malware Shows Rapid Growth in Volume and Sophistication