Android phones could be hiding ‘undeletable’ malware

(Image credit:

A large number Android phones may be storing 'undeletable' files and apps following a number of widespread attacks, security researchers have warned.

A new report from Kaspersky found that many Android devices that had been hit by cybercrime could still be harbouring malicious files or items without the user's knowledge.

Overall, the firm found that 14.8% of all users attacked by malware or adware in the past year suffered an infection of the system partition, meaning files were embedded in undeletable system apps and libraries at the code level.

Android malware

Kaspersky gave the example of the CookieStealer malware, which hit the headlines in March 2020 for forcibly installing apps on victim devices to gain money for advertising, and may have infected over a quarter of devices offered by some low-cost Android vendors.

"The Android security model assumes that an antivirus is a normal app, and according to this concept, it physically can not do anything with adware or malware in system directories," Kaspersky noted, meaning criminals have to engineer their schemes to get around such rules.

The company highlighted the example of the Lezok and Triada trojans, with the latter notable for embedding its ad code directly in to libandroid_runtime — a key library used by almost all Android apps on a device. 

However Kaspersky adds that some manufacturers are equally to blame, pre-installing adware modules "under the hood" to show users adverts when in use. Although some let this feature be disabled, others don't, claiming this lowers the end cost of a device to the user.

Chinese firm Meizu was mentioned as one such culprit, with a preinstalled AppStore app launching hidden adware that can display itself in invisible windows, eating up data usage and battery life.

Kaspersky warns that for many users, it may be impossible to completely remove all malicious adware and malware from their devices, and that they may have to just learn to live alongside it. Having an up-to-date security suite can help mitigate widespread cybercrime campaigns, but some device-level installs may end up being permanent.

"Unfortunately, if a user purchases a device with such pre-installed advertising, it is often impossible to remove it without risking damage to the system," the company says.

"As for ad modules have not yet done anything malicious, the user can only hope that the developers do not tack on ads from a malicious partner network without even realizing it themselves."

Mike Moore
Deputy Editor, TechRadar Pro

Mike Moore is Deputy Editor at TechRadar Pro. He has worked as a B2B and B2C tech journalist for nearly a decade, including at one of the UK's leading national newspapers and fellow Future title ITProPortal, and when he's not keeping track of all the latest enterprise and workplace trends, can most likely be found watching, following or taking part in some kind of sport.