Buying New Smartphones for Your Business? Watch out for Preinstalled Malware

In March 2017, a security firm found malware on 36 Android devices purchased by two companies. Several different types of malicious programs were discovered, including the Slocker mobile ransomware and Loki malware. Slocker encrypts your files and demands payment to unlock them, whereas Loki steals data and takes control of devices.

Finding malware on smartphones that employees use for work is fairly common, regardless of whether the phones are owned by the employees or the companies they work for. Generally, the devices get infected when employees use them. However, in this case, the malware was preinstalled on various Android phones manufactured by Samsung, LG Electronics, Lenovo, ASUS, ZTE USA, OPPO, VIVO, and Xiaomi.

When the malicious programs were installed remains a mystery. The malware was not present in the original read-only memory (ROM) — the area where the operating system software and other crucial files are stored — supplied by the phone manufacturers. This means that the malware was added later in the supply chain.

Another unknown is whether the two companies were specifically targeted or whether the infections were part of a broader campaign. Security experts suspect the latter. So, if you recently purchased any Android smartphones, you should check the list of models found with preinstalled malware.

Regardless of whether your devices are on this list, it is a good idea to take certain precautions to protect your business from preinstalled mobile malware. Security experts recommend installing anti-malware software on any new company-owned smartphones and then running a scan before distributing the devices to employees. This will help catch known malware, such as Slocker and Loki. The anti-malware software will also help protect against malware infections once the phones are in employees’ hands.

If you allow employees to use their own phones for work, you might consider requiring them to use anti-malware software on those devices. A good place to document this requirement is in a Bring Your Own Device (BYOD) policy.

Besides securing the mobile devices used at your company, you should protect your network in case a malware-infected phone connects to it. We can provide guidance on how to develop a comprehensive plan to secure your mobile devices and your network.