Low-cost smartphones running Google’s Android operating system have been found to be replete with malware. From the article:

“At present, pre-installed partners cover the entire mobile phone industry chain, including mobile phone chip manufacturers, mobile phone design companies, mobile phone brand manufacturers, mobile phone agents, mobile terminal stores and major e-commerce platforms,” reads a descriptive blurb about the company.

The news will have a negative impact on Google’s stock and is also likely to hurt sales of phones made by these brands as well. Many of these smartphone manufacturers may not have been aware that their phones included malware. Instead, their business model focused on offsetting production costs through the installation of paid-for applications, which (hopefully) inadvertently included the malicious applications. But it illustrates a fundamental issue all companies face today: how well do you know your customers and vendors?

Criminals will use a variety of means to hide their actions, and you will never stop them all. But, if companies begin following the Department of Defense’s lead and push for third-party certification of cybersecurity and data privacy programs before they will do business with a vendor or onboard certain types of customers, this will go a long way toward reducing the companies’ overall risk surface.

https://krebsonsecurity.com/2019/06/tracing-the-supply-chain-attack-on-android-2/