Another case of pre-installed malware make the headlines, malware researchers at the Russian anti-virus firm Dr.Web have spotted the Triada Trojan in the firmware of several low-cost Android smartphones, including Leagoo M5 Plus, Leagoo M8, Nomu S10, and Nomu S20.
Experts speculate that threat actors compromised the supply chain infecting a small number of smartphones of the above models.
“Virus analytics from Dr.Web detected a malicious program built into the firmware of several mobile devices running Android. The Trojan called Android.Triada.231 is embedded into one of the system libraries. It penetrates processes of all running applications and can secretly download and run additional modules.” reads the analysis published by Dr Web.
The Triada Trojan was found inside the Android OS Zygote core process, the component used to launch programs on mobile devices.
“By infecting Zygote, Trojans embed into processes of all running applications get their privileges and function as part of applications. Then, they secretly download and launch malicious modules.” continues the analysis.
The Triada trojan was first discovered in March 2016 by researchers at Kaspersky Lab that at time recognized it as the most advanced mobile threat ever seen. The range of techniques used by the threat to compromise mobile devices was not implemented in any other known mobile malware.
Triada was designed with the specific intent to implement financial frauds, typically hijacking the financial SMS transactions. The most interesting characteristic of the Triada Trojan apart is the modular architecture, which gives it theoretically a wide range of abilities.
Once the malware was initialized it sets up some parameters, creates a working directory, and checks the environment it is running. If the malware is running in the Dalvik environment, it hooks up one of the system methods to track the start of all applications and perform malicious activity immediately after they start.
“The main function of Android.Triada.231 is to secretly run additional malicious modules that can download other Trojan components. To run additional modules, Android.Triada.231 checks if there is a special subdirectory in the working directory previously created by the Trojan. The subdirectory name should include the MD5 value of the software package name of the application, into the process of which the Trojan is infiltrated.” states the analysis.
Experts at Dr Web explained that the Triada Trojan cannot be deleted using standard methods because it is hidden into one of the libraries of the operating system and located in the system section. To eradicate the threat, it is necessary to install a clean Android firmware. Dr.Web notified manufacturers of compromised smartphones.
(Security Affairs – Android , Triada Trojan)