Pre-installed Trojan in Cheap Android Devices Steals Data, Intercepts Chats

Android is one of the most vulnerable mobile operating systems due to its open-source nature. But what can a user do if their device is delivered with malware already pre-installed? Well, let’s talk about that.

IT security researchers at Dr. Web, a Russian cyber security firm, have discovered that a number of Android devices, including the Leagoo M8, Leagoo M5 Plus, Nomu S20 and Nomu S10, have a malicious program built into their firmware.


Dubbed Triada by the researchers, the Trojan is embedded in the system process of the Zygote component, which launches every app on the device. By infecting Zygote, the Trojan can download and execute additional modules on targeted devices, all without the user’s knowledge.

The researchers further noticed that Triada is embedded in the libandroid_runtime.so system library, which is used by every Android app. This means millions of devices could be infected. However, it is unclear how the Trojan made its way into these devices; Dr. Web believes it was an inside job. According to their blog post:

“Android.Triada.231 is embedded into the source code of the library. It can be assumed that insiders or unscrupulous partners, who participated in creating firmware for infected mobile devices, are to be blamed for the dissemination of the Trojan. Android.Triada.231 is embedded into libandroid_runtime.so in a way that it gets control each time an application on the device writes a record to the system log. As Zygote is launched before other applications, the initial launch of the Trojan is performed by Zygote.”

Furthermore, Triada can download additional Trojan components onto an infected device. These components steal sensitive data from banking apps, intercept chats from messengers and social media platforms, and include cyber-espionage modules.
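Because the Trojan described above lives inside a system library that every app process loads, a scanner running on the handset itself executes inside code the Trojan has already hooked, so a firmware check is better done off the device: pull the library directory from the handset and compare every file against a SHA-256 manifest built from a trusted clean firmware image. The script below is an added example written for this article, not Dr. Web’s or any vendor’s tool. It assumes the clean firmware extract and the device pull (for instance from `adb pull /system/lib`) are both available as local directories; the sample files in `demo()` are constructed, and only the library name libandroid_runtime.so comes from the article.

```shell
#!/bin/sh
# Added example (not from the article or Dr. Web): compare Android system
# libraries pulled from a device against a SHA-256 manifest built from a
# trusted clean firmware image. Directory layouts and file contents used in
# demo() are constructed; only the library name libandroid_runtime.so comes
# from the article.

# Hash one file with whichever SHA-256 tool is available.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# build_manifest <clean_dir> <manifest>
# Write "<sha256>  <relative path>" for every regular file under the library
# directory extracted from the trusted factory image.
build_manifest() {
    clean_dir=$1; manifest=$2
    : > "$manifest"
    (cd "$clean_dir" && find . -type f | sort) | while IFS= read -r rel; do
        printf '%s  %s\n' "$(hash_file "$clean_dir/$rel")" "$rel" >> "$manifest"
    done
}

# verify_libs <manifest> <device_dir>
# Compare files pulled from the device (e.g. with `adb pull /system/lib`)
# against the manifest. Prints MODIFIED, MISSING and UNEXPECTED entries and
# returns 1 if anything deviates from the clean image, 0 otherwise.
verify_libs() {
    manifest=$1; device_dir=$2; status=0
    while read -r expected rel; do
        if [ ! -f "$device_dir/$rel" ]; then
            printf '%-10s %s\n' MISSING "$rel"; status=1
        elif [ "$(hash_file "$device_dir/$rel")" != "$expected" ]; then
            printf '%-10s %s\n' MODIFIED "$rel"; status=1
        fi
    done < "$manifest"
    # Files on the device that the clean image never had: a dropped-in
    # module shows up here rather than as a modified library.
    extra=$( (cd "$device_dir" && find . -type f | sort) | while IFS= read -r rel; do
        if ! cut -d' ' -f3- "$manifest" | grep -qxF -- "$rel"; then
            printf '%-10s %s\n' UNEXPECTED "$rel"
        fi
    done )
    if [ -n "$extra" ]; then
        printf '%s\n' "$extra"; status=1
    fi
    return $status
}

# demo: build a constructed "clean" image and a constructed "device" pull in
# which libandroid_runtime.so differs and one extra module is present, then
# run the check. Returns verify_libs' status (1 here, because of the changes).
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/clean" "$work/device"
    printf 'clean runtime library (constructed)\n' > "$work/clean/libandroid_runtime.so"
    printf 'clean binder library (constructed)\n'  > "$work/clean/libbinder.so"
    cp "$work/clean/libbinder.so" "$work/device/"
    printf 'modified runtime library (constructed)\n' > "$work/device/libandroid_runtime.so"
    printf 'additional module (constructed)\n' > "$work/device/libextra.so"
    build_manifest "$work/clean" "$work/manifest.txt"
    rc=0
    verify_libs "$work/manifest.txt" "$work/device" || rc=$?
    rm -rf "$work"
    return $rc
}

# Usage: sh verify_libs.sh demo
if [ "${1:-}" = "demo" ]; then
    demo
fi
```

A match only proves the device carries the same bytes as the reference image. In the case the article describes, the vendor’s own firmware build was the thing that had been tampered with, so the manifest has to come from an image you have independent reason to trust (for example one verified against the vendor’s published release signatures) rather than from whatever shipped on the handset.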

It must be noted that Triada is not a new Trojan. In March 2016, malware analysts at the Russian cyber security giant Kaspersky Lab wrote a blog post about Triada and labeled it “Truly scary malware for Android.”

“Triada’s functionality allows it to modify those messages, so the money is sent not to some app developer, but to the malware operators. Triada steals the money either from the users — if they haven’t succeeded in purchasing whatever they wanted, or from the app developers, in case the user has completed the purchase successfully.”

Since the Trojan comes pre-installed in the firmware, it is impossible to get rid of it with traditional anti-virus or anti-malware programs. However, the researchers have informed the manufacturers about the issue, so if you are using any of the devices listed above, do not skip any update the manufacturer issues. In simple words, keep your device updated.

Waqas

Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering the latest happenings in the cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.