Budget Samsung Phones Found Shipping With Unremovable Spyware
Category: Threat Alerts / Threat Intelligence
Digital rights group SMEX accused Samsung of pre-installing AppCloud, unremovable data-harvesting software developed by Israeli firm ironSource, on Galaxy A and M series budget phones across West Asia, North Africa, and 50+ markets. The software collects sensitive data, including biometric information and IP addresses, runs invisibly in the background with no privacy policy or consent screen, and requires root access to remove, which voids the warranty. AppCloud is part of ironSource's Aura toolkit, a Samsung-exclusive partnership since 2022. Users report that the app re-enables itself after system updates. Although it can be disabled via application settings, it is deeply integrated into the OS and never appears on the home screen.
CORTEX Protocol Intelligence Assessment
Business Impact: Organizations allowing BYOD risk data exposure and regulatory liabilities when employees use devices that ship with embedded spyware tied to OEM supply chains.
Technical Context: The spyware’s privileged permissions and firmware embedding align with MITRE T1412 and T1409, making removal nearly impossible without reflashing trusted firmware images.
Strategic Intelligence Guidance
- Restrict BYOD enrollment from uncertified or unvetted Android devices.
- Deploy MDM/UEM compliance gates to block devices with unknown firmware integrity.
- Enforce zero-trust policies that validate device posture and identity signals.
- Conduct supply-chain risk reviews for mobile devices used in the organization.
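One way to turn the compliance-gate item above into a check for the reported re-enable behaviour, as an added example that is not from SMEX, Samsung, or the original alert. It assumes an MDM agent or `adb shell` collects the output of `pm list packages -d` (disabled) and `pm list packages -e` (enabled) before and after a system update; the watchlisted package name is a placeholder because the alert does not give one, and the sample listings are constructed.

```python
# Added example: package names and pm output below are constructed placeholders.
WATCHLIST = {"com.example.oem.appcloud"}  # placeholder, not the real package id

def parse_pm_list(output):
    """Parse `pm list packages` output ("package:<name>" per line) into a set."""
    names = set()
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            # With -f the form is package:<apk path>=<name>; keep only the name.
            names.add(line[len("package:"):].rsplit("=", 1)[-1])
    return names

def posture(disabled_out, enabled_out, watchlist=WATCHLIST):
    """Classify each watchlisted package as enabled, disabled or absent."""
    disabled = parse_pm_list(disabled_out)
    enabled = parse_pm_list(enabled_out)
    state = {}
    for pkg in watchlist:
        if pkg in enabled:
            state[pkg] = "enabled"
        elif pkg in disabled:
            state[pkg] = "disabled"
        else:
            state[pkg] = "absent"
    return state

def reenabled_after_update(before, after):
    """Packages the user had disabled that are enabled again after the update."""
    return sorted(p for p, s in after.items()
                  if s == "enabled" and before.get(p) == "disabled")

# Constructed snapshots: the user disabled the package, then an update ran.
BEFORE_DISABLED = "package:com.example.oem.appcloud\n"
BEFORE_ENABLED = "package:com.android.settings\npackage:com.example.launcher\n"
AFTER_DISABLED = ""
AFTER_ENABLED = ("package:com.android.settings\n"
                 "package:com.example.oem.appcloud\n"
                 "package:com.example.launcher\n")

if __name__ == "__main__":
    before = posture(BEFORE_DISABLED, BEFORE_ENABLED)
    after = posture(AFTER_DISABLED, AFTER_ENABLED)
    for pkg in reenabled_after_update(before, after):
        print(f"NON-COMPLIANT: {pkg} was disabled and is enabled after update")
```

A gate built on this should compare snapshots on every OS version change, since a one-time check at enrollment would miss a later re-enable.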
Intelligence Source: Budget Samsung Phones Found Shipping With Unremovable Spyware | Nov 21, 2025