Two years later, on Thursday, Google admitted that criminals in 2017 did indeed manage to get an advanced backdoor preinstalled on Android devices before they left the manufacturers' factories.
In 2017, the security firm Dr. Web reported a severe security problem in Android OS: an advanced Trojan, Triada, built into the firmware of several Android devices, which served as a backdoor to download and install further modules without the user's permission. Dr. Web's researchers found Triada embedded in one of the OS libraries in the system partition. Because it was part of the system partition rather than an installed app, it could not be detected or removed by standard methods.
Google has now confirmed that the backdoor was indeed preinstalled before the devices left the factory, Ars Technica reports. Google's researchers confirmed the Dr. Web report and wrote, “Triada infects device system images through a third party during the production process. Sometimes OEMs want to include features that aren’t part of the Android Open Source Project, such as face unlock. The OEM might partner with a third party that can develop the desired feature and send the whole system image to that vendor for development. Based on analysis, we believe that a vendor using the name Yehuo or Blazefire infected the returned system image with Triada.”
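One control that catches the scenario Google describes, an OEM handing a complete system image to a vendor and getting a modified one back, is to hash every file in the image before it goes out and diff the returned tree against that manifest. The Python below is an added example written for this page, not code from Google, Dr. Web or any OEM; the directory layout, file names and file contents are constructed placeholders standing in for a real image.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_tree(root):
    """Return {relative POSIX path: SHA-256 hex digest} for every file under root.

    Symlinks are recorded as their link target instead of being followed, so a
    modification cannot be hidden behind a link that points at a clean file.
    """
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root).as_posix()
        if path.is_symlink():
            manifest[rel] = "symlink:" + os.readlink(path)
        elif path.is_file():
            h = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 20), b""):
                    h.update(chunk)
            manifest[rel] = h.hexdigest()
    return manifest


def diff_images(sent_manifest, returned_manifest):
    """Compare the manifest taken before the image left the OEM with the one
    taken when it came back. Every entry in the three lists is a question for
    the vendor; the returned image should not be signed until each is answered."""
    modified = sorted(p for p, d in sent_manifest.items()
                      if p in returned_manifest and returned_manifest[p] != d)
    added = sorted(p for p in returned_manifest if p not in sent_manifest)
    missing = sorted(p for p in sent_manifest if p not in returned_manifest)
    return {"modified": modified, "added": added, "missing": missing}


def demo():
    """Constructed scenario: the image that went to the vendor and the one that came back.
    File names and contents are placeholders, not real Android library contents."""
    with tempfile.TemporaryDirectory() as tmp:
        sent = Path(tmp, "sent")
        returned = Path(tmp, "returned")
        for image in (sent, returned):
            lib = image / "system" / "lib64"
            lib.mkdir(parents=True)
            (lib / "libexample_runtime.so").write_bytes(b"\x7fELF clean runtime library")
            (lib / "libexample_c.so").write_bytes(b"\x7fELF clean libc")
            (image / "system" / "build.prop").write_text("ro.build.version.release=8.1.0\n")
        # The vendor's feature work should only touch files the OEM expects. Here the
        # returned copy has one core library altered and an unexpected library added.
        lib = returned / "system" / "lib64"
        (lib / "libexample_runtime.so").write_bytes(b"\x7fELF clean runtime library + injected loader")
        (lib / "libexample_extra.so").write_bytes(b"\x7fELF unexpected module")
        return diff_images(hash_tree(sent), hash_tree(returned))


if __name__ == "__main__":
    print(demo())
```

The manifest of the outgoing image has to be stored somewhere the vendor cannot reach, and the comparison has to happen before the OEM signs the returned image: verified boot protects a partition against changes made after signing, not against an OEM signing a tree that was already modified.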
Triada first came to light in 2016, when Kaspersky's experts described it as “one of the most advanced mobile Trojans”. Once downloaded and installed, it first collected the device's system information: the phone's model, the OS version, the amount of free SD card space, the list of installed applications and more. It then sent all of that information to its Command & Control (C&C) server.
Triada's primary purpose was to install apps that could be used to send spam and display ads. But because it was modular, it could be turned into almost anything on a single command from the C&C server, Kaspersky noted in its 2016 blog post.
Triada loaded its modules into memory and then deleted them from device storage, which made it much harder to catch. There were two further reasons it was hard to detect. First, it could modify Android's core Zygote process, the template from which every app process is forked, so Triada's code ended up inside practically every app. Second, it could substitute system functions to hide its modules from the lists of running processes and installed apps, so the system showed no unfamiliar processes.
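Hiding modules by substituting the functions that enumerate processes and apps is a classic rootkit technique, and the classic counter is a cross-view diff: take the listing from the higher-level API the malware may have hooked and compare it against a lower-level view it did not touch, here the kernel's own /proc entries. The Python below is an added example for this page, not code from Kaspersky or Dr. Web, and it does not claim to show which functions Triada actually hooked (the page does not say); the ps-style listing stands in for the filtered API view, and both it and the /proc/<pid>/status contents are constructed samples in which one process appears in /proc but not in the listing.

```python
from pathlib import Path

# Constructed sample of a process listing as a hooked enumeration API might return it.
PS_OUTPUT = """\
USER           PID  PPID     VSZ    RSS WCHAN            ADDR S NAME
root             1     0   10324   2616 0                   0 S init
root           342     1   85456  12344 0                   0 S zygote64
system         910   342 1234560  98765 0                   0 S system_server
u0_a37        1422   342  987654  54321 0                   0 S com.example.app
"""

# Constructed sample of /proc/<pid>/status contents, the lower-level view.
# PID 1488 is present here but absent from PS_OUTPUT above.
PROC_STATUS = {
    1: "Name:\tinit\nState:\tS (sleeping)\nPid:\t1\nPPid:\t0\n",
    342: "Name:\tzygote64\nState:\tS (sleeping)\nPid:\t342\nPPid:\t1\n",
    910: "Name:\tsystem_server\nState:\tS (sleeping)\nPid:\t910\nPPid:\t342\n",
    1422: "Name:\tcom.example.app\nState:\tS (sleeping)\nPid:\t1422\nPPid:\t342\n",
    1488: "Name:\tcom.example.app\nState:\tS (sleeping)\nPid:\t1488\nPPid:\t1422\n",
}


def parse_ps(text):
    """Parse a ps listing into {pid: name}, keyed on the header so column order
    does not matter. NAME is the last column and may contain spaces."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split()
    pid_col, name_col = header.index("PID"), header.index("NAME")
    rows = {}
    for line in lines[1:]:
        fields = line.split(None, len(header) - 1)
        rows[int(fields[pid_col])] = fields[name_col]
    return rows


def parse_status(text):
    """Parse the 'Key:\\tvalue' lines of /proc/<pid>/status into a dict."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            info[key.strip()] = value.strip()
    return info


def collect_proc_view(proc_root="/proc"):
    """Read /proc/<pid>/status for every numeric entry. On a Linux or Android
    host this is the real lower-level view; in the demo PROC_STATUS stands in."""
    view = {}
    for entry in Path(proc_root).iterdir():
        if entry.name.isdigit():
            try:
                view[int(entry.name)] = (entry / "status").read_text()
            except OSError:
                pass  # the process exited between listing and read
    return view


def hidden_processes(ps_text, proc_view):
    """Cross-view diff: PIDs present in /proc but missing from the listing.
    Returns sorted (pid, name, ppid) tuples for the investigator to chase."""
    visible = parse_ps(ps_text)
    hidden = []
    for pid, status_text in proc_view.items():
        if pid not in visible:
            st = parse_status(status_text)
            hidden.append((pid, st.get("Name", "?"), int(st.get("PPid", -1))))
    return sorted(hidden)


if __name__ == "__main__":
    for pid, name, ppid in hidden_processes(PS_OUTPUT, PROC_STATUS):
        print(f"hidden: pid={pid} name={name} ppid={ppid}")
```

The diff is only as good as the independence of the two views. A hook in a userland system library, the layer the page places Triada in, does not reach the kernel's /proc, which is why the second view is worth taking; against a kernel-level rootkit the second view has to come from outside the running system, for instance a memory image or the device booted into a known-good recovery.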