Here's a scary thought: Mobile devices may soon come with pre-installed malware on required system apps. While it might sound like a grim foretelling, pre-installed mobile malware is an unfortunate reality of the future.

In the past, we’ve seen pre-installed malware with the notorious Adups threat, among others. "Pre-installed" means the malware comes already installed on a device at the system level, thus, it cannot be removed; only disabled. However, remediating these iterations of pre-installed malware is possible by using a work-around to uninstall apps for the current user. This method involves connecting the mobile device to a PC and using the ADB command line tool. Follow our guide, removal instructions for Adups, to find out more.

Although this method is a bit tedious, it works to remediate the malware. In contrast, remediating newer versions of pre-installed malware has become much more difficult. We are now seeing malware authors target system apps that are required for the device to function properly. By injecting malicious code within these necessary apps, threat actors have reshaped the landscape of pre-installed malware for the worse.

Types of pre-installed apps

There are two types of preinstalled apps, based on the apps' location on the device. This location also determines the importance of the app.

The first location is /system/app/. Apps in this location are typically something you want to have, but not critical for the device to run. For example, apps that contain functionally for the camera, Bluetooth, FM radio on the device, or photo viewing are stored in this location. This location is also where device manufactures cache what some may consider bloatware. Uninstalling some of these apps may degrade the user experience, but it isn’t going to stop the device from functioning.

The other location is /system/priv-app/. This is where significantly important apps reside. For instance, apps like settings and system UI, which include the functionality for the back/home buttons on Android devices, are stored here. In other words, apps you absolutely cannot uninstall these without essentially breaking the phone. Sadly, the latest pre-installed malware is targeting this location.

The evidence

In the light of this new, frightening pre-installed malware, let's look at two case studies.

Case study 1: Riskware auto installer within System UI

The device is a THL T9 Pro. The infection is Android/PUP.Riskware.Autoins.Fota.INS. Although the code looks similar to the well-known preinstalled malware Adups, it's entangled within the critical system app System UI, instead of being in a standalone app like a UpgradeSys. The infection causes headaches, as it repeatedly installs variants of Android/Trojan.HiddenAds. It’s unknown if this is the doing of Adups themselves, or on the other hand, if code was taken from the Adups Auto Installer and inserted into System UI. Neither scenario is good.

Case Study 2: Monitor within settings

This time, the device is a UTOK Q55. The infection is Android/Monitor.Pipe.Settings. The category "Monitor" is a subset of Potentially Unwanted Programs (PUPs). As the name implies, Monitor apps collect and report sensitive information from the device. Furthermore, this particular Monitor app is hardcoded in the highly-important Settings app. In effect, the app used to uninstall other apps would need to be uninstalled itself to remediate—pure irony.

Attempting to remediate

Here lays the biggest problem with these infections—there is currently no good way to remediate. I have worked with several customers with these infections, but despite my attempts, I have yet to find a good work around. However, I can offer some guidance. If a clean version of the system app can be found to replace the malicious version, you might be able to replace it. You will want to look for system apps that match the current Android OS version of the device.  If found, you can try using the following method:
  • Read the disclaimer from the removal instructions for Adups.
  • Follow the steps under Restoring apps onto the device (without factory reset) in the removal instructions for Adups to save the proper <full path of the apk> of the system app to be replaced.
  • Download a clean version of the system app to your PC.
    • You can use the popular site VirusTotal to determine if it's clean or not.
  • Move the system app from your PC to your device.
    • adb push <PC file path>\<filename of clean version.apk> /sdcard/Download/<filename of clean version.apk>
  • Uninstall the old, malicious version of the system app.
    • adb shell pm uninstall -k --user 0 <package name of malicious system app>
  • Install the new version of the system app.
    • adb shell pm install -r --user 0 /sdcard/Download/<filename of clean version.apk>
  • See if it works.
    • Common failure errors:
    • If the new version fails to install, you can revert to the old system app.
      • adb shell pm install -r --user 0 <full path of the apk saved from second step>
As noted above, I have yet to find a version of any of the infections encountered that successfully installs. If you need assistance, feel free to post on our forum Mobile Malware Removal Help & Support.

What really can be done?

Currently, the best method to deal with these infections is to:
  1. Stay away from devices with these infections. Here are the manufacturers/models we have seen so far that have been impacted:
    • THL T9 Pro
    • UTOK Q55
    • BLU Studio G2 HD
  2. If you already bought one, return the device.
  3. If you already bought the device and can’t return it, contact the manufacturer.

Extreme frustration

As a mobile malware researcher, it pains me to no end to write about malware we can’t currently remediate.  However, the public needs to know that these types of infections exist in the wild. No one should have to tolerate such infections on any mobile device regardless of its price point and/or notoriety. I will continue to look for methods to deal with these infections. In the meantime, stay safe out there.

APK samples

Detection: Android/PUP.Riskware.Autoins.Fota.INS MD5: 9E0BBF6D26B843FB8FE95FDAD582BB70 Package Name:

Detection: Android/Monitor.Pipe.Settings MD5: DC267F396FA6F06FC7F70CFE845B39D7 Package Name: