Triada Banking Trojan Came Preinstalled as a Backdoor in Budget Android Smartphones, Google Confirms.
It is probably the first time in Google’s history that the company has revealed details of the tenacity and success of a piece of malware, in this case the one dubbed Triada. Triada malware was discovered in 2017 and came pre-installed on Android devices. It was believed back then that the malware had been added to the devices at some stage of the supply chain process.
Now, Google has revealed that cybercriminals did indeed manage to compromise Android smartphones and install a backdoor while the phones were still moving through the supply chain. Triada is known for downloading additional Trojan components onto an infected device; these steal sensitive data from banking apps, intercept chats from messengers and social media platforms, and also include cyber-espionage modules.
It is worth noting that Google had remained silent on this issue until now, but this week Lukasz Siewierski, a member of the firm’s Android Security and Privacy team, posted an in-depth analysis of the Triada banking Trojan on Google’s security blog. In the blog post, Siewierski confirmed that the malware did exist in new Android devices.
In 2016, Kaspersky Lab researchers identified what was probably the most advanced of all mobile banking Trojans at the time. The Trojan was dubbed Triada; it was discovered in the RAM (random access memory) of the smartphones and used root privileges to substitute system files with infected ones. The malware kept evolving until 2017, when Dr. Web researchers found that it no longer needed to root the smartphone to gain elevated privileges and was equipped with more advanced attack methods.
Some of the devices identified by Dr. Web in 2018 were:
Leagoo M5 Plus
Leagoo M5 Edge
Leagoo M8 Pro
Leagoo T1 Plus
ARK Benefit M8
Zopo Speed 7 Plus
Doogee X5 Max
Doogee X5 Max Pro
Doogee Shoot 1
Doogee Shoot 2
Kiano Elegance 5.1
iLife Fivo Lite
Vertex Impress InTouch 4G
Vertex Impress Genius
myPhone Hammer Energy
Advan S5E NXT
STF AERIAL PLUS
STF JOY PRO
Cherry Mobile Flare S5
Cherry Mobile Flare J2S
Cherry Mobile Flare P1
Pelitt T1 PLUS
Prestigio Grace M5 LTE
The malware hooked a logging function call in the Android framework, which in practice meant that a backdoor was planted in the infected devices so that whenever an app tried to log something, the backdoor code was executed. Because the malware came factory-fitted in new smartphones, that code ran inside almost every app. Later on, Google did add new security features to prevent threats like Triada.
However, the malware developers changed their strategy and carried out a supply chain attack in the summer of 2017 to get the malware preinstalled on low-end, budget Android smartphones, mainly from the Chinese manufacturers Nomu and Leagoo. Researchers could not determine how the supply chain attack occurred, but it ensured that the malware was able to access legitimate apps and download malicious code to perform click fraud or deliver new scams via SMS messages.
Siewierski explained how the backdoor worked in the blog post, which read:
“The methods Triada used were complex and unusual for these types of apps. Triada apps started as rooting Trojans, but as Google Play Protect strengthened defenses against rooting exploits, Triada apps were forced to adapt, progressing to a system image backdoor.”
The malware primarily targeted Android version 4.4.2 and older, since newer versions blocked the process through which the malware obtained root access; Google also blocked the injected code even when the malware was installed as a backdoor. Siewierski explained how Google tried to thwart the threat at every stage, using an advanced automated system called the “Build Test Suite” along with other measures. In the blog post, Siewierski wrote:
“By working with the OEMs and supplying them with instructions for removing the threat from devices, we reduced the spread of preinstalled Triada variants and removed infections from the devices through the OTA updates. The Triada case is a good example of how Android malware authors are becoming more adept. This case also shows that it’s harder to infect Android devices, especially if the malware author requires privilege elevation.”