Lots of smartphone manufacturers are tricked into installing a malware trojan known as Triada, who masquerades as a software vendor believing this will help them add features to the standard Android OS. This Triada malware is designed to put spam and ads on their device. The creators of Triada then collects revenue from the ads displayed by the spam apps. The early versions of this malware have already been detected and removed by malware analysts. Thus, Google got surprised when Triada devised a method, in a form of a code, to inject malware on Android phones virtually at the factory, before customers had even opened the box or even installed a single app.
Triada is a modular malware capable of a lot of features, such as granting additional malware super-user privileges so it can perform its actions unhindered. This malware is also known as a banking trojan where it reads bank transaction SMS messages for vital info and using them to perform financial fraud.
Smartphone manufacturers don’t have the chops necessary to build all the features they want to use which is why they depend on third party vendors to build them. Unfortunately, those third-party vendors become the vector of attack. They use this chance to trick android phone makers into installing the Triada malware without their knowledge and permission.
Even though Google has an automated system in place called the Build Test Suite, which scans system images against threats like Triada, Google recommends enterprises to perform further security review of devices in their network and monitor for any suspicious activity. Signals related to the backdoor, such as odd installs, could possibly detect the Triada malware which should be blocked in enterprise networks.
As of now, which smartphone makers were targeted and which models were infected have not been officially disclosed. However, Google revealed that several Android devices had Triada within their firmware. These devices include Leagoo M5 Plus, Leagoo M8, Nomu S10, and Nomu S20.
Still, as Google tightens its malware protection against hackers in one area, attackers are sure to adapt by exploiting new weaknesses.