March 1, 2018

In the middle of 2017, Doctor Web analysts discovered a new Trojan Android.Triada.231 in the firmware of some cheap models of Android devices. Since this detection, the list of infected devices has been constantly increasing. At the moment, the list contains over 40 models. Doctor Web specialists have monitored the Trojan’s activity and now we can publish the results of this investigation.

Android.Triada.231—one of the dangerous Android.Triada Trojans. These Trojans infect the process of an important Android system component, Zygote. This process is used to launch all applications. Once the Trojans inject into this module, they penetrate other running applications. In doing so, they obtain the ability to carry out various malicious activities without a user’s intervention: they covertly download and launch software. The key feature of Android.Triada.231 is that cybercriminals inject this Trojan into the libandroid_runtime.so system library. They do not distribute the Trojan as a separate program. As a result, the malicious application penetrates the device firmware during manufacture. Users receive their devices already infected from the box.

In the past summer, following detection of Android.Triada.231, Doctor Web security researchers notified manufacturers who produced infected devices. However, new smartphones models continue getting infected with this malware. For example, it was detected on the Leagoo M9 smartphone that was announced in December 2017. Additionally, our analysts’ research showed that the Trojan’s penetration into firmware happened at request of the Leagoo partner, the software developer from Shanghai. This company provided Leagoo with one of its applications to be included into an image of the mobile operating system, as well as with an instruction to add third-party code into the system libraries before their compilation. Unfortunately, this controversial request did not evoke any suspicions from the manufacturer. Ultimately, Android.Triada.231 got to the smartphones without any obstacles.

The analysis of this application showed it is signed with the same certificate as Android.MulDrop.924. Doctor Web previously wrote about this Trojan in 2016. We can presume the developer that requested adding the additional program into the mobile operating system image can be connected expressly or implicitly with the distribution of Android.Triada.231.

At the moment, security researchers have detected Android.Triada.231 in the firmware of over 40 Android device models:

Leagoo M5

Leagoo M5 Plus

Leagoo M5 Edge

Leagoo M8

Leagoo M8 Pro

Leagoo Z5C

Leagoo T1 Plus

Leagoo Z3C

Leagoo Z1C

Leagoo M9

ARK Benefit M8

Zopo Speed 7 Plus

UHANS A101

Doogee X5 Max

Doogee X5 Max Pro

Doogee Shoot 1

Doogee Shoot 2

Tecno W2

Homtom HT16

Umi London

Kiano Elegance 5.1

iLife Fivo Lite

Mito A39

Vertex Impress InTouch 4G

Vertex Impress Genius

myPhone Hammer Energy

Advan S5E NXT

Advan S4Z

Advan i5E

STF AERIAL PLUS

STF JOY PRO

Tesla SP6.2

Cubot Rainbow

EXTREME 7

Haier T51

Cherry Mobile Flare S5

Cherry Mobile Flare J2S

Cherry Mobile Flare P1

NOA H6

Pelitt T1 PLUS

Prestigio Grace M5 LTE

BQ-5510 Strike Power Max 4G (Russia)

This is not a comprehensive list. The number of infected smartphones models could be much bigger.

Such widespread distribution of Android.Triada.231 shows that many Android device manufacturers pay little attention to security questions and penetration of the Trojan code into system components. This can be due to error or malicious intent and is likely common practice.

Dr.Web for Android detects all possible modifications to Android.Triada.231. To find out whether your mobile device is infected, scan it completely. With root privileges, Dr.Web Security Space for Android can neutralize Android.Triada.231 by curing an infected system component. If root privileges are not available on the device, you can remove this malware by installing a clean image of the operating system. Contact your device manufacturer to receive the clean image.

More about this Trojan

March 15, 2018 Update

Shortly after Doctor Web informed manufacturers of infected mobile devices about the Trojan Android.Triada.231 in their Android smartphone firmware, some of these companies reported successfully solving the detected issue. At the moment the Cubot and Leagoo companies claimed they deleted malicious applications from their devices. The list of smartphones with OS updates includes the following models:

Cubot Rainbow

Leagoo M5

Leagoo M5 Plus

Leagoo M5 Edge

Leagoo M8

Leagoo M8 Pro

Leagoo Z5C

Leagoo T1 Plus

Leagoo Z3C

Leagoo Z1C

Leagoo M9

However, while a new version of the Leagoo M9 firmware does not have Android.Triada.231 anymore, Doctor Web virus analysts have detected another malware dubbed Android.HiddenAds.251.origin installed on the device. It belongs to the Trojan family that displays annoying advertisements. Further analysis revealed that Android.HiddenAds.251.origin is also found on earlier versions of OS Android of the Leagoo M9 devices. The manufacturer of infected smartphones is currently dealing with the new issue.

It is recommended that users of infected devices check for available updates and install them in case new firmware for their phones has been released. After that, a full system scan should be done using Dr.Web for Android products in order to make sure that Android.Triada.231 was neutralized and there are no more malicious applications hidden on the device.