This blog intends to educate the general public about the various privilege levels in which an Android malware can be installed and the difficulties in removing malware that are installed as system applications.
The trend of malware or adware preinstalled as system apps is an increasingly worrying one, albeit not a completely new phenomenon.
With security in mind, Android system applications are hosted in the system partition with high privileges unlike user-installed applications, and cannot be uninstalled or modified easily by an end user. Therefore the installation of malware as a system app complicates the removal process.
The privilege levels under which a malware can be installed on a victim’s device are as follows:

  • User level – location on the device: /data/app
  • System level – location on the device: /system/app

Unlike the user level app installation, it is possible to install an application at the high privilege (system) area only if the device is rooted by a user.  There are two primary ways in which many malicious applications are installed on a phone’s system partition:

  • An already installed malware:
    • roots the victim’s device either by availing of an exploit or by running another application that requires root (administrative) permissions
    • downloads and installs another malware on to the system partition
  • Devices come equipped with malware as preinstalled system applications

Now, the obvious question is “Does the handset manufacturer preinstall malware or adware as part of its manufacturing process?” The answer appears to be that there are middle-men who gain monetary benefits from malware writers and adware developers by installing their malware and adware applications into custom ROM, thus replacing the stock ROM in new devices before the handsets reach end users or retailers via distributors. The notable rise in the mobile shopping increases the concern about preinstalled malware even further.

Removing a malware application installed in the user area is similar to that of uninstalling any other user-downloaded application. However, deleting a system application, malicious or not, is not seen as an easy task for an end user since it would require the device to be rooted that would typically render the device’s warranty void.
As per the Android architecture, mobile security products have the same privilege as any other user applications and therefore cannot by default modify or delete a system application. Mobile security products would protect their users from being compromised by these preinstalled malware by blocking the application from execution.
Just to re-iterate, with an enhancement in the Android boot framework to load security products or its processes at a very early stage in the boot process, even before the system applications are loaded, it is possible to stop and remove such malware/adware system apps.
Users are recommended to:

  • Purchase the handset only from reputed vendors and distributors.
  • Verify the handset package’s state to determine if the package is tampered with before purchasing or using it.
  • Verify the unique id of the device or the ROM on the handset manufacturer’s website, if possible.

Image courtesy of:
makingdifferent.com
V.Dhanalakshmi
Senior Threat Researcher, K7TCL
If you wish to subscribe to our blog, please add the URL provided below to your blog reader: https://labs.k7computing.com/feed/

Like what you're reading? Subscribe to our top stories.

If you want to subscribe to our monthly newsletter, please submit the form below.