Malicious plugins discovered in Android device firmware

  • May 15, 2023

Trend Micro researchers report that pre-installing malware on Android devices, especially smartphones, has become increasingly common in recent years.

The existence of Android malware is a very old story that we have covered many times. Normally, however, it is picked up from unreliable stores or repositories, or from the Google Play Store itself, despite the fact that the search giant has implemented measures like Play Protect to strengthen security on its own front.

What Trend Micro researchers are reporting goes a step further, as the malware comes pre-installed on Android devices, making it more difficult to uninstall as a result. What a user has installed from the Play Store or other stores can be easily removed, but when malware is embedded in the device’s system or firmware, its removal is more complicated and may require drastic measures.

When we dive into Trend Micro’s findings, many of the firmware images they reviewed contained code snippets that were described as “silent plugins”. Researchers discovered more than 80 such plugins, but only a few were widely distributed. The worst part is that the most popular ones are sold secretly and promoted through blogs and platforms like Facebook and YouTube.

And what do these “silent plugins” allow you to do? Among the options, according to Trend Micro, is one that lets cybercriminals “rent” multiple devices at once for up to five minutes and use them to steal credentials or other sensitive user information. Other plugins provide the option to download and install additional malware on the infected device.

The cybersecurity company’s experts point out that another reason is the race to the bottom among mobile firmware developers: selling firmware stopped being profitable, and many developers subsequently began to offer their firmware for free.

Researchers estimate that millions of infected devices are currently in use worldwide, with Eastern Europe and Southeast Asia apparently the most affected by these “silent plugins.” As for specific data, it is interesting that the cybercriminals themselves boast that 8.9 million Android devices are loaded with at least one of these “silent plugins” (which are clearly malicious plugins now).

Trend Micro has confirmed the presence of these malicious plugins in devices from at least ten vendors, mostly of Chinese origin. The cybersecurity firm suspects there are forty other affected vendors, but for now it is more interested in determining where in the supply chain the infection is most likely to occur.

Google is aware of this problem, but it is not easy to solve due to the complexity of the Android OEM supply chain and the open nature of the Android Open Source Project, which can make things much easier for malware developers if things are not done right, especially when it comes to monitoring. The devices most affected by “silent plugins” are apparently cheap ones, coming mainly from brands of Chinese origin, so Trend Micro recommends buying higher-end devices from manufacturers like Samsung or Google.

The search engine giant has invested a lot of effort in recent years to expand Play Protect’s capabilities to monitor apps that come pre-installed on Android devices and detect malicious behavior. However, the Mountain View-based company may have a challenge ahead in detecting and stopping these “silent plugins.”

Predictably, cybercriminals have responded to Google’s measures with further research into bypassing the protections in place, which has led to the development of a business on the dark web whose services cost between $2,000 and $20,000, according to Kaspersky.

Source: Muy Computer
