Pre-Installed Triada Trojan Found in Cheap Android Devices

Hands Holding Digital Tablet Trojan

Pre-installed Triada Trojans have been found in several low-budget Android devices, effectively compromising users’ data security.

The cyber security firm Kaspersky first identified the Trojan back in March 2016.

Experts described it as truly dangerous malware for Android.

Originally, it was a banking Trojan used by unscrupulous cyber attackers to steal information, including login credentials, from the devices it infected.

The malware could also create backdoor access for criminal elements to use for insidious purposes.

Currently, malware operators are using Triada as an android Trojan in mobile devices.

It’s pre-installed in cheap Android devices such as Leagoo M8, Leagoo M5 Plus, Nomu S20, and Nomu S10.

How the Triada Firmware Works

Upon installation, the Triada Trojan firmware begins by trying to collect information about the device, such as the OS version, the applications installed and the device model.

Then, it sends this information to the command and control (C&C) servers run by the creators of the malware.

The C&C replies by sending a configuration file containing list modules for installation on the device, as well as the device’s personal identification number and the time interval before contacting the server.

After installation, the modules move to the short-term memory where data is deleted after a short period of time, making it hard for anyone to detect this malware.

In compromised Android devices, the Triada Trojan comes pre-installed, i.e. embedded in the zygote components’ system.

More specifically, it lies within the source code library (libandroid_runtime.so system library).

The zygote is responsible for launching all applications in the device.

That means the Trojan becomes part of all the apps launched on the device after it modifies the zygote process.

This process makes the detection of this Trojan difficult. Once initialized, it creates a directory, sets up parameters and then checks the environment.

In the Dalvik environment, which is the discontinued process virtual machine in Android, the malware intercepts a system method.

Then, it tracks the start of applications before injecting its malicious code immediately after the applications start.

Triada also works by substituting the system functions, hiding its modules from the list of installed apps and other running processes.

This clever concealment means the system will not raise an alarm because it will not detect any unfamiliar processes that are running.

It can also download other Trojan components that can steal data and intercept messages on social media platforms, in addition to enabling cyber espionage.

Stealing Money Using the Triada Trojan

stealing money online

Operators can steal money from purchased apps.

Malware operators can use Triada to steal money from purchased apps.

The program has the ability to do this because it modifies the system’s functions to access outgoing short text messages and filter incoming messages.

In this way, it can modify the messages used by applications that rely on SMS for in-app purchases.

These applications typically use SMS to transfer transaction data and by modifying the message, the money can go to the malware operators instead of the intended app developers.

Triada can steal money from the user before their purchase even goes through, as well as from the developer if the purchase is yet to go through.

Protecting Your Mobile Device

To protect your device from this malware, you can use the Kaspersky antivirus solution (i.e., the Kaspersky Internet Security for Android).

It detects all three versions of Triada modules.

It is also advisable that you update your device anytime there is a new version released from the manufacturer.

Updated operating systems have lower levels of vulnerabilities as compared to older versions of the OS.

How is Android Implicated by Triada

Many people have criticized Android as one of the most vulnerable Operating Systems because of its open source system.

The Triada Trojan validates this criticism to a certain extent.

It is very disturbing to know that the Triada Trojan comes pre-installed in cheap Android smartphones.

This kind of situation points to a compromised supply chain. It may also point to the culpability of the manufacturer.

It is now evident that even the most stringent regulations are necessary when it comes to manufacturing mobile devices—to prevent compromising the safety and security of those who buy such devices.

The manufacturer should ensure that users’ data is secure.

At the same time, users of devices that operate on an Android OS should also be vigilant.

They should take additional steps to protect their data, such as installing an antivirus and regularly updating their devices.

Leave a Reply