
Pre-installed Firmware Grayware

Malware and data-harvesting code embedded in Android device firmware during manufacturing. Unlike app-level grayware, firmware-level infections live on the read-only system partitions rather than in user data, so an ordinary uninstall does not apply to them, they survive a factory reset (which only wipes the user-data partition), and they run with system-level privileges. The budget Android supply chain is structurally compromised: economic pressure on firmware suppliers creates incentives for malware bundling.

Documented Cases

ADUPS / Shanghai Adups Technology Co. (2016): Discovered by Kryptowire. ADUPS supplied commercial FOTA (Firmware Over The Air) update software and claimed more than 700 million active users across 150+ countries. The most prominent affected device was the BLU R1 HD, sold through Amazon and Best Buy. The collection was deliberate functionality built into the FOTA software, not an exploited vulnerability. Every 72 hours the devices exfiltrated full SMS message bodies and call history with full telephone numbers to Chinese servers (bigdata.adups.com); contact lists, IMSI and IMEI identifiers and, in some versions, fine-grained GPS location went out on a 24-hour cycle. A secondary server (rebootv5.adsunflower.com) could issue remote commands that ran with system privileges, install applications and reprogram the device. The two system applications responsible (com.adups.fota and com.adups.fota.sysoper) could not be disabled by end users. Follow-up research later identified ADUPS components on devices from 43 phone vendors.

Chamois (2017-2019): Ad fraud botnet first described by Google in 2017; by 2019 Google put its footprint at over 21 million devices, with much of the distribution running through the supply chain as code embedded in firmware during manufacturing rather than through app stores. It generated fraudulent ad revenue through background ad clicks and premium SMS.

Cosiloon (2018): Avast found this adware pre-installed on several hundred low-cost Android device models from ZTE, Archos, myPhone and others, on devices in more than 100 countries. The dropper lived in the system partition, so it simply re-downloaded the adware payload after a user removed it, and it used strong obfuscation. It had been active for at least three years before discovery. Most affected devices were not Google-certified.

Triada in firmware (2019): Google confirmed that Triada was pre-installed in the firmware of budget Android phones during the manufacturing process. A supply chain vendor injected the malware into the system image. Triada operated at the framework level with system privileges, injecting code into every running app process.

Gionee trojan (2020): Over 20 million smartphones infected intentionally between December 2018 and October 2019. Gionee's subsidiary Shenzhen Zhipu Technology implanted a trojan via the "Story Lock Screen" app, using a system called the "Dark Horse Platform" to manage the malware. Executives were convicted and sentenced to 3-3.5 years in prison with CNY 200,000 fines, having profited approximately $4.2 million from ad fraud.

Lemon Group / "Guerrilla" (2023): Trend Micro presented at Black Hat Asia 2023 that 8.9 million Android devices across 180 countries were pre-infected. 55% of victims in Asia, 17% in North America. The malware included an SMS plugin (intercepting OTPs for WhatsApp, Facebook), a proxy plugin (selling victim bandwidth as residential proxies), a cookie plugin (hijacking Facebook and WhatsApp sessions), and a silent app installer. Firmware prices had dropped to zero due to competition among distributors, who began bundling "silent plugins" as monetization. Lemon Group rebranded as "Durian Cloud SMS" after exposure. Overlapping C2 infrastructure indicated collaboration with Triada operators.

RottenSys (2018): Malware disguised as a "System Wi-Fi service" discovered by Check Point pre-installed on devices from Honor, Huawei, Xiaomi, Samsung, HTC, Lenovo, Coolpad, and ZTE. Did not start malicious activity immediately. After a delay, it downloaded ad-display components. Distribution traced to Tian Pai, a Hangzhou-based supply chain distributor (responsible for 49.2% of infections). 4,964,460 infected devices as of March 2018, propagating since September 2016. In 10 days of monitoring: 13.25 million ad impressions, 548,822 clicks, $115,000+ revenue.

BADBOX / BADBOX 2.0 (2023-2025): Off-brand Android devices (TV boxes, tablets, projectors, car infotainment) sold with pre-installed malware. First surfaced in January 2023 when researcher Daniel Milisic found unusual network traffic from a T95 Android TV box. HUMAN Security's investigation (October 2023) uncovered the BADBOX/PEACHPIT operation: infected devices running ad fraud via fake SSPs, creating WhatsApp and Gmail accounts using stolen OTPs, and acting as residential proxies. It evolved into BADBOX 2.0 by 2025; Google's July 2025 complaint put it at over 10 million infected AOSP-based devices across 222 countries, the largest connected TV botnet yet uncovered. Infected products were found on US public school networks. The PEACHPIT ad fraud component generated 4 billion fraudulent bid requests per day at peak, across 121,000 Android and 159,000 iOS devices daily. Google filed a lawsuit in July 2025 against 25 Chinese entities connected to the operation.

Tecno / Transsion (2020): Triada and xHelper found pre-installed on Transsion's Tecno W2 smartphones sold primarily in Africa. Secure-D recorded 19.2 million suspicious transactions from 200,000+ unique devices across Ethiopia, Cameroon, Egypt, Ghana, and South Africa. The malware silently signed users up for premium subscriptions. Google attributed the insertion to "a malicious supplier somewhere within the supply chain." Transsion is the top-selling phone manufacturer in Africa (40.6% of smartphone market, 69.5% of feature phones in Q4 2019).

UMX Lifeline Program Phones (2020): The UMX U686CL, a $35 phone distributed through the US government's Lifeline Assistance program for low-income Americans, shipped with two malware components: a Wireless Update app (Adups variant silently installing HiddenAds trojan) and the Settings app itself functioning as a trojan dropper. Since Settings is essential to device operation, removing it bricked the phone. Malwarebytes later found the same pattern on the ANS UL40. Both brands traced back to TeleEpoch Ltd.

GMobi SDK (2016): Adware SDK discovered by Dr.Web pre-installed on ~40 mobile device models including the Micromax AQ5001. It collected email addresses, device information and GPS/network coordinates, displayed ad notifications, and could send SMS and make mobile payments on command from its C&C server. It was also found bundled in apps from ASUS (WebStorage) and even in Trend Micro's own Dr. Safety and Dr. Booster products.

Why Firmware Grayware Persists

The economics are straightforward: budget Android device manufacturers outsource firmware to third-party suppliers. These suppliers face razor-thin margins and monetize through embedded SDKs, adware, and data collection. Play Protect certification (which requires passing the Compatibility Test Suite and ships Google Play Protect on the device) reduces this on certified devices, but most affected phones are uncertified models sold through online marketplaces in developing markets. The user has no way to remove firmware-level malware short of flashing a clean system image: a system app can at most be disabled, or hidden for the current user with pm uninstall -k --user 0, but its APK stays on the partition and comes back after a factory reset, and flashing requires technical knowledge and an unlocked bootloader that budget manufacturers rarely provide.
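As an added example (not code from any of the researchers or vendors named on this page), the following Python script does the first-pass triage a practitioner would run over adb shell pm list packages -f and adb shell dumpsys package output, covering both the persistence property in the definition above and the removal problem described in this section. It separates packages on the read-only firmware partitions (/system, /system_ext, /vendor, /product, /odm, /oem, which a factory reset does not wipe) from those under /data, and flags firmware-resident packages that run as the system shared user, sit in a priv-app directory, or request the SMS, contact, call log, location, boot-receiver or package-install permissions the cases above abused. The adb output embedded in the script is constructed sample data with made-up package names; the partition paths and permission constants are the real AOSP ones.

```python
# Added example: first-pass triage of pre-installed Android packages from adb output.
# Not code from any vendor or researcher named on the page. The SAMPLE_* data is
# constructed; the partition paths and permission names are the real AOSP ones.
import re
from dataclasses import dataclass, field

# Partitions a factory reset leaves untouched (a reset only formats /data).
FIRMWARE_PREFIXES = ("/system/", "/system_ext/", "/vendor/", "/product/", "/odm/", "/oem/")
WATCH_PERMISSIONS = {  # permissions matching the data the documented cases harvested or abused
    "android.permission.READ_SMS", "android.permission.RECEIVE_SMS", "android.permission.SEND_SMS",
    "android.permission.READ_CONTACTS", "android.permission.READ_CALL_LOG", "android.permission.READ_PHONE_STATE",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.INSTALL_PACKAGES", "android.permission.RECEIVE_BOOT_COMPLETED",
}

@dataclass
class Pkg:
    name: str
    apk_path: str
    shared_user: str = ""                      # e.g. android.uid.system
    requested: set = field(default_factory=set)

def parse_pm_list(text: str) -> dict:
    """Parse `adb shell pm list packages -f` lines of the form package:<apk path>=<name>."""
    pkgs = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            # rpartition, not split: modern /data/app paths contain base64 '==' segments
            path, _, name = line[len("package:"):].rpartition("=")
            pkgs[name] = Pkg(name=name, apk_path=path)
    return pkgs

def apply_dumpsys(pkg: Pkg, text: str) -> None:
    """Pull sharedUser and the requested-permissions block out of `dumpsys package <name>`."""
    m = re.search(r"sharedUser=SharedUserSetting\{\S+ (android\.uid\.\w+)/\d+\}", text)
    if m:
        pkg.shared_user = m.group(1)
    in_block = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "requested permissions:":
            in_block = True
        elif in_block and (not stripped or stripped.endswith(":")):
            in_block = False               # next section, e.g. "install permissions:"
        elif in_block:
            pkg.requested.add(stripped.split(":")[0])  # drop ": restricted=true" style flags

def triage(pkgs: dict) -> list:
    """Return (name, reasons) for firmware-resident packages that deserve a closer look."""
    findings = []
    for pkg in pkgs.values():
        if not pkg.apk_path.startswith(FIRMWARE_PREFIXES):
            continue                       # lives under /data: uninstall or reset removes it
        reasons = []
        if pkg.shared_user == "android.uid.system":
            reasons.append("runs as android.uid.system")
        elif "/priv-app/" in pkg.apk_path:
            reasons.append("privileged app directory")
        hits = sorted(pkg.requested & WATCH_PERMISSIONS)
        if hits:
            reasons.append("requests " + ", ".join(p.rsplit(".", 1)[1] for p in hits))
        if reasons:
            findings.append((pkg.name, reasons))
    return sorted(findings)

def audit(pm_list_text: str, dumpsys_by_pkg: dict) -> list:
    pkgs = parse_pm_list(pm_list_text)
    for name, text in dumpsys_by_pkg.items():
        if name in pkgs:
            apply_dumpsys(pkgs[name], text)
    return triage(pkgs)

# Constructed sample output standing in for a real device; package names are made up.
SAMPLE_PM_LIST = """\
package:/system/priv-app/WirelessUpdate/WirelessUpdate.apk=com.example.wirelessupdate
package:/system/app/Calculator/Calculator.apk=com.example.calculator
package:/vendor/app/DiagTool/DiagTool.apk=com.example.diagtool
package:/data/app/~~abc==/com.example.chat-xyz==/base.apk=com.example.chat
"""
SAMPLE_DUMPSYS = {
    "com.example.wirelessupdate": """\
    sharedUser=SharedUserSetting{3c4d5e android.uid.system/1000}
    requested permissions:
      android.permission.READ_SMS
      android.permission.READ_CONTACTS
      android.permission.INSTALL_PACKAGES
    install permissions:
      android.permission.INSTALL_PACKAGES: granted=true
""",
    "com.example.diagtool": """\
    requested permissions:
      android.permission.READ_PHONE_STATE: restricted=true
      android.permission.ACCESS_FINE_LOCATION
""",
    "com.example.chat": "    requested permissions:\n      android.permission.READ_SMS\n",
}

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_PM_LIST, SAMPLE_DUMPSYS):
        print(f"{name}: {'; '.join(reasons)}")
```

On the sample data the script reports only the two firmware-resident packages with something to explain (the /vendor diagnostic tool for its location and phone-state permissions, the priv-app update client for running as android.uid.system and holding SMS, contact and package-install permissions); the calculator on /system and the chat app under /data are dropped. To run it against a device, substitute the output of adb shell pm list packages -f and adb shell dumpsys package for each flagged name. Two caveats: a hit is a lead, not a verdict, since legitimate carrier and OEM update clients request the same permissions, so pull the APK and inspect it before drawing conclusions; and pm uninstall -k --user 0 only hides a flagged package for that user, the APK stays on the partition and a factory reset restores it, which is exactly the persistence property the definition at the top of the page describes.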