Triada Malware Affecting Smartphones Before Shipped


Google has detailed how Triada malware continues to infect Android devices despite efforts to resolve this issue over the last few years.

Kaspersky Lab first discovered the Triada malware back in 2016, and cybersecurity experts describe the software as a rooting trojan, meaning that it compromises the device by gaining privileged (root) access to sensitive parts of the operating system.

The software installs spam apps downloaded from a command and control server. These spam applications display advertisements on the device, and the malware's developers earn revenue when users click on the ads shown.

Aside from installing apps, Triada also injects code into four different browsers, allowing the malware to replace the ads shown on websites with advertisements that earn revenue for the malware developers. The affected browsers are the AOSP, 360 Secure, Cheetah, and Oupeng browsers.

The software also uses a mechanism called weight watching to ensure that the device has sufficient space for the spam apps that the malware will install. This mechanism scores each file or app based on the date it was installed and the certificate used to sign it.

Apps that did not come pre-installed with the device will be among the first files to be removed to make way for the spam apps that the malware will install.

However, improvements made to Google Play Protect allowed the search giant's software to detect the malware automatically. Furthermore, improvements made to the Android operating system limited the impact of the malicious software to devices running older versions of Google's OS.

Nonetheless, developers of Triada malware found a new way to infect devices, with the malicious software getting distributed even before the handsets are shipped.

The infection occurs when third-party vendors add features to the OEM's proprietary skin, and among the files that these vendors introduce into the system image is the Triada malware. The vendors return the modified system image to the handset manufacturer without disclosing that they have included malicious software in it.

Aside from the change in how the malware reaches the device, there are also changes to how Triada works. In the newer versions, Triada injects code into the Google Play application. This tactic allows the malware to install applications while making them appear to have come from the Google Play Store.

This method also lets the malware install apps without changing device settings or enabling the "Installation from Unknown Sources" option, even though the applications actually come from the command and control server operated by the malware developers.

To resolve this problem, Google had to coordinate with OEMs to roll out updates that remove files associated with the Triada malware. To prevent future instances of malware distribution, the search giant is also offering its Build Test Suite to handset makers.
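The supply-chain vector described above (a vendor returning a modified system image with extra packages) is something an OEM can catch before shipping by comparing the returned image against its own build output and its own signing certificates. The following is an added example, not code from the article or from Google's Build Test Suite; the manifest format, package names, file paths and certificate fingerprints are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class SystemApk:
    package: str        # Android package name
    path: str           # APK location on the system partition
    signer_sha256: str  # hex SHA-256 of the APK signing certificate (constructed values)


def parse_manifest(text: str) -> Dict[str, SystemApk]:
    """Parse 'package<TAB>path<TAB>signer_sha256' lines (a constructed format).

    Blank lines and '#' comments are skipped; the package name is the key.
    """
    apks: Dict[str, SystemApk] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        package, path, signer = line.split("\t")
        apks[package] = SystemApk(package, path, signer.lower())
    return apks


# Constructed: certificates the OEM itself uses to sign /system components.
OEM_SIGNERS: Set[str] = {
    "0f0f" * 16,  # constructed OEM platform certificate
    "1a1a" * 16,  # constructed OEM media certificate
}

# Constructed: the OEM's own build output before it went to the third-party vendor.
GOLDEN_MANIFEST = "\n".join([
    "# package\tpath\tsigner_sha256",
    "com.example.oem.launcher\t/system/priv-app/Launcher/Launcher.apk\t" + "0f0f" * 16,
    "com.example.oem.gallery\t/system/app/Gallery/Gallery.apk\t" + "1a1a" * 16,
])

# Constructed: the image the vendor returned after adding "extra features".
# Gallery was re-signed with an unknown key and a new package was slipped in.
RETURNED_MANIFEST = "\n".join([
    "com.example.oem.launcher\t/system/priv-app/Launcher/Launcher.apk\t" + "0f0f" * 16,
    "com.example.oem.gallery\t/system/app/Gallery/Gallery.apk\t" + "2b2b" * 16,
    "com.example.vendor.theme\t/system/app/Theme/Theme.apk\t" + "3c3c" * 16,
])

Finding = Tuple[str, str, str]  # (kind, package, detail)


def audit_system_image(
    golden: Dict[str, SystemApk],
    returned: Dict[str, SystemApk],
    trusted_signers: Set[str],
) -> List[Finding]:
    """Report packages added, re-signed, missing or signed by an unknown key."""
    findings: List[Finding] = []
    for pkg, apk in sorted(returned.items()):
        if pkg not in golden:
            findings.append(("added", pkg, apk.path))
        elif apk.signer_sha256 != golden[pkg].signer_sha256:
            findings.append(("resigned", pkg, apk.path))
        if apk.signer_sha256 not in trusted_signers:
            findings.append(("untrusted-signer", pkg, apk.signer_sha256))
    for pkg in sorted(set(golden) - set(returned)):
        findings.append(("missing", pkg, golden[pkg].path))
    return findings


def run_audit() -> List[Finding]:
    """Run the audit over the constructed manifests above."""
    return audit_system_image(
        parse_manifest(GOLDEN_MANIFEST),
        parse_manifest(RETURNED_MANIFEST),
        OEM_SIGNERS,
    )


if __name__ == "__main__":
    for kind, pkg, detail in run_audit():
        print(f"{kind:17} {pkg:28} {detail}")
```

The check is deliberately two-sided: a package that is not in the golden manifest is reported even if it carries a trusted signature, and a known package is reported if its signing certificate changed, because the article's scenario is exactly a trusted party adding or altering files rather than an outsider forging them.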

Via Google
