Android remains the most popular mobile operating system in the world, and a number of low-budget devices sold to consumers across the globe are now known to have shipped with firmware that already contained the Triada Trojan.
The openness of the Android ecosystem means any manufacturer can build and ship its own version of the OS, and buyers of these cheaper models have little recourse when the companies behind them do not take security seriously.
IT security researchers at Dr. Web, a Russian cyber security firm, have found malware inside the firmware of several low-cost Android smartphones, including the Leagoo M5 Plus, Leagoo M8, Nomu S10 and Nomu S20. Only a small portion of the models in circulation came with a version of the Triada malware hidden in the code loaded by Android's Zygote core process as part of their out-of-the-box firmware, which is disconcerting: it points to a supply chain compromise rather than an infection picked up after purchase.
Zygote is the system process from which every app process on the device is forked. By infecting it, the trojan is already present in every application the moment it starts, and from there it downloads and executes additional modules on the targeted devices, all without the knowledge of the user.
Although the Android ecosystem is prone to malware of all types, malicious software is usually installed after a device has shipped; here it was present before the first boot. It is unclear exactly how this happened, but an investigation is underway. The researchers further noted that Triada is embedded in the libandroid_runtime.so system library, which Zygote loads and which is therefore mapped into every Android app process. With budget handsets sharing such firmware, this means millions of devices could be infected.
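Because the implant lives in a system library rather than in an installed app, the practical check is to compare the shipped copy of that library against the one in the manufacturer's official firmware image. The script below is an added example, not Dr. Web's tooling or anything from the affected vendors: it hashes the manifest paths under a directory (for instance one populated with `adb pull /system/lib/libandroid_runtime.so`, or a mounted system image) and reports each as ok, modified or missing. The hash values in `EXPECTED_SHA256` are placeholders to be replaced with hashes taken from the OEM's official image for the same build, and `demo()` runs the check on constructed sample files, not on real firmware.

```python
"""Integrity check for shipped Android system libraries against a known-good
hash manifest (added example; not Dr. Web's tooling, no real firmware data)."""

import hashlib
import tempfile
from pathlib import Path

# Libraries Zygote loads into every app process; a modified copy of any of them
# compromises every app forked from Zygote. These values are PLACEHOLDERS, not
# real Android build hashes: replace them with sha256 values taken from the
# OEM's official firmware image for the same build and device.
EXPECTED_SHA256 = {
    "system/lib/libandroid_runtime.so": "<sha256 from official firmware image>",
    "system/lib64/libandroid_runtime.so": "<sha256 from official firmware image>",
}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large system images are not read whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_manifest(actual: dict, expected: dict) -> dict:
    """Compare observed hashes with the manifest.
    Returns {relative_path: 'ok' | 'modified' | 'missing'}."""
    report = {}
    for rel, want in expected.items():
        got = actual.get(rel)
        if got is None:
            report[rel] = "missing"
        elif got.lower() == want.lower():
            report[rel] = "ok"
        else:
            report[rel] = "modified"
    return report


def hash_tree(root: Path, expected: dict) -> dict:
    """Hash every manifest path that exists under root."""
    actual = {}
    for rel in expected:
        p = root / rel
        if p.is_file():
            actual[rel] = sha256_file(p)
    return actual


def check_tree(root, expected=EXPECTED_SHA256) -> dict:
    """Full check: hash the pulled files, then compare with the manifest."""
    return verify_manifest(hash_tree(Path(root), expected), expected)


def demo() -> dict:
    """Constructed scenario (not real firmware): a pristine 32-bit library, a
    64-bit copy with extra bytes appended as a tampered build might contain,
    and one manifest entry that is absent from the pulled tree."""
    clean = b"\x7fELF fake libandroid_runtime contents (constructed)"
    expected = {
        "system/lib/libandroid_runtime.so": hashlib.sha256(clean).hexdigest(),
        "system/lib64/libandroid_runtime.so": hashlib.sha256(clean).hexdigest(),
        "system/lib/libc.so": hashlib.sha256(b"constructed libc").hexdigest(),
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "system/lib").mkdir(parents=True)
        (root / "system/lib64").mkdir(parents=True)
        (root / "system/lib/libandroid_runtime.so").write_bytes(clean)
        (root / "system/lib64/libandroid_runtime.so").write_bytes(
            clean + b"<constructed injected stub>")
        # system/lib/libc.so is deliberately not written -> reported 'missing'
        return check_tree(root, expected)


if __name__ == "__main__":
    for path, status in demo().items():
        print(f"{status:9s} {path}")
```

A hash comparison only tells you the file differs from the reference; it says nothing about what was changed. A mismatch on a library that every app loads is still the signal to stop using the device and escalate, because a verified stock image is the only clean baseline the check can trust.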
The Triada trojan was first discovered in March 2016 and was initially designed as an Android banking trojan. Over time, Triada gained more features and became an all-around threat capable of stealing all sorts of credentials and browser history, and of downloading and installing new apps in adware-like schemes.