Two companies have discovered that someone had covertly installed malware on 38 devices used by their employees.

According to security firm Check Point, the installation of the malicious apps took place somewhere along the supply chain, after phones left the manufacturer's factory and before they arrived at the two companies.

Phones infected with Loki and Slocker

Researchers say they've identified two malware families on the infected phones. These are the Loki adware/infostealer and Slocker mobile ransomware.

On most phones, researchers say they spotted the Loki malware, a very powerful malware family capable of gaining root privileges and infecting even Zygote, one of the Android operating system's core processes.

While Loki can do a lot of harm, in most cases the malware is used as an infostealer to gather data from infected devices, and also as adware that shows ads on top of other apps.

On the other hand, Slocker infections were rarer, but once activated, this ransomware can lock devices using AES encryption and communicate covertly with its C&C servers, which are hosted on Tor.

Only 38 smartphones found infected

Two companies were affected, a large telecommunications company and a multinational technology company. Only 38 devices were found infected with Loki and Slocker.

The malware wasn't always embedded in the same app. Check Point says the following applications were found laced with the two malware strains.

air.fyzb3
com.android.deketv
com.android.ys.services
com.androidhelper.sdk
com.armorforandroid.security
com.baycode.mop
com.changba
com.ddev.downloader.v2
com.example.loader
com.example.loader
com.fone.player1
com.google.googlesearch
com.iflytek.ringdiyclient
com.kandian.hdtogoapp
com.kandian.hdtogoapp
com.lu.compass
com.mobogenie.daemon
com.mojang.minecraftpe
com.sds.android.ttpod
com.skymobi.mopoplay.appstore
com.yongfu.wenjianjiaguanli
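As an added defender-side example (not from the article and not Check Point's code), the helper below takes the output of `adb shell pm list packages -f` from a device, flags any package whose name is on the list above, and records whether the APK sits on a firmware partition, which is what a responder would expect from an app planted in the supply chain rather than installed by the user. The sample `pm` output is constructed, and the set of firmware partition prefixes is an assumption.

```python
import re

# Package names Check Point reported on the 38 infected devices (copied from the list above).
KNOWN_BAD_PACKAGES = {
    "air.fyzb3", "com.android.deketv", "com.android.ys.services", "com.androidhelper.sdk",
    "com.armorforandroid.security", "com.baycode.mop", "com.changba", "com.ddev.downloader.v2",
    "com.example.loader", "com.fone.player1", "com.google.googlesearch", "com.iflytek.ringdiyclient",
    "com.kandian.hdtogoapp", "com.lu.compass", "com.mobogenie.daemon", "com.mojang.minecraftpe",
    "com.sds.android.ttpod", "com.skymobi.mopoplay.appstore", "com.yongfu.wenjianjiaguanli",
}

# Partitions that belong to the firmware image (assumed set): an APK here shipped with the
# device, and a plain `pm uninstall` cannot remove it (without root it can only be disabled).
FIRMWARE_PREFIXES = ("/system/", "/vendor/", "/product/")

# One line of `adb shell pm list packages -f` reads: package:/path/to/base.apk=com.package.name
LINE_RE = re.compile(r"^package:(?P<path>\S+?)=(?P<pkg>[A-Za-z0-9_.]+)$")

def parse_pm_list(output: str) -> dict:
    """Map package name -> APK path; lines not in the pm format are ignored."""
    found = {}
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            found[m.group("pkg")] = m.group("path")
    return found

def triage(output: str) -> list:
    """One record per installed package whose name is on the Check Point list; `preinstalled`
    says whether the APK sits on a firmware partition (consistent with supply-chain tampering)
    or was installed later under /data/app."""
    hits = []
    for pkg, path in sorted(parse_pm_list(output).items()):
        if pkg in KNOWN_BAD_PACKAGES:
            hits.append({"package": pkg, "apk": path,
                         "preinstalled": path.startswith(FIRMWARE_PREFIXES)})
    return hits

# Constructed sample output (not a real device capture) mixing legitimate and listed packages.
SAMPLE_PM_OUTPUT = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/app/GoogleSearch/GoogleSearch.apk=com.google.googlesearch
package:/data/app/com.example.loader-1/base.apk=com.example.loader
package:/data/app/com.whatsapp-2/base.apk=com.whatsapp
"""

if __name__ == "__main__":
    for hit in triage(SAMPLE_PM_OUTPUT):
        print(hit)
```

A package-name match is only a lead: confirm a hit by pulling the APK with `adb pull` and comparing its hash against the list Check Point published.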

Attackers also didn't target a specific phone brand. The following phone makes and models were found carrying the two malware strains.

Asus Zenfone 2 (5 devices)
LG G4
Lenovo A850
Lenovo S90 (2 devices)
Nexus 5 (2 devices)
Nexus 5X
Oppo N3
Oppo R7 Plus
Samsung Galaxy A5 (2 devices)
Samsung Galaxy Note 2 (2 devices)
Samsung Galaxy Note 3
Samsung Galaxy Note 4 (3 devices)
Samsung Galaxy Note 5
Samsung Galaxy Note 8
Samsung Galaxy Note Edge
Samsung Galaxy S4 (5 devices)
Samsung Galaxy S7
Samsung Galaxy Tab 2 (2 devices)
Samsung Galaxy Tab S2
Xiaomi Mi 4i
Xiaomi Redmi
ZTE x500
vivo X6 plus

At the time of writing, Check Point could not say if the apps were installed by an attacker trying to hack into the networks of the two unnamed companies, or if this was just a random act of crime that might have affected more companies and users, yet to be discovered.

A list of SHA hashes for the malicious APKs is available on the Check Point blog.