Connect with us

Hi, what are you looking for?


Malware & Threats

Triada Trojan Preinstalled on Low-Cost Android Devices

Several low-cost Android device models were recently found to feature the Triada Trojan built into their firmware, Dr. Web security researchers say.

Several low-cost Android device models were recently found to feature the Triada Trojan built into their firmware, Dr. Web security researchers say.

Designed as a financial threat, Triada was said last year to be the most advanced mobile malware because it could inject itself into the Zygote parent process, thus running code in the context of all applications. Earlier this year, it adopted sandbox technology (specifically, the open source sandbox DroidPlugin) to improve its detection evasion capabilities.

According to Dr. Web, the malware was recently found embedded in system library, thus being able to penetrate the processes of all running apps without requiring root privilages. The modified library, the security firm reveals, was found on several mobile devices, including Leagoo M5 Plus, Leagoo M8, Nomu S10, and Nomu S20.

“[Triada] is embedded into the source code of the library. It can be assumed that insiders or unscrupulous partners, who participated in creating firmware for infected mobile devices, are to be blamed for the dissemination of the Trojan,” Dr. Web researchers reveal.

The malware was implemented in the library in a way that allows it to get control “each time when an application on the device makes a record to the system log.” The initial launch of the Trojan, the researchers say, is performed by Zygote, which is launched before other applications.

After initialization, the malware sets up parameters, creates a working directory, then checks the environment. If running in the Dalvik environment (the discontinued process virtual machine in Android), it intercepts a system method to keep track of when applications start and inject its malicious code in them immediately after they start.

The Trojan can secretly run additional malicious modules to download other Trojan components. This approach, the security researchers say, can be used to run malicious plugins to steal confidential information and bank credentials, to run cyber-espionage modules, or intercept messages from social media clients and messengers.

Advertisement. Scroll to continue reading.

Another malicious module Triada can extract and decrypt from was designed to download additional malicious components from the Internet and to ensure they can interact with each other.

“Since [Triada] is embedded into one of the libraries of the operating system and located in the system section, it cannot be deleted using standard methods. The only safe and secure method to get rid of this Trojan is to install clean Android firmware,” the security researchers warn.

Dr. Web says it has informed the manufacturers of compromised smartphones of the issue. Affected users are advised to install all updates that might be released for their devices.

Related: Android Trojan Uses Sandbox to Evade Detection

Related: Firmware of Dozens Android Device Models Packed with Trojans

Related: Triada Trojan Most Advanced Mobile Malware Yet: Kaspersky

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Mobile & Wireless

Critical security flaws expose Samsung’s Exynos modems to “Internet-to-baseband remote code execution” attacks with no user interaction. Project Zero says an attacker only needs...