A banking trojan was found to come pre-installed on some old budget Android smartphones, including some from Cherry Mobile, Leagoo, and Doogee.
The malware goes by the name Triada and was first discovered in 2016. According to Google, its purpose is to install spam apps on a device by gaining root access, but as Google Play Protect strengthened defenses against rooting exploits, Triada apps were forced to adapt.
According to a report by HackRead, the developers of the Triada malware changed their strategy in 2017: they evolved Triada into a system image backdoor and were able to install it on devices during the supply chain process. Researchers still couldn’t determine how the supply chain attack occurred, but the malware is already capable of stealing data from banking apps and intercepting messages from the user’s social media accounts.
According to Dr.Web’s post in March 2018, Triada has infected over 40 Android devices:
Leagoo M5
Leagoo M5 Plus
Leagoo M5 Edge
Leagoo M8
Leagoo M8 Pro
Leagoo Z5C
Leagoo T1 Plus
Leagoo Z3C
Leagoo Z1C
Leagoo M9
ARK Benefit M8
Zopo Speed 7 Plus
UHANS A101
Doogee X5 Max
Doogee X5 Max Pro
Doogee Shoot 1
Doogee Shoot 2
Tecno W2
Homtom HT16
Umi London
Kiano Elegance 5.1
iLife Fivo Lite
Mito A39
Vertex Impress InTouch 4G
Vertex Impress Genius
myPhone Hammer Energy
Advan S5E NXT
Advan S4Z
Advan i5E
STF AERIAL PLUS
STF JOY PRO
Tesla SP6.2
Cubot Rainbow
EXTREME 7
Haier T51
Cherry Mobile Flare S5
Cherry Mobile Flare J2S
Cherry Mobile Flare P1
NOA H6
Pelitt T1 PLUS
Prestigio Grace M5 LTE
BQ-5510 Strike Power Max 4G (Russia)
Dr.Web says that Leagoo and Cubot have already removed the malware from their devices as of March 2018. We have also reached out to Cherry Mobile and they confirmed that they removed the malware from the affected devices in 2018.
Google also said that they worked with OEMs to remove the malware from devices and rolled out the fix through OTA updates.
“By working with the OEMs and supplying them with instructions for removing the threat from devices, we reduced the spread of preinstalled Triada variants and removed infections from the devices through the OTA updates,” said Lukasz Siewierski of the Android Security & Privacy Team.
“The Triada case is a good example of how Android malware authors are becoming more adept. This case also shows that it’s harder to infect Android devices, especially if the malware author requires privilege elevation.”
Sources: Google, HackRead, Dr.Web
YugaTech.com is the largest and longest-running technology site in the Philippines. Originally established in October 2002, the site was transformed into a full-fledged technology platform in 2005.
Fortis931 says:
Google should consider banning the offending OEMs from their Android Device Certification program. No excuses.