{
	"id": "7bc3a031-fe10-4c39-a512-70c0eeb54c26",
	"created_at": "2026-04-06T00:11:33.773128Z",
	"updated_at": "2026-04-10T03:20:31.875977Z",
	"deleted_at": null,
	"sha1_hash": "e3aa88fbb4a8c57db465e73a4228aeb523426cd8",
	"title": "Preinstalled Malware Targeting Mobile Users",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 41964,
	"plain_text": "Preinstalled Malware Targeting Mobile Users\r\nBy bferrite\r\nPublished: 2017-03-10 · Archived: 2026-04-05 22:47:29 UTC\r\nCheck Point mobile threat researchers recently detected a severe infection in 36 Android devices belonging to a large telecommunications company and a multinational technology company. While this is not unusual, one detail of the attacks stands out. In all instances, the malware was not downloaded to the device as a result of the users’ use; it arrived with it.\r\nAccording to the findings, the malware was already present on the devices even before the users received them. The malicious apps were not part of the official ROM supplied by the vendor, and were added somewhere along the supply chain. Six of the malware instances were added by a malicious actor to the device’s ROM using system privileges, meaning they couldn’t be removed by the user and the device had to be re-flashed.\r\nBelow are two examples of the malware installation. The research team was able to determine when the manufacturer finished installing the system applications on the device, when the malware was installed, and when the user first received the device.\r\nA malicious adnet found in 6 mobile devices, APK com.google.googlesearch:\r\nLoki malware, APK com.androidhelper.sdk:\r\nMost of the malware found to be pre-installed on the devices were info-stealers and rough ad networks, and one of them was Slocker, a mobile ransomware. Slocker uses the AES encryption algorithm to encrypt all files on the device and demands a ransom in return for the decryption key. Slocker uses Tor for its C\u0026C communications.\r\nThe most notable rough adnet which targeted the devices is the Loki malware. This complex malware operates by using several different components; each has its own functionality and role in achieving the malware’s malicious goal. The malware displays illegitimate advertisements to generate revenue. 
As part of its operation, the malware steals data about the device and installs itself to the system, allowing it to take full control of the device and achieve persistence.\r\nThe risk of pre-installed malware\r\nAs a general rule, users should avoid risky websites and download apps only from official and trusted app stores. However, following these guidelines is not enough to ensure their security. Pre-installed malware compromises the security even of the most careful users. In addition, a user who receives a device already containing malware will not be able to notice any change in the device’s activity, which often occurs once malware is installed.\r\nThe discovery of the pre-installed malware raises some alarming issues regarding mobile security. Users could receive devices which contain backdoors or are rooted without their knowledge. To protect themselves from regular and pre-installed malware, users should implement advanced security measures capable of identifying and blocking any abnormality in the device’s behavior.\r\nAppendix 1 – list of malware APKs, SHAs, and affected devices\r\nAPK | Affected device(s) | SHA\r\ncom.fone.player1 | Galaxy Note 2, LG G4 | d99f490802f767201e8d507def4360319ce12ddf46765ca1b1168d64041f20f\r\ncom.lu.compass | Galaxy S7, Galaxy S4 | f901fd1fc2ce079a18c619e1192b14dcc164c97da3286031ee542dabe0b4cd8c\r\ncom.kandian.hdtogoapp | Galaxy Note 4, Galaxy Note 8.0 | b4e70118905659cd9b2c948ce59eba2c4431149d8eb8f043796806262d9a625b\r\ncom.sds.android.ttpod | Galaxy Note 2, Xiaomi Mi 4i | 936e7af60845c4a90b8ce033734da67d080b4f4f0ca9c319755c4a179d54bf1b\r\ncom.baycode.mop | Galaxy A5 | 39c6bab80cc157bfe540bdee9ce2440b3b363e830bc7adaab9fc37075fb26fb1\r\ncom.kandian.hdtogoapp | Galaxy S4 | 998ab3d91cbc4f1b02ea6095f833bfed9d4f610eea83c51c56ce9979a2469aea\r\ncom.iflytek.ringdiyclient | ZTE x500 | e9a30767e69dccb1b980eae42601dff857a394c7abdfe93a18e8739fa218d14b\r\ncom.android.deketv | Galaxy A5 | 01b8cb51464b07775ff5f45207d26d8d9f4a3b6863c110b56076b446bda03a8a\r\ncom.changba | Galaxy S4, Galaxy Note 3, Galaxy S4, Galaxy Note Edge, Galaxy Note 4 | a07745f05913e122ec19eba9848af6dfda88533d67b7ec17d11c1562245cbed1\r\ncom.example.loader | Galaxy Tab S2 | e4e97090e9fd6cc3d321cee5799efd1806b5d8a9dea7c4872044057eb1c486ff\r\ncom.armorforandroid.security | Galaxy Tab 2 | 947574e790b1370e2a6b5f4738c8411c63bdca09a7455dd9297215bd161cd591\r\ncom.android.ys.services | Oppo N3, vivo X6 plus | 0d8bf3cf5b58d9ba280f093430259538b6340b24e805058f3d85381d215ca778\r\ncom.mobogenie.daemon | Galaxy S4 | 0038f450d7f1df75bf5890cf22299b0c99cc0bea8d66e6d25528cb01992a436b\r\ncom.google.googlesearch | Asus Zenfone 2 (5), Lenovo S90 | 217eee3a83f33b658fb03fddfadd0e2eb34781d5dd243203da21f6cb335ef1b4\r\ncom.skymobi.mopoplay.appstore | Lenovo S90 | 3032bb3d90eea6de2ba58ac7ceddead702cc3aeca7792b27508e540f0d1a60be\r\ncom.example.loader | Oppo R7 plus | 1cb5a37bd866e92b993ecbbcc4a2478c717eeb93839049ef0953b0c6ba89434e\r\ncom.yongfu.wenjianjiaguanli | Xiaomi Redmi | e5656c1d96158ee7e1a94f08bca1213686a05266e37fb2efb5443b84250ea29d\r\nair.fyzb3 | Galaxy Note 4 | c4eac5d13e58fb7d32a123105683a293f70456ffe43bb640a50fde22fe1334a2\r\ncom.ddev.downloader.v2 | Galaxy Note 5 | 92ae2083a8495cc5b0a0a82f0bdeb53877170d2615ce93bd8081172af9e60f8f\r\ncom.mojang.minecraftpe | Galaxy Note Edge | fbe9c495f86a291a0abe67ad36712475ff0674d319334dbd7a2c3aa10ff0f429\r\ncom.androidhelper.sdk | Lenovo A850 | b0f6d2fc8176356124e502426d7aa7448490556ef68a2f31a78f4dd8af9d1750\r\nNOTE: UPDATE MARCH 13, 2017 - Some clarification was made. Number of devices changed from 38 to 36. Nexus machines were removed. Galaxy Note 8 was changed to Galaxy Note 8.0\r\nSource: http://blog.checkpoint.com/2017/03/10/preinstalled-malware-targeting-mobile-users/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"http://blog.checkpoint.com/2017/03/10/preinstalled-malware-targeting-mobile-users/"
	],
	"report_names": [
		"preinstalled-malware-targeting-mobile-users"
	],
	"threat_actors": [],
	"ts_created_at": 1775434293,
	"ts_updated_at": 1775791231,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e3aa88fbb4a8c57db465e73a4228aeb523426cd8.pdf",
		"text": "https://archive.orkl.eu/e3aa88fbb4a8c57db465e73a4228aeb523426cd8.txt",
		"img": "https://archive.orkl.eu/e3aa88fbb4a8c57db465e73a4228aeb523426cd8.jpg"
	}
}