
Keeping your Android device safe from malware is difficult enough as it is -- but it's an entirely different threat when the harmful apps come with your device. Android's open-source operating system allows for more affordable alternatives for millions of people, but it also opens the door for hackers to sneak in prepackaged malware.

Researchers working for Google found preinstalled malware on more than 7.4 million Android devices. The malware had the ability to take over devices and download apps in the background while committing ad fraud.

While major Android partners like Samsung or LG, as well as Google's own Pixel devices, are likely safe from these kinds of threats, budget phone makers who rely on third-party software to save a few bucks could be vulnerable. Attackers offer genuine services, and hide the malware in the apps they provide, according to Maddie Stone, a security researcher on Google's Project Zero and previously a tech lead on the Android Security team.


Stone, who discussed her research at the Black Hat cybersecurity conference in Las Vegas on Thursday, sees preinstalled malware as a threat that security researchers aren't often focused on, since attention is usually directed toward malware that victims download on their own. But unlike downloaded malware, preinstalled malware is harder to find and even more difficult to get rid of.

"If malware or security issues can make its way as a preinstalled app, then the damage it can do is greater, and that's why we need so much reviewing, auditing and analysis," she said.

Because Apple has full control over its iPhone, preinstalled malware isn't much of a concern for iOS, or the App Store. Many of the preinstalled harmful apps pop up after a malicious actor tricks phone makers into including their software on their devices.

Android's security team discovered two major malware campaigns hidden in preinstalled apps over the last three years, one called Chamois and the other called Triada. Together, they infected tens of millions of low-budget Android devices from the moment they were shipped out. Google did not specify which phones were affected.

At Black Hat, Stone detailed three new case studies on preinstalled apps that posed threats to Android devices, though it's unclear whether the apps' creators had malicious intent. They affected millions of devices and turned off Google Play Protect, spied on people's web activity and allowed potential hackers to run code remotely, Stone said.

Case studies

Stone discussed two cases where the preinstalled "malware" was accidental but still presented a security threat for millions of people. Up to 225 device makers had apps with code that allowed for remote code execution.

These apps opened a window that would allow anyone online to connect to it, and once connected, that person would have complete control. This affected 6 million devices, but was fixed within a month, Stone said.

In the second case, consumer and commercial conglomerate Honeywell had vulnerabilities preinstalled on Android devices controlling its industrial control systems. Any apps on the Android devices that Honeywell was using had extended privileges, so a potential attacker could have abused that security flaw and stolen passwords and documents. The company disclosed that vulnerability last September.

In another case study, the Android security team found a preinstalled app that turned off Google Play Protect, which it fixed last November. Stone also described a preinstalled app that took detailed logs of people's web activities, which Google considers spyware.

Preinstalled vs. downloaded malware

All malware might seem the same to you, but when it's preinstalled, there are a few key differences that make it a more dangerous threat.

Since preinstalled apps are approved and installed by the phone makers, antivirus programs don't flag them as harmful, even if an app is behaving exactly like malware would. These apps also have escalated permissions compared to downloaded malware, and can't be removed unless the phone makers send a security update, Stone said.

Google Play Protect can disable the malicious app, but it can't remove it completely. In 2018, the Android Security team reviewed builds from about 1,000 different phone makers to make sure there wasn't any preinstalled malware packaged in with the devices.

"I put a lot of my own time and resources into finding it then versus after the fact to identify all of these issues before they ever go out to users," Stone said. "We want to make sure no one is infected because we talk about how hard it is to remove after the fact."

In March 2018, the Chamois botnet had infected 7.4 million devices. By July, there were about 700,000 devices still infected, Stone said. Sometimes, those security updates never arrive, or people don't download them.

Because these apps are preinstalled, they can often remain hidden without an icon, leaving people unaware that they're even affected.

While hackers try to get victims to download malware, with preinstalled apps, attackers just have to trick the phone makers.

"If you are able to infiltrate the supply chain out of the box, then you already have as many infected users as how many devices they sell," Stone said. "That's why it's a scarier prospect and I really hope more researchers join us in vetting these processes."