Malware Has Been Pre-Installed on Some Cheap Android Devices, Google Confirms


With any purchase, sometimes you get your money’s worth and sometimes you get something more. Google has recently confirmed that some cheap, low-end Android devices shipped with pre-installed malware that ran undetected for a couple of years.

In a press release, Google has, for the first time, discussed in detail the malware called Triada, which the company has confirmed was pre-installed on several low-end Android devices from brands including Cherry Mobile, Leagoo, and Doogee. The malware, first discovered and published by Kaspersky Lab in 2016, was pre-installed on the affected devices, meaning it was already present on a device before anyone bought it.

It was previously believed that the malware was added to the affected devices at some point in the supply chain. Google has now revealed that cybercriminals did manage to compromise Android smartphones and install a backdoor while the phones were moving through the supply chain.

Back in 2016, Triada was simply a rooting trojan that tried to exploit the device, and after getting elevated privileges, it performed a host of different actions. To hide these actions from analysts, Triada used a combination of dynamic code loading and additional app installs. According to the press release from Google, “Triada’s first action was to install a type of superuser (su) binary file. This (su) binary allowed other apps on the device to use root permissions.”

According to Google, Triada’s purpose is to install spam apps on a device by gaining root access. However, as Google’s security feature, Google Play Protect, improved at detecting malware, Triada evolved to adapt to the new challenges posed by Google’s updated security defenses. Triada is known for downloading additional Trojan components onto an infected device, which then steal sensitive data from banking apps and intercept chats from messengers and social media platforms; it also includes cyber-espionage modules.

“The binary accepted two passwords, od2gf04pd9 and ac32dorbdq. This is illustrated in the IDA screenshot below. Depending on which one was provided, the binary either 1) ran the command given as an argument as root or 2) concatenated all of the arguments, ran that concatenation preceded by sh, then ran them as root. Either way, the app had to know the correct password to run the command as root,” Google said.

“This Triada rooting trojan was mainly used to install apps and display ads. This trojan targeted older devices because the rooting exploits didn’t work on newer ones. Therefore, the trojan implemented a weight-watching feature to decide if old apps needed to be deleted to make space for new installs.”
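A defender triaging an extracted firmware or system image can look for the su binary Google describes above by searching ELF files for the two quoted passwords. This is an added example, not code from Google or from the original article; the function names and the sample tree are constructed for illustration, and a string match is only a heuristic for this one 2016-era binary.

```python
import os
import tempfile

# The two passwords Google quotes for the 2016 Triada su binary.
TRIADA_SU_PASSWORDS = (b"od2gf04pd9", b"ac32dorbdq")
ELF_MAGIC = b"\x7fELF"

def scan_file(path):
    """Return the quoted passwords present in an ELF file, else []."""
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError:
        return []
    if not data.startswith(ELF_MAGIC):
        return []  # scripts, text and media are skipped
    return [p.decode() for p in TRIADA_SU_PASSWORDS if p in data]

def scan_tree(root):
    """Walk an extracted system image; map relative path -> passwords found."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # do not follow links out of the image
            hits = scan_file(path)
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings

def build_sample_tree():
    """Constructed sample tree (not real firmware) for a self-check."""
    root = tempfile.mkdtemp(prefix="sysimg_")
    os.makedirs(os.path.join(root, "xbin"))
    samples = {
        "xbin/su_like": ELF_MAGIC + b"\0" * 16 + b"od2gf04pd9\0ac32dorbdq\0",
        "xbin/clean": ELF_MAGIC + b"\0" * 32,
        "notes.txt": b"text quoting od2gf04pd9",  # not ELF, so ignored
    }
    for rel, blob in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(blob)
    return root

if __name__ == "__main__":
    for rel_path, hits in scan_tree(build_sample_tree()).items():
        print(rel_path, hits)
```

A hit on both strings in one native binary is a reason to pull that file for closer analysis; the absence of a hit says nothing about later Triada variants.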

Affected devices

According to recent reports, the malware has affected over 40 devices. These devices include:

  • Leagoo M5
  • Leagoo M5 Plus
  • Leagoo M5 Edge
  • Leagoo M8
  • Leagoo M8 Pro
  • Leagoo Z5C
  • Leagoo T1 Plus
  • Leagoo Z3C
  • Leagoo Z1C
  • Leagoo M9
  • ARK Benefit M8
  • Zopo Speed 7 Plus
  • UHANS A101
  • Doogee X5 Max
  • Doogee X5 Max Pro
  • Doogee Shoot 1
  • Doogee Shoot 2
  • Tecno W2
  • Homtom HT16
  • Umi London
  • Kiano Elegance 5.1
  • iLife Fivo Lite
  • Mito A39
  • Vertex Impress InTouch 4G
  • Vertex Impress Genius
  • myPhone Hammer Energy
  • Advan S5E NXT
  • Advan S4Z
  • Advan i5E
  • STF AERIAL PLUS
  • STF JOY PRO
  • Tesla SP6.2
  • Cubot Rainbow
  • EXTREME 7
  • Haier T51
  • Cherry Mobile Flare S5
  • Cherry Mobile Flare J2S
  • Cherry Mobile Flare P1
  • NOA H6
  • Pelitt T1 PLUS
  • Prestigio Grace M5 LTE
  • BQ-5510 Strike Power Max 4G (Russia)

Reportedly, the malware has been removed from affected Leagoo and Cubot devices since March 2018. Cherry Mobile also confirmed that it removed the malware from the affected devices in 2018.

Google also said that it worked with OEMs to remove the malware from devices and rolled out the fix through OTA updates.

“By working with the OEMs and supplying them with instructions for removing the threat from devices, we reduced the spread of preinstalled Triada variants and removed infections from the devices through the OTA updates,” said Lukasz Siewierski of the Android Security & Privacy Team.

“The Triada case is a good example of how Android malware authors are becoming more adept. This case also shows that it’s harder to infect Android devices, especially if the malware author requires privilege elevation.”
