Security awareness

Risks of preinstalled smartphone malware in a BYOD environment

Rodika Tollefson
June 1, 2021 by
Rodika Tollefson

The bring-your-own-device (BYOD) trend has been growing for many years, but the wider adoption of a remote or hybrid workforce in a post-COVID world may create an influx of personal smartphones connecting to the corporate networks. Many companies are embracing flexible workplaces using cloud applications to enable their employees to work from anywhere, on any device. But is allowing any device to connect to your sensitive corporate resources really a good idea? 

Considering the growing trend of preinstalled malware and other evolving threats, it may be time to examine your current BYOD policies and evaluate the new risks.

Phishing simulations & training

Phishing simulations & training

Build the knowledge and skills to stay cyber secure at work and home with 2,000+ security awareness resources. Unlock the right subscription plan for you.

Android malware: A thorn in IT’s side

The iOS ecosystem is far from safe when it comes to malware. But Android malware is especially worrisome for IT teams, not only because of the Android OS proliferation but due to more relaxed security controls, despite Google’s increased efforts to improve them in recent years. 

About a quarter of infected devices (including Windows/PCs, iOS and IoT) run on Android OS, according to Nokia’s 2020 threat intelligence report. And according to a Google security engineer, at one point Google identified 7.4 million Android phones infected with malware.

Why should you worry about Android malware on personal employee devices that connect to your network? Here are just a few reasons:

  • Just like on a desktop or laptop, mobile malware can steal login credentials or other data while evading detection if an employee logs in to work accounts on the smartphone, your corporate accounts are compromised.
  • When smartphones are not isolated from the rest of the network, an infected Android device phone can spread malware to other Android devices connected to the network.
  • Various Android malware variants can do things like rooting the phone to give a threat actor complete control, recording all activity (spyware), bypassing or stealing multi-factor authentication codes or attacking WiFi routers to do things like rerouting DNS queries.

While the Android malware list is endless, one type that’s emerged in the last few years is especially problematic: malware that comes preinstalled on devices. So far, the purpose of these new strains appears to be largely click fraud, but the malware’s functionalities could enable far more dangerous actions, all the way down to enabling complete device takeover. 

The Pesky xHelper malware 

One type of preinstalled malware that’s been making waves is xHelper. This stealthy Trojan first appeared on researchers’ radar around mid-2019 and quickly worked its way to the top of the Android malware detection lists.

What makes the xHelper malware a big problem is that you can’t get rid of it by simply restoring factory defaults or other common techniques. It took extensive detective work but researchers at Malwarebytes eventually figured out that xHelper installs backdoors that enable app downloads from a server controlled by the attackers, and also gains superuser privileges that provide access to sensitive data, among other things. This is what makes xHelper difficult to remove—but no longer impossible.

Initially, researchers believed the xHelper malware spread via mobile websites, particularly some shady gaming sites. But recently, Secure-D Lab has discovered that the malware came preinstalled on 200,000 Transsion Tecno W2 phones cheap Android phones made in China and used primarily in Africa.

The Secure-D Lab researchers recorded some 19.2 million suspicious transactions that were, essentially, subscription traps stealing money from consumers signing up unsuspecting users for subscription services for click fraud. The researchers suspected that this was the result of a supply chain attack on manufacturers or developers.

Preinstalled malware a growing threat

The xHelper strain is just one example of preinstalled malware. In the United States, a different family of malware that could be used for click fraud was found on cheap phones from Assurance Wireless, which provides the service to low-income individuals via a government-funded program. (The Chinese manufacturer denied that the malware came with the phone.) 

And, most recently, Gigaset mobile devices in Germany were reportedly affected by a hack that delivered malware via a preinstalled, legit system update app.

Not all preinstalled malware is likely due to supply chain security threats, either. Kaspersky Lab researchers believe that pre-installed adware (a type of malware), for example, may be part of an actual “partnership,” with the manufacturer receiving some of the profits from the scammers. Kaspersky also saw an uptick in adware attacks in general in 2020.

Limit your BYOD risks

Whether the malware is preinstalled or gets downloaded by an employee, IT admins should not only examine their BYOD policies but also educate users about the risks and help employees maintain good cyber hygiene.

A few things you can do:

  • Provide employees tips on how to check for malware on Android and other mobile phones, as well as how to stop pop-up ads on Android and other OS.
  • Explain best practices that improve mobile security (not connecting to unsecured public Wi-Fi, avoiding apps from third-party sites, not clicking on suspicious SMS or email links and more).
  • Implement a mobile device management (MDM) program and require employees to enroll their BYOD devices.
  • As part of MDM, consider using a solution that checks a device’s posture before allowing it to access sensitive resources, which ensures that the BYOD phones have up-to-date software and patches, making them less vulnerable to exploits.
  • Offer endpoint protection for personal devices that employees use for work.
  • Encrypt all sensitive data and consider requiring an app like a VPN that encrypts mobile communications to the corporate network.

Phishing simulations & training

Phishing simulations & training

Build the knowledge and skills to stay cyber secure at work and home with 2,000+ security awareness resources. Unlock the right subscription plan for you.

Securing your mobile device for work

Android malware is just one of the many threats that personal devices pose to your organization. But in today’s digital workplace, prohibiting employees from connecting personal devices to your network is probably not the most effective way to address BYOD risks. Your best option is to have a strategy that ensures that employees can use their smart devices securely, whether that’s an Android phone or anything else.

Like with any security strategy, implementing BYOD means taking a look at your processes, people and technology and understanding your risks and closing your security gaps before you greenlight the idea.



Threat Advisory: BlackRock Mobile Malware, Zimperium

Android malware can steal Google Authenticator 2FA codes, ZDnet

This Android-infecting Trojan malware uses your phone to attack your router, ZDNet

Google Warns That Preinstalled Malware Affected Millions Of Android Devices, Pulse 2.0

Mobile Menace Monday: Android Trojan raises xHelper, Malwarebytes

Android Trojan xHelper uses persistent re-infection tactics: here’s how to remove, Malwarebytes

Click Fraud Risk as Smartphone Discovered with Pre-Installed Malware, Infosecurity 

Mobile malware evolution 2020, Kaspersky

The secret behind ‘unkillable’ Android backdoor called xHelper has been revealed, Ars Technica

Pre-installed auto installer threat found on Android mobile devices in Germany,” Malwarebytes

Chinese phone maker denies handset in Lifeline program came with preinstalled malware, CNET  

Rodika Tollefson
Rodika Tollefson

Rodika Tollefson splits her time between journalism and content strategy and creation for brands. She’s covered just about every industry over a two-decade career but is mostly interested in technology, cybersecurity and B2B topics. Tollefson has won various awards for her journalism and multimedia work. Her non-bylined content appears regularly on several top global brands’ blogs and other digital platforms. She can be reached at