Security researchers at Antivirus firm Dr.Web have discovered that 42 models of low-cost Android smartphones are shipped with the Android.Triada.231 banking malware.
“In the middle of 2017, Doctor Web analysts discovered a new Trojan Android.Triada.231 in the firmware of some cheap models of Android devices. Since this detection, the list of infected devices has been constantly increasing.” reads the blog post published by Dr-Web. “At the moment, the list contains over 40 models. Doctor Web specialists have monitored the Trojan’s activity and now we can publish the results of this investigation.”
The Triada Trojan was spotted for the first time in 2016 by researchers at Kaspersky Lab that considered it the most advanced mobile threat seen to the date of the discovery.
Triada was designed with the specific intent to implement financial frauds, typically hijacking the financial SMS transactions. The most interesting characteristic of the Triada Trojan apart is its modular architecture, which gives it theoretically a wide range of abilities.
The only way to remove the threat is to wipe the smartphone and reinstall the OS.
Researchers at Dr.Web discovered the Triada Trojan pre-installed on newly shipped devices several minor brands, including Advan, Cherry Mobile, Doogee, and Leagoo.
This isn’t the first time the company discovered a pre-installed malware on Android device, back in in July 2017 Dr..Web researchers discovered the many smartphone models were shipped with the dreaded Triada trojan such as Leagoo M5 Plus, Leagoo M8, Nomu S10, and Nomu S20.
The researchers at Dr.Web who investigated the issue discovered that a software developer from Shanghai was responsible for the infection.
“For example, it was detected on the Leagoo M9 smartphone that was announced in December 2017. Additionally, our analysts’ research showed that the Trojan’s penetration into firmware happened at request of the Leagoo partner, the software developer from Shanghai.” continues the blog post.
“This company provided Leagoo with one of its applications to be included into an image of the mobile operating system, as well as with an instruction to add third-party code into the system libraries before their compilation. Unfortunately, this controversial request did not evoke any suspicions from the manufacturer. Ultimately, Android.Triada.231 got to the smartphones without any obstacles.”
The infected app found on the device was developed by a Chinese firm, the experts highlighted that the code was signed with the same certificate that was observed in 2016 infections.
“The analysis of this application showed it is signed with the same certificate as Android.MulDrop.924. Doctor Web previously wrote about this Trojan in 2016. We can presume the developer that requested adding the additional program into the mobile operating system image can be connected expressly or implicitly with the distribution of Android.Triada.231.” continues Dr.Web.
At the moment, the experts confirmed to have detected the Android.Triada.231 in the firmware of the following Android device models:
Leagoo M5 Plus
Leagoo M5 Edge
Leagoo M8 Pro
Leagoo T1 Plus
ARK Benefit M8
Zopo Speed 7 Plus
Doogee X5 Max
Doogee X5 Max Pro
Doogee Shoot 1
Doogee Shoot 2
Kiano Elegance 5.1
iLife Fivo Lite
Vertex Impress InTouch 4G
Vertex Impress Genius
myPhone Hammer Energy
Advan S5E NXT
STF AERIAL PLUS
STF JOY PRO
Cherry Mobile Flare S5
Cherry Mobile Flare J2S
Cherry Mobile Flare P1
Pelitt T1 PLUS
Prestigio Grace M5 LTE
Unfortunately, the number of infected smartphones models could be much bigger.
(Security Affairs – Android, Triada Trojan)