Triada Android malware infected system image before the phone is released

Following the first public report of Russian security company Kaspersky 3 years ago, today, Google security blog issued a message saying that through their supply chain, it has been confirmed that some Android device firmware updates have been infected, so that hackers can install malicious programs. Hackers infected the firmware with a malicious program called “Triada,” which was first described by Kasper on the official blog of March 2016.

The malicious program can communicate with numerous commands, control centers, and allow applications that can be used to send spam and display advertisements. In July 2017, anti-virus vendor Dr.Web discovered that Triada was built into the firmware of many Android devices, including Leagoo M5 Plus, Leagoo M8, Nomu S10, and Nomu S20. Because the malicious program belongs to the operating system itself, it cannot be easily deleted.

Lukasz Siewierski, a member of Google’s Android security and privacy team, released a detailed blog post on Thursday confirming the report of Dr. Web nearly two years ago. He wrote in the blog post that “the main purpose of Triada apps was to install spam apps on a device that displays ads. The creators of Triada collected revenue from the ads displayed by the spam apps… Triada apps started as rooting trojans, but as Google Play Protect strengthened defenses against rooting exploits, Triada apps were forced to adapt, progressing to a system image backdoor. However, thanks to OEM cooperation and our outreach efforts, OEMs prepared system images with security updates that removed the Triada infection.“