Security researchers at Dr.Web have discovered over 40 models of low-cost Android smartphones are shipped with the dreaded Android Triada banking malware.

Security researchers at Antivirus firm Dr.Web have discovered that 42 models of low-cost Android smartphones are shipped with the Android.Triada.231 banking malware.

“In the middle of 2017, Doctor Web analysts discovered a new Trojan Android.Triada.231 in the firmware of some cheap models of Android devices. Since this detection, the list of infected devices has been constantly increasing.” reads the blog post published by Dr-Web. “At the moment, the list contains over 40 models. Doctor Web specialists have monitored the Trojan’s activity and now we can publish the results of this investigation.”

The Triada Trojan was spotted for the first time in 2016 by researchers at Kaspersky Lab that considered it the most advanced mobile threat seen to the date of the discovery.

Triada was designed with the specific intent to implement financial frauds, typically hijacking the financial SMS transactions. The most interesting characteristic of the Triada Trojan apart is its modular architecture, which gives it theoretically a wide range of abilities.

The Triada Trojan makes use of the Zygote parent process to implement its code in the context of all software on the device, this means that the threat is able to run in each application.

The only way to remove the threat is to wipe the smartphone and reinstall the OS.

Researchers at Dr.Web discovered the Triada Trojan pre-installed on newly shipped devices several minor brands, including Advan, Cherry Mobile, Doogee, and Leagoo.

This isn’t the first time the company discovered a pre-installed malware on Android device, back in in July 2017 Dr..Web researchers discovered the many smartphone models were shipped with the dreaded Triada trojan such as Leagoo M5 Plus, Leagoo M8, Nomu S10, and Nomu S20.

The researchers at Dr.Web who investigated the issue discovered that a software developer from Shanghai was responsible for the infection.

“For example, it was detected on the Leagoo M9 smartphone that was announced in December 2017. Additionally, our analysts’ research showed that the Trojan’s penetration into firmware happened at request of the Leagoo partner, the software developer from Shanghai.” continues the blog post.

“This company provided Leagoo with one of its applications to be included into an image of the mobile operating system, as well as with an instruction to add third-party code into the system libraries before their compilation. Unfortunately, this controversial request did not evoke any suspicions from the manufacturer. Ultimately, Android.Triada.231 got to the smartphones without any obstacles.”

The infected app found on the device was developed by a Chinese firm, the experts highlighted that the code was signed with the same certificate that was observed in 2016 infections.

“The analysis of this application showed it is signed with the same certificate as Android.MulDrop.924. Doctor Web previously wrote about this Trojan in 2016. We can presume the developer that requested adding the additional program into the mobile operating system image can be connected expressly or implicitly with the distribution of Android.Triada.231.” continues Dr.Web.

At the moment, the experts confirmed to have detected the Android.Triada.231 in the firmware of the following Android device models:

Leagoo M5

Leagoo M5 Plus

Leagoo M5 Edge

Leagoo M8

Leagoo M8 Pro

Leagoo Z5C

Leagoo T1 Plus

Leagoo Z3C

Leagoo Z1C

Leagoo M9

ARK Benefit M8

Zopo Speed 7 Plus

UHANS A101

Doogee X5 Max

Doogee X5 Max Pro

Doogee Shoot 1

Doogee Shoot 2

Tecno W2

Homtom HT16

Umi London

Kiano Elegance 5.1

iLife Fivo Lite

Mito A39

Vertex Impress InTouch 4G

Vertex Impress Genius

myPhone Hammer Energy

Advan S5E NXT

Advan S4Z

Advan i5E

STF AERIAL PLUS

STF JOY PRO

Tesla SP6.2

Cubot Rainbow

EXTREME 7

Haier T51

Cherry Mobile Flare S5

Cherry Mobile Flare J2S

Cherry Mobile Flare P1

NOA H6

Pelitt T1 PLUS

Prestigio Grace M5 LTE

BQ 5510

Unfortunately, the number of infected smartphones models could be much bigger.

Pierluigi Paganini

(Security Affairs – Android, Triada Trojan)

Share this...

Linkedin Reddit Pinterest

Share On