On Thursday, as part of its effort to make Android safer, Google confirmed that the Triada malware, first detected by Kaspersky in 2015 and later by Google in 2016, had found its way back onto modern phones.
Google says it coordinated with the affected OEMs to push out software updates that removed the malware. In 2018, “Google identified all Triada variants, including new ones, and all devices infected with Triada,” the company said in March.
Affected phones included the Doogee BL7000, M Horse Pure 1, Keecoo P11, Leagoo M5 Plus, Leagoo M8, Nomu S10, and Nomu S20.
Once installed, Triada’s chief purpose was to install apps that could be used to send spam and display ads.
“The malware sends information about the infected device to a remote command-and-control server and downloads a configuration file, which contains the ID of the infected computer and configuration settings.
The main function of the Trojan is to redirect financial SMS transactions when the user is making online payments for purchasing additional content in legitimate applications. Instead of being sent to the developer of the additional content, the money is sent to the criminals.
Versions of the Trojan modify the Zygote process. This process is one of the core processes on Android devices. It contains system libraries and frameworks that are used by every application on the device, and is the basis for all other applications.
The main part of Backdoor.AndroidOS.Triada resides only in the device RAM, making the Trojan very difficult to detect. In addition, all Trojan processes that are separately launched are hidden from the user and other apps,” reads a post on Kaspersky's site dated 09/30/2016.
“The Triada case is a good example of how Android malware authors are becoming more adept,” wrote Lukasz Siewierski of Google's Android Security & Privacy team. “This case also shows that it’s harder to infect Android devices, especially if the malware author requires privilege elevation.”
Siewierski's post explains how the malware got onto the devices in the first place: “Triada infects device system images through a third party during the production process. Sometimes OEMs want to include features that aren’t part of the Android Open Source Project, such as face unlock. The OEM might partner with a third party that can develop the desired feature and send the whole system image to that vendor for development. Based on analysis, we believe that a vendor using the name Yehuo or Blazefire infected the returned system image with Triada.”
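The supply-chain route described above works because the OEM hands a whole system image to a vendor and then flashes whatever comes back. The check a practitioner would want is a mechanical answer to "what did the vendor change?": hash every file before the image leaves, hash it again on return, and flag any change outside the paths the vendor was contracted to touch. The script below is an added example written for this page, not code from Google's or Kaspersky's write-ups; the directory tree, file names and the allowed-path prefix are constructed for illustration (a real run would point at mounted system partitions).

```python
"""Diff a system-image tree against the copy that was sent to a vendor.

Added example, not from the original article. The sample tree built in
demo() is constructed: the vendor delivers the face-unlock library it
was asked for and also replaces a core runtime library it had no reason
to touch, which is exactly the kind of change that must be flagged.
"""
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each regular file's path (relative to root) to its SHA-256 digest."""
    manifest = {}
    root = Path(root)
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            h = hashlib.sha256()
            with path.open("rb") as f:
                for chunk in iter(lambda: f.read(1 << 20), b""):
                    h.update(chunk)
            manifest[path.relative_to(root).as_posix()] = h.hexdigest()
    return manifest


def diff_manifests(before, after, allowed_prefixes=()):
    """Classify changes between two manifests.

    allowed_prefixes lists the paths the vendor was contracted to deliver
    (hypothetical, e.g. a new face-unlock library). Any added, removed or
    modified path outside those prefixes is reported as unexpected.
    """
    def allowed(p):
        return any(p.startswith(prefix) for prefix in allowed_prefixes)

    added = sorted(p for p in after if p not in before)
    removed = sorted(p for p in before if p not in after)
    modified = sorted(p for p in after if p in before and after[p] != before[p])
    unexpected = sorted(p for p in added + removed + modified if not allowed(p))
    return {"added": added, "removed": removed,
            "modified": modified, "unexpected": unexpected}


def _write(root, rel, data):
    path = Path(root) / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)


def demo():
    """Constructed scenario: outgoing image vs. the image the vendor returned."""
    with tempfile.TemporaryDirectory() as out_dir, \
            tempfile.TemporaryDirectory() as back_dir:
        base = {
            "system/framework/framework.jar": b"framework v1",
            "system/lib64/libandroid_runtime.so": b"runtime v1",
            "system/app/Settings/Settings.apk": b"settings v1",
        }
        for rel, data in base.items():
            _write(out_dir, rel, data)
            _write(back_dir, rel, data)
        # Legitimate deliverable: the feature the OEM asked for.
        _write(back_dir, "system/lib64/libfaceunlock.so", b"face unlock v1")
        # Unexpected: a core library silently replaced on the way back.
        _write(back_dir, "system/lib64/libandroid_runtime.so", b"runtime v1 + extra")

        before = build_manifest(out_dir)
        after = build_manifest(back_dir)
        return diff_manifests(before, after,
                              allowed_prefixes=("system/lib64/libfaceunlock",))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The "before" manifest should be produced and stored (ideally signed) by the OEM before the image leaves its control, never regenerated from the returned image; otherwise a vendor can simply hand back a manifest that matches its own modifications.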