Malicious apps were surreptitiously added somewhere along the supply chain.

A commercial malware scanner used by businesses has recently detected an outbreak of malware that came preinstalled on more than three dozen Android devices.

An assortment of malware was found on 38 Android devices belonging to two unidentified companies. This is according to a blog post published Friday by Check Point Software Technologies, maker of a mobile threat prevention app. The malicious apps weren't part of the official ROM firmware supplied by the phone manufacturers but were added later somewhere along the supply chain. In six of the cases, the malware was installed to the ROM using system privileges, a technique that requires the firmware to be completely reinstalled for the phone to be disinfected.

"This finding proves that, even if a user is extremely careful, never clicks a malicious link, or downloads a fishy app, he can still be infected by malware without even knowing it," Check Point Mobile Threat Researcher Daniel Padon told Ars. "This should be a concern for all mobile users."

Most of the malicious apps were info stealers and programs that displayed ads on the phones. One malicious ad-display app, dubbed "Loki," gains powerful system privileges on the devices it infects. Another app was a mobile ransomware title known as "Slocker," which uses Tor to conceal the identity of its operators.

The infected devices included:

Galaxy Note 2
LG G4
Galaxy S7
Galaxy S4
Galaxy Note 4
Galaxy Note 5
Galaxy Note 8
Xiaomi Mi 4i
Galaxy A5
ZTE x500
Galaxy Note 3
Galaxy Note Edge
Galaxy Tab S2
Galaxy Tab 2
Oppo N3
vivo X6 plus
Nexus 5
Nexus 5X
Asus Zenfone 2
LenovoS90
OppoR7 plus
Xiaomi Redmi
Lenovo A850
Check Point didn't disclose the names of the companies that owned the infected phones.

Padon said it's not clear if the two companies were specifically targeted or if the infections were part of a broader, more opportunistic campaign. The presence of ransomware and other easy-to-detect malware seems to suggest the latter. Check Point also doesn't know where the infected phones were obtained. One of the affected parties was a "large telecommunications company" and the other was a "multinational technology company."

Here we go again

This isn't the first time Android phones have been shipped preinstalled with apps that can surreptitiously siphon sensitive user data to unknown parties. In November, researchers found a secret backdoor installed on hundreds of thousands of Android devices manufactured by BLU. A few days later, a separate research team uncovered a different backdoor on more than 3 million Android devices from BLU and other manufacturers. In those cases, however, the backdoors were previously unknown, and, in the latter case, they were intended to deliver legitimate over-the-air updates.

Friday's report shows why it's never a bad idea to scan a new Android device for malware, especially if the device is obtained through low-cost channels. Reputable malware scanners such as those from Lookout, Check Point, or Malwarebytes are all suitable. Most such apps can be used to scan a phone without having to pay a subscription. Although who sold or supplied the 38 phones Check Point found infected is unknown, another general rule is to avoid low-cost resellers. Instead, buy from a trusted store or website.