Triada banking Trojan found in 42 models of Android smartphones

Low-cost Android models are being sold with pre-installed Triada banking Trojan

Low-price Androids found infected with Triada banking Trojan

The research team of the Russia-based anti-virus firm Dr.Web[1] reported that 42 low-cost Android smartphone models sold globally are infected with the Android.Triada.231 banking Trojan. First found in 2016, the Triada Trojan[2] is a severe Android infection that modifies Zygote, the core process of Android from which every app process is forked. This way, the Trojan gets full control over every app launched on the device:

By infecting Zygote, Trojans embed into the processes of all running applications, get their privileges, and function as part of those applications. Then, they secretly download and launch malicious modules.

It is essential to stress that the Triada Trojan has been developed with a sole purpose: to carry out financial fraud, including bank account hacks and SMS transactions. Since this infection is planted in the device firmware during manufacture, the only way to get rid of it is to reinstall the OS from scratch.

Infected devices are sold all around the world

Dr.Web found 42 Android smartphone models infected with the Triada banking Trojan. While the bulk of the devices are sold on the Russian market, the company warns that users in Poland, Indonesia, China, the Czech Republic, Mexico, Kazakhstan, and Serbia who own one of the following Android smartphone models should check their devices for the Trojan:

Leagoo M5
Leagoo M5 Plus
Leagoo M5 Edge
Leagoo M8
Leagoo M8 Pro
Leagoo Z5C
Leagoo T1 Plus
Leagoo Z3C
Leagoo Z1C
Leagoo M9
ARK Benefit M8
Zopo Speed 7 Plus
UHANS A101
Doogee X5 Max
Doogee X5 Max Pro
Doogee Shoot 1
Doogee Shoot 2
Tecno W2
Homtom HT16
Umi London
Kiano Elegance 5.1
iLife Fivo Lite
Mito A39
Vertex Impress InTouch 4G
Vertex Impress Genius
myPhone Hammer Energy
Advan S5E NXT
Advan S4Z
Advan i5E
STF AERIAL PLUS
STF JOY PRO
Tesla SP6.2
Cubot Rainbow
EXTREME 7
Haier T51
Cherry Mobile Flare S5
Cherry Mobile Flare J2S
Cherry Mobile Flare P1
NOA H6
Pelitt T1 PLUS
Prestigio Grace M5 LTE
BQ 5510

A closer look at the list shows that the smartphones shipped with the Trojan pre-installed are lesser-known brands[3], most of which are manufactured in China and distributed through Chinese online shopping websites.

Android manufacturers are to blame for not checking their devices properly

Judging from past events (Triada-infected Androids in 2017[4] and the Android.MulDrop adware infection), the distribution of Android devices pre-infected with adware or other malware is gathering momentum and will soon surprise no one.

A thorough analysis has been conducted to find out who is to blame for the Triada-infected Android smartphones. It is clear that the device manufacturers did not directly infect the Leagoo, Doogee, Cherry, and other models themselves. However, the fact that infected devices were sold in huge numbers worldwide is the manufacturers' fault, since they failed to vet their software supply chain properly.

The Dr.Web research team points to a Shanghai-based software development firm that supplies Leagoo with apps as the party most likely to be injecting Android.Triada.231 into the Android systems.

This company, which has not been named because the investigation is ongoing, is suspected of injecting the Trojan into the libandroid_runtime.so system library as a separate application; thus, there are no obstacles to its execution.
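Because the Trojan lives inside a system library loaded by Zygote rather than in a removable app, the practical check is to compare the device's /system tree against a trusted stock image of the same build. The following is an added example, not code from Dr.Web or 2-spyware; it assumes you have already pulled the device's /system (e.g. with adb or from a firmware dump) and have a clean vendor image to compare against, and the sample files it builds are constructed.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List

# Libraries loaded into Zygote: a modification here is inherited by every app the device launches.
ZYGOTE_CRITICAL = {"libandroid_runtime.so"}


def hash_tree(root: Path) -> Dict[str, str]:
    """Map every file below root (path relative to root) to its SHA-256 hex digest."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digests[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare_firmware(baseline: Dict[str, str], observed: Dict[str, str]) -> Dict[str, List[str]]:
    """Diff a pulled system tree against a stock image: modified, added and missing files.

    Modified Zygote-critical libraries are listed separately because they cannot be
    cleaned by uninstalling an app; the OS has to be reflashed from a trusted image.
    """
    modified = sorted(p for p in baseline if p in observed and observed[p] != baseline[p])
    return {
        "modified": modified,
        "added": sorted(set(observed) - set(baseline)),
        "missing": sorted(set(baseline) - set(observed)),
        "zygote_critical": [p for p in modified if os.path.basename(p) in ZYGOTE_CRITICAL],
    }


def demo() -> Dict[str, List[str]]:
    """Constructed sample: a stock image and a pulled copy whose libandroid_runtime.so differs."""
    with tempfile.TemporaryDirectory() as tmp:
        stock = Path(tmp, "stock", "system", "lib")
        pulled = Path(tmp, "device", "system", "lib")
        for lib_dir in (stock, pulled):
            lib_dir.mkdir(parents=True)
            (lib_dir / "libandroid_runtime.so").write_bytes(b"\x7fELF stock runtime")  # constructed
            (lib_dir / "libc.so").write_bytes(b"\x7fELF stock libc")  # constructed
        # Simulate a tampered runtime library and an unexpected extra library on the device.
        (pulled / "libandroid_runtime.so").write_bytes(b"\x7fELF runtime with injected code")
        (pulled / "libextra.so").write_bytes(b"\x7fELF unexpected")
        return compare_firmware(hash_tree(stock.parent.parent), hash_tree(pulled.parent.parent))


if __name__ == "__main__":
    print(demo())
```

Hashing a partition image pulled offline is preferable to running the comparison on the live device, since code already inside Zygote can misreport what the apps on that device see.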

About the author
Alice Woods

Alice Woods is the News Editor at 2-spyware. She has been sharing her knowledge and research data with 2spyware readers since 2014.
