Android Devices Found Shipping With Firmware-Level Malware
Sophos reported that some Android devices were delivered to users with malware already embedded at the firmware level, indicating compromise somewhere in the device supply chain rather than through a typical post-sale infection. Because the malicious code resides below the application layer, it can survive resets, evade standard mobile security controls, and give attackers persistent access to the device.
The finding raises concerns for enterprises that rely on Android endpoints for corporate access, especially where bring-your-own-device and low-cost handset procurement are common. Preinstalled firmware malware can expose credentials, communications, and managed applications from the moment a device is activated, making hardware sourcing, mobile threat defense, and strict device attestation critical parts of enterprise mobile security programs.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
1 event from the most recent confirmed update back to the earliest known activity.
Sophos reports Android devices shipping with firmware-level malware
Sophos published research describing Android devices that were shipped with malware embedded at the firmware level, indicating compromise before end users received the devices. No earlier discrete events are provided in the reference content.
Sources
1 reference tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Supply-Chain Tampering and Persistent Malware Risks on Android and Smartphones
Reporting highlighted **supply-chain malware pre-installed on Android devices** during manufacturing/distribution, enabling low-level capabilities such as data exfiltration, command execution, and persistent unauthorized access before a user ever installs apps. The reporting emphasized that this type of embedded compromise can bypass typical app-based defenses and app-store controls, making mobile devices a durable foothold into personal and corporate environments; recommended mitigations included verifying device integrity, enforcing secure boot chains, and monitoring behavior across managed mobile fleets. Separately, academic research described a **remote “fingerprinting” method** to detect whether a smartphone has been altered during manufacturing by comparing its cellular radio emissions against a library of trusted device/model fingerprints using standards-compliant base-station emulation and specialized SIMs. Another write-up focused on **post-install Android malware persistence techniques** (e.g., `BOOT_COMPLETED` autostart via `BroadcastReceiver`, abuse of overlays to block force-stop/uninstall, and self-restart behaviors), which is related to mobile malware resilience but is not specific to supply-chain preinstallation or the cited manufacturing-tamper investigations.
Mar 21, 2026
Surge in Android Malware and Pre-Installed Threats Targeting Mobile Users
Multiple security researchers have reported a significant escalation in Android-targeted threats, including the discovery of new malware families, pre-installed trojans, and spyware on both counterfeit and budget smartphones. The Triada trojan continues to be found pre-installed on counterfeit Android devices, granting attackers full device control and enabling credential theft, botnet enrollment, and unauthorized access to sensitive apps. In parallel, certain budget Samsung phones have reportedly shipped with an unremovable system app, AppCloud, described as spyware that collects sensitive user data and cannot be removed without voiding the warranty. These findings highlight the persistent risks associated with purchasing devices from untrusted sources and the growing sophistication of supply chain threats. The overall threat landscape for Android users has intensified in 2025, with a marked increase in malware, adware, and potentially unwanted program (PUP) detections. Attackers are shifting from nuisance apps to more covert tools capable of harvesting data, intercepting messages, and facilitating account takeovers. The rise in SMS-based attacks and the integration of advanced capabilities, such as one-time passcode theft, underscore the need for heightened vigilance and robust mobile security practices. Security experts emphasize the importance of verifying device integrity, using only official firmware, and implementing strict security policies to mitigate these evolving threats.
Mar 21, 2026
Hardware-Level Android Chip Vulnerabilities Enable Device Compromise
Security researchers and vendors reported **hardware/firmware-level vulnerabilities in Android chip components** that can enable deep device compromise beyond typical app-layer defenses. Ledger’s Donjon research described a flaw involving **MediaTek chip boot-chain behavior and Trustonic’s trusted execution environment (TEE)** that allowed rapid physical compromise: by connecting an affected phone to a laptop over **USB**, attackers could allegedly brute-force the PIN, decrypt storage, and extract sensitive data including messages and **cryptocurrency wallet seed phrases** (e.g., Kraken Wallet, Phantom). The researchers estimated the affected MediaTek chips appear in roughly **one-quarter of Android phones**, disproportionately in lower-cost devices. Separately, Zimperium reported active exploitation of a **Qualcomm graphics zero-day** (**CVE-2026-21385**) in targeted Android attacks, describing a memory-corruption condition that could enable code execution or unauthorized access across “hundreds” of Qualcomm chipsets. A ZDNET article on Android’s *Repair Mode* primarily provides user guidance and anecdotal troubleshooting around a buggy March update/SIM recognition issue; it does not substantively address the chip-level vulnerabilities described in the other reporting and is best treated as tangential consumer advice rather than incident or vulnerability intelligence.
Mar 21, 2026