Triada Banking Trojan came Preinstalled as Backdoor in Budget Android Smartphones- Google Confirms.

It would probably be the first time ever in Google’s history that the company has revealed details of the tenacity and success of malware dubbed as Triada. Triada malware was discovered in 2017 and came pre-installed on Android devices. It was believed back then that the malware was added to the devices at any stage of the supply chain process.

Now, Google has revealed that cybercriminals indeed managed to compromise Android smartphones and installed a backdoor while the supply chain process of the phones was underway. Triada is known for downloading additional Trojan components on an infected device which then steals sensitive data from banking apps, intercepts chats from messengers and social media platforms and there are also cyber-espionage modules on the device.

It is worth noting that Google remained silent at this issue until now but this week the firm’s Android Security and Privacy team member Lukasz Siewierski posted an in-depth analysis of the Triada banking Trojan on Google’s security blog. In the blog post, Siewierski confirmed that the malware did exist in new Android devices.

In 2016, Kaspersky Lab researchers identified what was probably the most advanced of all mobile banking Trojans at the time. The Trojan was dubbed Triada; it was discovered in the RAM (random access memory) of the smartphones and used root privileges for substituting system files with infected ones. The malware kept evolving until 2017 when Dr. Web researchers identified that it didn’t need to root the smartphone for gaining elevated privileges and was equipped with more advanced attacking methods.

Some of the devices identified by Dr. Web in 2018 were:

Leagoo M5

Leagoo M5 Plus

Leagoo M5 Edge

Leagoo M8

Leagoo M8 Pro

Leagoo Z5C

Leagoo T1 Plus

Leagoo Z3C

Leagoo Z1C

Leagoo M9

ARK Benefit M8

Zopo Speed 7 Plus

UHANS A101

Doogee X5 Max

Doogee X5 Max Pro

Doogee Shoot 1

Doogee Shoot 2

Tecno W2

Homtom HT16

Umi London

Kiano Elegance 5.1

iLife Fivo Lite

Mito A39

Vertex Impress InTouch 4G

Vertex Impress Genius

myPhone Hammer Energy

Advan S5E NXT

Advan S4Z

Advan i5E

STF AERIAL PLUS

STF JOY PRO

Tesla SP6.2

Cubot Rainbow

EXTREME 7

Haier T51

Cherry Mobile Flare S5

Cherry Mobile Flare J2S

Cherry Mobile Flare P1

NOA H6

Pelitt T1 PLUS

Prestigio Grace M5 LTE

BQ 5510

The malware exploited the Android framework log function call to attack, which basically means that it installed backdoor in the infected devices so that whenever an app tried to log something the backdoor code got executed. The code would get executed in almost every app since it came factory-fitted in new smartphones. Later on, Google did add new security features to prevent threats like Triada.

However, malware developers changed their strategy and performed a supply chain attack in the summer of 2017 to get it preinstalled on low-key, budget Android smartphones mainly from Chinese manufacturers Nomu and Leagoo. Researchers couldn’t determine how the supply chain attack occurred but this attack ensured that the malware was able to access legitimate apps and download malicious codes to perform click fraud or infect SMS messages with new scams.

Siewierski explained the working of the backdoor in the blog post that read:

“The methods Triada used were complex and unusual for these types of apps. Triada apps started as rooting Trojans, but as Google Play Protect strengthened defenses against rooting exploits, Triada apps were forced to adapt, progressing to a system image backdoor.”

The malware primarily targeted Android version 4.4.2 and older since the new versions blocked that process through which the malware obtained root access and the code injected was blocked by Google even when the malware was installed as a backdoor. Siewierski explained how Google tried to thwart the threat at all occasions using the advanced automated system called “Build Test Suite” and other strategies. In the blog post, Siewierski wrote:

“By working with the OEMs and supplying them with instructions for removing the threat from devices, we reduced the spread of preinstalled Triada variants and removed infections from the devices through the OTA updates. The Triada case is a good example of how Android malware authors are becoming more adept. This case also shows that it’s harder to infect Android devices, especially if the malware author requires privilege elevation.”

Did you enjoy reading this article? Like our page on Facebook and follow us on Twitter.