Report finds Android malware pre-installed on hundreds of phones

Low cost devices not certified by Google are mostly affected.

Even if you're careful about avoiding sketchy websites and apps, there's nothing you can do if your smartphone has malware built in. That's actually the case with hundreds of different smartphones, according to Avast Threat Labs. The researchers found adware installed mostly on devices not certified by Google from manufacturers like ZTE, Archos and myPhone. Users with affected phones will see popup ads and other annoying problems, and because the adware is installed on a firmware level, it's incredibly difficult to remove.

This isn't the first time we've seen bad apps pre-installed, as Lenovo famously shipped the "Superfish" malware with brand new PCs. It's one of the bigger scandals related to malware installed on Android devices, however, and might affect a lot more users.

There are a couple of different variants of the Android malware APKs, but they work on the same principal.The infected apps, called droppers, are installed in a hidden way in a list of system applications in the settings. They download a small file called a manifest that tells the app what other files to get. It then downloads those and installs an APK from an URL found in the manifest, and uses a standard Android command to install it. Finally, it starts the payload service.

The payload APK contains Google, Facebook and Baidu ad frameworks. It is able to detect any antivirus software, and will "hold back any suspicious actions in this case," said Avast. If not, it will show popup ads for sketchy games while you surf on your default browser. That's already a big nuisance, but could get a lot worse if you actually installed any of the games.

The top countries affected are Russia, Italy, Germany, the UK and France. Avast managed to disable the dropper server via takedown requests, but it was quickly restored using another provider. The adware servers are still operating, and lots of users have complained about bad ads, the company notes.

Avast contacted Google, which "has taken steps to mitigate the malicious capabilities of many app variants on several device models, using internally developed techniques," said the company. Specifically, Google Play Protect should automatically disable the dropper and the payload, if it's available.

Another solution, of course, is to use mobile antivirus software that Avast just happens offer (or another antivirus app, we presume). That should uninstall the payload, but you'll have to manually go into your settings to disable the dropper. For more information about how to do that, check here.