Triada Banking Trojan Came Preinstalled as a Backdoor in Budget Android Smartphones, Google Confirms

It is probably the first time ever in Google's history that the company has revealed details of the tenacity and success of a piece of malware, in this case the one dubbed Triada. Triada malware was discovered in 2017 and came pre-installed on Android devices. It was believed back then that the malware had been added to the devices at some stage of the supply chain. Now Google has revealed that cybercriminals did indeed manage to compromise Android smartphones and install a backdoor while the phones were still in the supply chain. Triada is known for downloading additional Trojan components onto an infected device; these components steal sensitive data from banking apps, intercept chats from messengers and social media platforms, and also include cyber-espionage modules.
It is worth noting that Google had remained silent on the issue until now, but this week Lukasz Siewierski, a member of the firm's Android Security and Privacy team, posted an in-depth analysis of the Triada banking Trojan on Google's security blog. In the post, Siewierski confirmed that the malware did exist on new Android devices.

In 2016, Kaspersky Lab researchers identified what was probably the most advanced mobile banking Trojan of its time. The Trojan was dubbed Triada; it was discovered in the RAM (random access memory) of the smartphones and used root privileges to substitute infected files for system files. The malware kept evolving, and in 2017 Dr. Web researchers found that it no longer needed to root the smartphone to gain elevated privileges and was equipped with more advanced attack methods.
Earlier this year, Forbes reported how a banking Trojan called Triada had been found on a number of brand new budget Android smartphones. Google has now confirmed that threat actors did indeed manage to compromise Android smartphones by installing a backdoor as part of a supply chain attack.
Some of the devices identified by Dr. Web in 2018 were: Leagoo M5, Leagoo M5 Plus, Leagoo M5 Edge, Leagoo M8, Leagoo M8 Pro, Leagoo Z5C, Leagoo T1 Plus, Leagoo Z3C, Leagoo Z1C, Leagoo M9, ARK Benefit M8, Zopo Speed 7 Plus, UHANS A101, Doogee X5 Max, Doogee X5 Max Pro, Doogee Shoot 1, Doogee Shoot 2, Tecno W2, Homtom HT16, Umi London, Kiano Elegance 5.1, iLife Fivo Lite, Mito A39, Vertex Impress InTouch 4G, Vertex Impress Genius, myPhone Hammer Energy, Advan S5E NXT, Advan S4Z, Advan i5E, STF AERIAL PLUS, STF JOY PRO, Tesla SP6.2, Cubot Rainbow, EXTREME 7, Haier T51, Cherry Mobile Flare S5, Cherry Mobile Flare J2S, Cherry Mobile Flare P1, NOA H6, Pelitt T1 PLUS, Prestigio Grace M5 LTE, BQ 5510.
The malware hooked a logging function call in the Android framework: the backdoor was placed in the system image of the infected devices so that whenever an app tried to log something, the backdoor code was executed inside that app's process. Because the modified framework came factory-fitted on the new smartphones, the code ran in almost every app. Google later added new security features to prevent threats like Triada. However, the malware developers changed their strategy and carried out a supply chain attack in the summer of 2017 to get it preinstalled on low-end, budget Android smartphones, mainly from the Chinese manufacturers Nomu and Leagoo. Researchers couldn't determine how the supply chain attack occurred, but it ensured that the malware could access legitimate apps and download malicious code to perform click fraud or seed SMS messages with new scams.
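A backdoor that lives in the framework itself, as described above, is invisible to app-level scanning; it is the system partition that has to be checked. The following is an added example, not code from Google's blog post or from any of the researchers cited here: a small integrity checker that compares the files of a shipped system image against a hash manifest taken from a known-good build and reports files that were modified, added, or removed. The file paths and their contents are constructed sample data, not real Android framework files.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Finding:
    """One discrepancy between the golden manifest and the shipped image."""
    path: str
    status: str                      # "modified", "unexpected" or "missing"
    expected: Optional[str] = None   # sha256 from the manifest, if any
    actual: Optional[str] = None     # sha256 of the shipped file, if present


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Produce a path -> sha256 manifest from a known-good (golden) image."""
    return {path: sha256_hex(content) for path, content in files.items()}


def verify_image(manifest: Dict[str, str], files: Dict[str, bytes]) -> List[Finding]:
    """Compare a shipped image against the manifest.

    Every manifest entry must be present with the same hash; every file not in
    the manifest is flagged, because a preinstalled component that the vendor
    build never contained is exactly what a supply chain implant looks like.
    """
    findings: List[Finding] = []
    for path, expected in sorted(manifest.items()):
        if path not in files:
            findings.append(Finding(path, "missing", expected, None))
            continue
        actual = sha256_hex(files[path])
        if actual != expected:
            findings.append(Finding(path, "modified", expected, actual))
    for path in sorted(set(files) - set(manifest)):
        findings.append(Finding(path, "unexpected", None, sha256_hex(files[path])))
    return findings


# Constructed sample data: a hypothetical vendor build and the same build as
# it left the factory, with one framework jar altered and one extra APK added.
GOLDEN_IMAGE: Dict[str, bytes] = {
    "/system/framework/framework.jar": b"vendor framework classes v1",
    "/system/framework/services.jar": b"vendor services classes v1",
    "/system/bin/app_process64": b"vendor zygote launcher v1",
}

SHIPPED_IMAGE: Dict[str, bytes] = {
    "/system/framework/framework.jar": b"vendor framework classes v1 + extra hook",
    "/system/framework/services.jar": b"vendor services classes v1",
    "/system/bin/app_process64": b"vendor zygote launcher v1",
    "/system/priv-app/Extra/Extra.apk": b"unknown preinstalled apk",
}


def demo() -> List[Tuple[str, str]]:
    """Run the check on the constructed images and return (path, status) pairs."""
    manifest = build_manifest(GOLDEN_IMAGE)
    return sorted((f.path, f.status) for f in verify_image(manifest, SHIPPED_IMAGE))


if __name__ == "__main__":
    for path, status in demo():
        print(f"{status:>10}  {path}")
```

The check is only as trustworthy as the manifest: if the tampering happened upstream of the point where the golden build was recorded (which is the open question in the Triada case, since nobody could say where in the supply chain the implant was added), the manifest already describes the backdoored image. On production devices the same idea is enforced at block level by Android Verified Boot and dm-verity, which is why an implant has to reach the signed system image to survive a reboot.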
Siewierski explained how the backdoor worked in the blog post, which reads:
“The methods Triada used were complex and unusual for these types of apps. Triada apps started as rooting Trojans, but as Google Play Protect strengthened defenses against rooting exploits, Triada apps were forced to adapt, progressing to a system image backdoor.”

The malware primarily targeted Android version 4.4.2 and older, since newer versions blocked the process through which the malware obtained root access, and Google also blocked the injected code even when the malware was installed as a backdoor. Siewierski explained how Google worked to thwart the threat at every stage using an advanced automated system called the “Build Test Suite” and other strategies. In the blog post, Siewierski wrote:
“By working with the OEMs and supplying them with instructions for removing the threat from devices, we reduced the spread of preinstalled Triada variants and removed infections from the devices through the OTA updates. The Triada case is a good example of how Android malware authors are becoming more adept. This case also shows that it’s harder to infect Android devices, especially if the malware author requires privilege elevation.”