Triada malware got into the firmware of Android devices via a supplier

The Triada malware that was pre-installed on dozens of Chinese Android smartphones in 2017 came via a supplier. Google determined this after an investigation. These are models that were not sold in the Benelux.

Google says that Yehuo or Blazefire put the malware in the firmware of the devices. It is unknown which functions those suppliers built for Android. According to Google, the manufacturer supplies the firmware to the supplier, and the supplier delivers the firmware back with the requested function built in. However, one of those companies also built in the Triada malware. Because it was built into the firmware, users could not remove it.

Kaspersky discovered Triada in 2016 and DrWeb found out in 2017 that it was in the firmware of Android devices. This involved forty different models, but none of them are well known in the Benelux. The best-known brand is Doogee, whose X5 phones and Shoot models are on the list.

The malware pulled the rogue apps it wanted to install from a command-and-control server, with file names similar to those of unpopular apps from the Play Store. A trick allowed it to install apps without asking the user to allow installing apps from unknown sources.

The advanced malware aimed to send spam and display advertisements, presumably to earn money for the developers. With the report, Google confirms DrWeb's previous findings from last year and 2017. Google has tightened the security of Play Protect to prevent such infections in the future. In addition, the search giant has teamed up with the smartphone maker to get the malware off the phones.
