Android phones and tablets from four different manufacturers are arriving with malware “pre-installed” - a bogus version of Netflix which sends password and credit card information to Russia, according to app security specialist Marble Security.

David Jevans, CTO and founder of the company said that he was alerted to the problem by a company testing his product, software to help organizations manage mobile devices, after it repeatedly flagged Netflix as malicious, according to PC World’s report.

Jevans’ team analysed the app, and found that it was bogus, using  tools including one that analyzed the app’s network traffic for signs of communication with known malicious servers. Jevans says, “This isn’t the real Netflix. You’ve got one that has been tampered with, and is sending passwords and credit card information to Russia.”

Jevans says that the customer informed him that the app had arrived pre-installed, according to Info World’s report. The company then investigated devices from other customers, and found the same malicious app installed on smartphones and tablets from four manufacturers.

"We suspect for most of them, it is preinstalled," Jevans said.

According to ESET security researcher Stephen Cobb, the presence of malicious fake apps that come pre-installed points to weakness in supply chain security, an area of concern for many years in fields such as defense and military IT, but now apparently in play for criminals targeting consumers at scale.

Cobb says, “Findings like this are a warning to companies that they need to take supply chain attacks seriously, the end customer is not likely to be very forgiving of a brand if its products arrive infected with malware.”

While malware is increasingly common on Android - one analysis of malicious apps in Google’s Play Store found that Trojans and spyware had grown 400% year-on-year, as reported by We Live Security here - exercising caution on app stores had previously offered a defense against malware. Marble Security has not revealed which brands are affected by the “pre-installed” malware - but describes the problem as “widespread”.