Triada Trojan Preinstalled on Low-Cost Android Devices

Several low-cost Android device models were recently found to feature the Triada Trojan built into their firmware, Dr. Web security researchers say.

Designed as a financial threat, Triada was said last year to be the most advanced mobile malware because it could inject itself into the Zygote parent process, thus running code in the context of all applications. Earlier this year, it adopted sandbox technology (specifically, the open source sandbox DroidPlugin) to improve its detection evasion capabilities.

According to Dr. Web, the malware was recently found embedded in libandroid_runtime.so system library, thus being able to penetrate the processes of all running apps without requiring root privilages. The modified library, the security firm reveals, was found on several mobile devices, including Leagoo M5 Plus, Leagoo M8, Nomu S10, and Nomu S20.

“[Triada] is embedded into the source code of the library. It can be assumed that insiders or unscrupulous partners, who participated in creating firmware for infected mobile devices, are to be blamed for the dissemination of the Trojan,” Dr. Web researchers reveal.

The malware was implemented in the library in a way that allows it to get control “each time when an application on the device makes a record to the system log.” The initial launch of the Trojan, the researchers say, is performed by Zygote, which is launched before other applications.

After initialization, the malware sets up parameters, creates a working directory, then checks the environment. If running in the Dalvik environment (the discontinued process virtual machine in Android), it intercepts a system method to keep track of when applications start and inject its malicious code in them immediately after they start.

The Trojan can secretly run additional malicious modules to download other Trojan components. This approach, the security researchers say, can be used to run malicious plugins to steal confidential information and bank credentials, to run cyber-espionage modules, or intercept messages from social media clients and messengers.

Another malicious module Triada can extract and decrypt from libandroid_runtime.so was designed to download additional malicious components from the Internet and to ensure they can interact with each other.

“Since [Triada] is embedded into one of the libraries of the operating system and located in the system section, it cannot be deleted using standard methods. The only safe and secure method to get rid of this Trojan is to install clean Android firmware,” the security researchers warn.

Dr. Web says it has informed the manufacturers of compromised smartphones of the issue. Affected users are advised to install all updates that might be released for their devices.

Related: Android Trojan Uses Sandbox to Evade Detection

Related: Firmware of Dozens Android Device Models Packed with Trojans

Related: Triada Trojan Most Advanced Mobile Malware Yet: Kaspersky