Over 40 models of low-cost Android smartphones are sold already infected with the Triada banking trojan, says Dr.Web, a Russia-based antivirus vendor.

The security vendor published today a list of 42 Android models its researchers analyzed and found to be infected with the Android.Triada.231 trojan.

Triada is a very powerful Android banking trojan discovered in early 2016. It can root devices and then infect Zygote, a core Android operating system process, where it's almost impossible to remove without wiping the entire device and reinstalling the OS.

Infected smartphones sold all over the globe

Dr.Web says it found the trojan on newly shipped devices from lesser-known brands, mostly based in China, such as Leagoo, Doogee, Vertex, Advan, Cherry Mobile, and others.

"The malware is present in the devices which are sold not only in Russia but globally," a Dr.Web spokesperson told Bleeping Computer earlier today via email. "For instance, in Poland, Indonesia, China, the Czech Republic, Mexico, Kazakhstan, [and] Serbia."

Dr.Web's recent discovery isn't new; it's a continuation of previous research. Back in July 2017, researchers found the same Triada trojan on four low-cost Android smartphone models: Leagoo M5 Plus, Leagoo M8, Nomu S10, and Nomu S20.

Researchers continued to look into the matter and eventually discovered 42 smartphone models that were coming with malware pre-installed out of the box.

Experts say that their discovery over the summer didn't deter whoever was behind this action. For example, they found Triada pre-installed on Leagoo M9 phones, a model launched in December 2017.

Trojan tracked down to Shanghai software company

The antivirus vendor says it contacted all affected vendors, believing one of their shared resellers was injecting the trojan before shipping devices forward.

Instead, researchers figured out that a software developer from Shanghai was most likely the source of the Triada infection.

"This company provided Leagoo with one of its applications to be included into an image of the mobile operating system, as well as with an instruction to add third-party code into the system libraries before their compilation," researchers say. "Unfortunately, this controversial request did not evoke any suspicions from the manufacturer. Ultimately, Android.Triada.231 got to the smartphones without any obstacles."

Same company responsible for other malware campaigns

Researchers say this Triada-infected application developed by the Shanghai company was signed with the same certificate that was seen in another malware infection, in November 2016: an Android app with over 1 million downloads on the Google Play Store that was infecting users with the Android.MulDrop adware.

In the end, this is just another case where users suffer the consequences of companies that fail to validate their software supply chain.

The list of Android smartphone models that Dr.Web found infected with the Triada trojan right out of the box is below:

Leagoo M5

Leagoo M5 Plus

Leagoo M5 Edge

Leagoo M8

Leagoo M8 Pro

Leagoo Z5C

Leagoo T1 Plus

Leagoo Z3C

Leagoo Z1C

Leagoo M9

ARK Benefit M8

Zopo Speed 7 Plus

UHANS A101

Doogee X5 Max

Doogee X5 Max Pro

Doogee Shoot 1

Doogee Shoot 2

Tecno W2

Homtom HT16

Umi London

Kiano Elegance 5.1

iLife Fivo Lite

Mito A39

Vertex Impress InTouch 4G

Vertex Impress Genius

myPhone Hammer Energy

Advan S5E NXT

Advan S4Z

Advan i5E

STF AERIAL PLUS

STF JOY PRO

Tesla SP6.2

Cubot Rainbow

EXTREME 7

Haier T51

Cherry Mobile Flare S5

Cherry Mobile Flare J2S

Cherry Mobile Flare P1

NOA H6

Pelitt T1 PLUS

Prestigio Grace M5 LTE

BQ 5510