Low-cost Android models are being sold with pre-installed Triada banking Trojan
The research team of the Russia-based anti-virus firm Dr.Web reported that 42 low-cost Android smartphone models sold globally ship infected with the Android.Triada.231 banking Trojan. First discovered in 2016, Triada is a severe Android infection that modifies Zygote, the core Android process from which every app process is forked. This is how the Trojan gains full control over every app that is launched on the device:
By infecting Zygote, Trojans embed into the processes of all running applications, get their privileges and function as part of the applications. Then, they secretly download and launch malicious modules.
It is essential to stress that Triada was developed for a single purpose: financial fraud, including hijacking bank accounts and carrying out unauthorized SMS transactions. Because this Android infection is planted in the device firmware during manufacture, a factory reset only restores the same infected system image; the only way to get rid of it is to reinstall the OS from scratch.
Infected devices are sold all around the world
Dr.Web found 42 Android smartphone models infected with the Triada banking Trojan. While the bulk of the devices are sold on the Russian market, the company warns that users in Poland, Indonesia, China, the Czech Republic, Mexico, Kazakhstan, and Serbia who own one of the following Android smartphone models should check their devices for this Trojan:
Leagoo M5 Plus
Leagoo M5 Edge
Leagoo M8 Pro
Leagoo T1 Plus
ARK Benefit M8
Zopo Speed 7 Plus
Doogee X5 Max
Doogee X5 Max Pro
Doogee Shoot 1
Doogee Shoot 2
Kiano Elegance 5.1
iLife Fivo Lite
Vertex Impress InTouch 4G
Vertex Impress Genius
myPhone Hammer Energy
Advan S5E NXT
STF AERIAL PLUS
STF JOY PRO
Cherry Mobile Flare S5
Cherry Mobile Flare J2S
Cherry Mobile Flare P1
Pelitt T1 PLUS
Prestigio Grace M5 LTE
A closer look at this list shows that the smartphones shipped with the Trojan pre-installed are all lesser-known brands, most of them manufactured in China and distributed through China-based online shopping websites.
Android manufacturers are to blame for not checking their devices properly
Judging from past events (the Triada-infected Android devices of 2017 or the Android.MulDrop adware infection), the distribution of Android devices pre-loaded with adware or other malware is gathering momentum and will soon surprise no one.
A thorough analysis was conducted to find out who is to blame for the Triada-infected Android smartphones. It is clear that the device manufacturers did not directly infect the Leagoo, Doogee, Cherry, and other models themselves. However, the fact that infected devices were sold in huge numbers worldwide is the manufacturers' fault, since they failed to check their software supply chain properly.
Dr.Web's research team points to a Shanghai-based software development firm that supplies Leagoo with apps as the party most likely to be injecting Android.Triada.231 into the Android system images.
This company, which has not yet been named because the investigation is ongoing, is suspected of injecting the Trojan into the libandroid_runtime.so system library as a separate application, so nothing stands in the way of its execution.