In yet another example of the ongoing security/privacy issues with the Android operating system, both the German Federal Office for Information Security (BSI) and Google itself are warning users that new Android phones from various manufacturers are coming from the factory with malware embedded in the firmware of the device. By pre-loaded the malware in the firmware, it becomes difficult if not near impossible for the average consumer to either detect the malware or remove it. The capabilities of the malware are such that the device is completely “owned” and can be used for whatever purpose the attacker desires.
Commentary: As I have said consistently, and to paraphrase Benjamin Franklin, those who would trade convenience for security deserve neither. Not only is Google’s entire operating model built around having total knowledge of what information a user accesses in order to target them for advertising, the distribution model that Google uses to distribute their software supports attacks such as this as it is largely out of Google’s hands.
Likely Threat(s): Criminals, Nation-State
Likely Motive(s): Theft, Fraud, Espionage
Likely Means: 8.4 Attack 3rd parties/vendors
Opportunities: Be selective in who you buy systems from to ensure that they are committed to your privacy and security.