Two companies have discovered that someone had covertly installed malware on 38 devices used by their employees.
According to security firm Check Point, the installation of the malicious apps took place somewhere along the supply chain, after phones left the manufacturer's factory and before they arrived at the two companies.
Researchers say they've identified two malware families on the infected phones. These are the Loki adware/infostealer and Slocker mobile ransomware.
On most of the phones, researchers found the Loki malware, a very capable family that can gain root privileges and infect even Zygote, the core Android process from which every app process is forked.
While Loki can do a lot of harm, in most cases it is used as an infostealer to gather data from infected devices and as adware, showing ads on top of other apps.
Slocker infections, on the other hand, were rarer, but once activated this ransomware can lock a device by encrypting it with AES, and it communicates covertly with C&C servers hosted on Tor.
Two companies were affected, a large telecommunications company and a multinational technology company. Only 38 devices were found infected with Loki and Slocker.
The malware wasn't always embedded in the same app. Check Point says the following applications were found laced with the two malware strains.
Attackers also didn't target a specific phone brand. The following phone makes and models were found carrying the two malware strains.
Asus Zenfone 2 (5 devices)
Lenovo S90 (2 devices)
Nexus 5 (2 devices)
Samsung Galaxy A5 (2 devices)
Samsung Galaxy Note 2 (2 devices)
Samsung Galaxy Note 3
Samsung Galaxy Note 4 (3 devices)
Samsung Galaxy Note 5
Samsung Galaxy Note 8
Samsung Galaxy Note Edge
Samsung Galaxy S4 (5 devices)
Samsung Galaxy S7
Samsung Galaxy Tab 2 (2 devices)
Samsung Galaxy Tab S2
Xiaomi Mi 4i
vivo X6 plus
At the time of writing, Check Point could not say whether the apps were installed by an attacker trying to break into the networks of the two unnamed companies, or whether this was a random act of crime that may have affected more companies and users yet to be discovered.
A list of SHA hashes for the malicious APKs is available on the Check Point blog.
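For a team that wants to check its own fleet against a published hash list such as the one mentioned above, the check is simply to hash every APK pulled from a device and look it up in the list. The script below is an added example, not Check Point's code and not from the original article: the IoC feed format (one hex digest per line, '#' comments), the package names and the APK bytes are all constructed for the demo, and the digests in the feed are computed from those constructed bytes rather than taken from the real list.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Set


def load_ioc_hashes(text: str) -> Set[str]:
    """Parse a hash list (hypothetical feed format: one SHA-1 or SHA-256 hex
    digest per line, '#' starts a comment) into a set of lowercase digests.
    Malformed entries raise rather than silently shrinking the list."""
    hashes = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower()
        if not line:
            continue
        if len(line) not in (40, 64) or any(c not in "0123456789abcdef" for c in line):
            raise ValueError("malformed hash entry: %r" % line)
        hashes.add(line)
    return hashes


def digests(path: Path) -> Dict[str, str]:
    """Stream a file once and return both its SHA-1 and SHA-256 hex digests,
    so a feed in either format can be matched without re-reading the APK."""
    sha1, sha256 = hashlib.sha1(), hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            sha1.update(chunk)
            sha256.update(chunk)
    return {"sha1": sha1.hexdigest(), "sha256": sha256.hexdigest()}


def scan_apk_dir(directory: Path, iocs: Set[str]) -> Dict[str, str]:
    """Return {apk filename: 'algo:digest'} for every .apk in the directory
    whose digest appears in the IoC set."""
    hits = {}
    for apk in sorted(directory.glob("*.apk")):
        for algo, hexdigest in digests(apk).items():
            if hexdigest in iocs:
                hits[apk.name] = "%s:%s" % (algo, hexdigest)
                break
    return hits


def demo() -> Dict[str, str]:
    """Write two constructed APK files and flag the one whose hash is on the feed."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        bad = d / "com.example.bad.apk"    # hypothetical package name
        good = d / "com.example.good.apk"  # hypothetical package name
        # Constructed bytes standing in for real APK contents.
        bad.write_bytes(b"PK\x03\x04 constructed stand-in for a malicious APK")
        good.write_bytes(b"PK\x03\x04 constructed stand-in for a benign APK")
        # Constructed feed: the digest of the 'bad' sample plus a comment line.
        feed = "# constructed IoC feed\n%s\n" % hashlib.sha256(bad.read_bytes()).hexdigest()
        return scan_apk_dir(d, load_ioc_hashes(feed))


if __name__ == "__main__":
    for name, match in demo().items():
        print("MATCH %s %s" % (name, match))
```

On a real handset the APK paths come from `adb shell pm list packages -f` and the files from `adb pull`; point `scan_apk_dir` at the pull directory and `load_ioc_hashes` at the downloaded list. Because the feed parser accepts both SHA-1 and SHA-256 and the file is hashed with both in one pass, the same scan works whichever digest a vendor publishes.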