Google researchers have confirmed that a group of cybercriminals managed to install the Triada malware on Android smartphones before the devices left the factories of some Chinese manufacturers.
Triada is a backdoor malware discovered by Kaspersky in 2016 and defined as “one of the most advanced mobile Trojans” that the analysts of the security firm had found. Once installed, the main purpose of Triada was to install applications that could be used to send spam and display ads.
It employed an impressive set of tools, including rooting attacks that bypassed the security protections built into Android and the means to modify the system’s all-powerful Zygote process. That meant the malware could directly alter every installed application. Triada was also connected to no fewer than 17 command and control servers.
In July 2017, security firm Dr. Web reported that its researchers had found Triada incorporated into the firmware of several Android devices, including the Leagoo M5 Plus, Leagoo M8, Nomu S10 and Nomu S20. The attackers used the backdoor to download and install hidden modules. Because the backdoor was built into one of the operating system libraries and located in the system partition, it could not be removed using standard methods, according to the report.
Two years later, Google has confirmed the information, but without naming models or manufacturers. The malware was installed through a supply-chain attack on the final firmware image used on the affected devices.
Last year, Google implemented a program that requires manufacturers to submit new or updated build images for a set of build tests. “One of these security tests analyzes the pre-installed PHAs [potentially harmful applications] included in the system image.”
“If we find a PHA in the build, we work with the OEM partner to remediate and remove it from the build before it can be offered to users.” Even so, the report recognizes that, as Google reinforces security in one area, attackers will surely adapt by exploiting new weaknesses, as has happened with the Triada variants.
“Triada was included by a vendor from China in the system image as third-party code for additional functions requested by the device manufacturers, infecting the entire process,” they explain. If hardening Android is mandatory once the device is in the user’s hands, it is even more so before it leaves the factory, where there should be exhaustive control that, in this case, was missing.