Today, Google posted what amounts to a case study of some very persistent and clever hackers who kept trying to get malware on Android phones. It’s about the “Triada family” of apps designed to put spam and ads on a device. After a brief history of how it started in 2016 and an overview of how early versions worked, Google got to the surprising turn in the story: Triada devised a method to get malware on Android phones virtually at the factory, before customers had even opened the box or even installed a single app.

The trick is that a whole lot of smartphone manufacturers don’t have the chops necessary to build all the features they want to use in-house, so they depend on third party vendors to build them. Those third party vendors become the vector of attack.

That same vector, by the way, could also be used in over-the-air updates, Google notes. It worked with the relevant manufacturers to eliminate Triada from their devices. The company also argues that method was only necessary in the first place because it had done such a good job of scanning for and eradicating earlier forms of the malware.

If you’re reading this, it’s highly unlikely that any phone you’ve purchased has been affected. Although Google didn’t name the specific devices that were infected with Triada, Ars Technica points out that the original 2017 Dr. Web report about this methodology did: “Leagoo M5 Plus, Leagoo M8, Nomu S10, and Nomu S20.”

Beyond this clever — and potentially troubling — way to get malware onto a phone, Triada is also technically sophisticated. Ars does a good job explaining why from a high level, but if you want to dig in you can read Google’s lengthy original post.

Given the way that Android ROMs work, it’s a near-impossibility for even big companies to build ROMs that don’t include some kind of third-party code. Google says that it offers OEMs a “Build Test Suite” which can scan for malware like Triada to help mitigate such risks.

Google believes it’s essential that Android phones continue to have Google Play Services installed, as part what what those services do is scan for malware. That argument is sure to come up in the ongoing arguments with the EU over antitrust violations.