More than two years after its discovery, Google has finally acknowledged that a number of budget Android smartphone models were compromised by cybercriminals before they ever reached customers, with backdoor malware pre-installed in the firmware. The pre-installed variant was identified in 2017, and the malware, dubbed Triada, is believed to have been added to the devices at some stage in the supply chain.
Triada is known for downloading additional Trojan components onto an already infected device; these can steal sensitive data, such as credentials from banking apps, and intercept messages from messaging and social media apps. It is believed that more advanced cyber-espionage modules could also have been installed.
The malware family itself is older: Kaspersky Lab researchers first identified Triada back in 2016, when it was considered one of the most advanced mobile Trojans seen to date.
"The methods Triada used were complex and unusual for these types of apps. Triada apps started as rooting Trojans, but as Google Play Protect strengthened defences against rooting exploits, Triada apps were forced to adapt, progressing to a system image backdoor." - Lukasz Siewierski, Android Security & Privacy Team, Google
Initially, Triada was found residing in the smartphone's RAM (random access memory), and it used root privileges to substitute infected versions for system files. Over its life the malware evolved more sophisticated methods of attack, eventually no longer needing root privileges at all.
According to the researchers, the malware changed strategy in 2017 and moved to a supply chain attack. This change allowed it to be pre-installed on low-cost, budget Android smartphones, mainly those from the Chinese manufacturers Nomu and Leagoo.
This change in strategy is what removed the need for a rooting exploit: the backdoor code was inserted into a logging function of the Android framework itself, which every app on the device shares. Whenever any app tried to log something, the backdoor code ran in the context of that app, without Triada having to escalate privileges first.
Triada's earlier rooting variants focused on Android version 4.4.2 and older, since newer versions blocked the process through which the malware obtained root access. Google has made various attempts to minimise the impact of the Trojan, including its automated Build Test Suite (BTS), which scans OEM system images for this kind of pre-installed tampering, as well as other strategies.
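To make the two points above concrete, here is an added toy model in Python (not Triada's code, and not Google's BTS): the first part shows why a backdoor placed in the shared framework logger executes on behalf of every app that logs, and the second part shows the kind of manifest-based integrity check a BTS-style image scan performs. All file paths, file contents and the backdoor body are constructed for illustration; no real indicator of compromise is used.

```python
"""Toy model (added example) of a Triada-style framework-log backdoor and of a
manifest-based system-image integrity check. Nothing here is Triada's code;
file paths, contents and the backdoor body are constructed for illustration."""
import hashlib
from typing import Callable, Dict, List

# --- Part 1: why a backdoor in the framework logger reaches every app --------

executed_in: List[str] = []  # records which app's log call triggered the payload


def clean_log(tag: str, msg: str) -> str:
    """Stand-in for a normal framework logger: format the line and return it."""
    return f"{tag}: {msg}"


def _payload(caller_tag: str) -> None:
    """Placeholder for the malicious stage (download further modules, inject
    into banking/messaging apps). Here it only records that it ran, and in
    whose process."""
    executed_in.append(caller_tag)


def backdoored_log(tag: str, msg: str) -> str:
    """Constructed stand-in for a supply-chain-modified logger: the visible
    behaviour is identical to clean_log, but attacker code runs first, in the
    calling app's process and with that app's permissions."""
    _payload(tag)
    return f"{tag}: {msg}"


def run_apps(log: Callable[[str, str], str]) -> List[str]:
    """Simulate three unrelated apps each writing one log line through the
    shared framework logger."""
    return [
        log("BankingApp", "login ok"),
        log("ChatApp", "message sent"),
        log("Launcher", "started"),
    ]


# --- Part 2: catching the tampering at the image level ----------------------

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(image: Dict[str, bytes]) -> Dict[str, str]:
    """Hash every file of a known-good system image; this is the reference a
    BTS-style scan (or an OEM's own release check) compares builds against."""
    return {path: sha256(data) for path, data in image.items()}


def verify_image(image: Dict[str, bytes], manifest: Dict[str, str]) -> List[str]:
    """Return findings for files that are modified, missing or unexpected
    relative to the manifest; an empty list means the image matches."""
    findings = []
    for path, expected in manifest.items():
        if path not in image:
            findings.append(f"missing: {path}")
        elif sha256(image[path]) != expected:
            findings.append(f"modified: {path}")
    for path in image:
        if path not in manifest:
            findings.append(f"unexpected: {path}")
    return sorted(findings)


# Constructed images: the byte strings stand in for real framework jars.
CLEAN_IMAGE: Dict[str, bytes] = {
    "system/framework/framework.jar": b"Log.i(tag, msg) { return write(tag, msg); }",
    "system/framework/services.jar": b"SystemServer { ... }",
}
GOLDEN_MANIFEST = build_manifest(CLEAN_IMAGE)

TAMPERED_IMAGE: Dict[str, bytes] = dict(CLEAN_IMAGE)
# The only change to the logger is one inserted call...
TAMPERED_IMAGE["system/framework/framework.jar"] = (
    b"Log.i(tag, msg) { Backdoor.run(); return write(tag, msg); }"
)
# ...plus a dropper added as a privileged app (hypothetical path).
TAMPERED_IMAGE["system/priv-app/Updater/Updater.apk"] = b"<dropper>"


if __name__ == "__main__":
    run_apps(backdoored_log)
    print("payload ran in the processes of:", executed_in)
    print("clean image findings:", verify_image(CLEAN_IMAGE, GOLDEN_MANIFEST))
    print("tampered image findings:", verify_image(TAMPERED_IMAGE, GOLDEN_MANIFEST))
```

The log lines returned by the clean and backdoored loggers are identical, which is the point: nothing an app or user sees changes, while the payload has already run once per logging app. The hash comparison catches the modified framework file and the extra privileged app, but only against a reference produced before the tampering; in a supply-chain compromise the hard part is obtaining a golden manifest that was not itself generated from the already-modified build.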
In a statement, Google said it had worked closely with OEMs (original equipment manufacturers) and had supplied them with the instructions needed to remove Triada from affected devices. While acknowledging the sophistication of the malware, Google also asserted that, thanks to these measures, Android devices were now much harder to infect, 'especially if the malware author requires privilege elevation.'