Nasty malware duo pre-installed on thousands of cheap Android phones

The pre-installed Triada and xhelper malware have so far carried out a total of 19.2 million suspicious transactions from over 200,000 used or newly purchased phones.


Few things are more disconcerting than cyber threats and undetected suspicious activity on your personal devices. Worse still is malware that comes pre-installed, and on mobile phones marketed specifically to lower socio-economic groups in emerging markets.

According to findings from Secure-D, Upstream’s security platform, low-cost Android smartphones made by Chinese manufacturer Transsion come riddled with pre-installed malware that signs unwitting users up for subscription services without their knowledge or permission.

Upon full investigation, Secure-D blocked a huge number of transactions that traced back to Transsion’s Tecno W2 handsets. This particular variant targeted emerging markets, particularly Ethiopia, Egypt, South Africa, and Ghana.

Besides this, the security researchers intercepted fraudulent mobile transactions and activity in 14 other locations. But this is just a blip on the radar: in total, 19.2 million transactions were recorded from over 200,000 unique devices, both used and newly purchased phones.


Further analysis led the security researchers to identify the pre-installed malware as Triada, which is well known from its previous campaigns. This is unnerving because it exploits the most vulnerable segment: average mobile users looking for value for money and basic functionality.

Triada essentially acts as a software backdoor. It can also deploy malicious code after receiving commands from a remote command-and-control server. In this case, the servers the devices contacted were ones used by the Triada threat actors.

The analysis of the captured web-related traffic revealed that the device was accessing several malicious domains that are considered Command & Control servers used by Triada malware authors. None of the internet hosts communicating with the malware was linked to the manufacturer.


Besides this, the malware is known for its resilience and is practically invisible to the user, as it hides inside system components. Removing it is therefore taxing, and well beyond what an average and most likely non-technical user can handle.

In-depth analysis by the researchers revealed that Triada also downloaded a second piece of malware called xhelper. Unbeknownst to the user, the latter deploys components that carry out click or subscription fraud campaigns. In this case, xhelper was discovered on 53,000 Transsion Tecno W2 smartphones.

When tested on a South African network, xhelper sent queries to find new targets and automatically made fraudulent subscription requests on the user’s behalf. All this happens without the user’s permission or approval. Even once identified, the xhelper trojan is extremely difficult to deal with: it persists through reboots, factory resets, and attempts to uninstall applications.

The Triada-xhelper duo stores its malicious components in a directory that cannot be deleted, which makes it persistent. The Secure-D researchers also identified that one such application was in fact downloaded and not pre-installed. Secure-D states in its blog post:

On one device, Secure-D researchers uninstalled com.comona.bac, com.mufc.umbtts, and com.mufc.firedoor while the phone was kept offline. Approximately 5 minutes later and with no Internet connection, all 3 applications had been automatically re-installed.
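
The offline re-install check described above can be repeated on a handset by comparing two package listings taken with `adb shell pm list packages -f`. The following is an added example, not code from Secure-D or from the original article; the two snapshots and every APK path in them are constructed for illustration, and only the three package names come from the quote above.

```python
# Added example. Snapshots below are CONSTRUCTED; APK paths are illustrative only.
WATCHLIST = {"com.comona.bac", "com.mufc.umbtts", "com.mufc.firedoor"}  # named in the quote
SYSTEM_PREFIXES = ("/system/", "/system_ext/", "/vendor/", "/product/")

AFTER_UNINSTALL = """\
package:/system/app/Launcher/Launcher.apk=com.example.launcher
"""
FIVE_MINUTES_LATER = """\
package:/system/app/Launcher/Launcher.apk=com.example.launcher
package:/data/app/com.comona.bac-1/base.apk=com.comona.bac
package:/data/app/~~Ab3d==/com.mufc.umbtts-Zz9==/base.apk=com.mufc.umbtts
package:/system/priv-app/Firedoor/Firedoor.apk=com.mufc.firedoor
"""

def parse_pm_list(text):
    """Parse `pm list packages -f` output into {package_name: apk_path}."""
    pkgs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        # APK paths on newer Android releases contain '=', so split on the last one.
        path, _, name = line[len("package:"):].rpartition("=")
        if path and name:
            pkgs[name] = path
    return pkgs

def origin(path):
    """Read-only partitions survive a factory reset; /data does not."""
    return "system-partition" if path.startswith(SYSTEM_PREFIXES) else "user-installed"

def flag_watched(snapshot):
    """Map each watched package present in the snapshot to where its APK lives."""
    return {n: origin(p) for n, p in parse_pm_list(snapshot).items() if n in WATCHLIST}

def reinstalled(after_uninstall, later):
    """Watched packages absent right after removal but present again later."""
    gone = set(parse_pm_list(after_uninstall))
    return sorted(n for n in flag_watched(later) if n not in gone)

if __name__ == "__main__":
    for name in reinstalled(AFTER_UNINSTALL, FIVE_MINUTES_LATER):
        print("reappeared:", name, "->", flag_watched(FIVE_MINUTES_LATER)[name])
```

A watched package that reappears while the phone is offline points to a dropper already resident on the device, and one whose APK sits on a system partition will come back after a factory reset.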


Last year, too, xhelper infected a staggering 45,000 Android phones. The attackers exploited Android’s native ability to install third-party applications from APK packages rather than from the Google Play Store.

This process is commonly known as sideloading, and it leaves a huge loophole for threat actors to exploit. Once the malware was installed, users were flooded with pop-ups and notifications urging them to download other files and applications as well.

Previously, too, Google revealed that threat actors had compromised Android phones by deploying Triada in a manner similar to this case. The malware is notorious for downloading additional malicious components that steal sensitive data from banking applications, intercept chats and direct messages from messengers or social media platforms, and carry out cyber espionage.

