Cybersecurity researchers at Trend Micro have uncovered a disturbing supply chain attack that infected millions of Android devices with information-stealing malware before they even left the factory.

While the affected devices are mostly affordable smartphones, the attack has also spread to smartwatches, smart TVs and other smart devices. This issue was discussed at a recent conference in Singapore by Trend Micro senior researcher Fedor Yarochkin and his colleague Zhenyu Dong, who said the root of the problem is fierce competition between original equipment manufacturers.

As you know, smartphone manufacturers do not manufacture all the components of their phones themselves, but ISPs cannot charge money for their products as the price of mobile phone firmware continues to drop.

That’s why Yarochkin explained that products began to come with unwanted little things in the form of “silent add-ons”. Trend Micro found “dozens” of firmware images and 80 different plug-ins looking for malware. According to the researchers, some plugins are part of a broader “business model” and are sold on dark web forums and even on major social media platforms and blogs.

These plugins can steal sensitive information from the device, hijack SMS messages, control social media accounts, use devices for advertising and click fraud, and misuse network traffic.

Trend Micro says data shows that nearly nine million devices worldwide were affected by this supply chain attack, most of them in Southeast Asia and Eastern Europe.