Triada Malware Affecting Smartphones Before Shipped

Last updated:

Google has detailed how Triada malware continues to infect Android devices despite efforts to resolve this issue over the last few years.

Kaspersky Lab first discovered the Triada malware back in 2016, and cybersecurity experts describe the software as a rooting trojan, which means that the software exploits the device by gaining access to sensitive portions of the operating system.

This software installs spam apps downloaded from a command and control server.  These spam applications display advertisements on the device and the developers of the malware gain revenue when users click on the show ads.

Aside from installing apps, Triada malware also inserts codes to four different browsers, allowing the malware to replace the ads shown on websites with advertisements that gain revenue for the malware developers. Among the affected browsers include AOSP, 360 Secure, Cheetah, and Oupeng browsers.

The software also takes advantage of a mechanism called weight watching to ensure that the device has sufficient space for the spam apps that the malware will install. This mechanism rates a file or an app depending on the date of the app installation and the certificate used to sign the software.

Apps that did not come pre-installed with the device will be among the first files to be removed to make way for the spam apps that the malware will install.

However, improvements made to the Google Play Protect allowed the search giant’s software to detect the malware automatically. Furthermore, improvements made to the Android operating system limited the impact of the malicious software to devices running older versions of Google’s OS.

Nonetheless, developers of Triada malware found a new way to infect devices, with the malicious software getting distributed even before the handsets are shipped.

triada malwareThe infection occurs as third-party vendors add additional features to the proprietary skin of OEMs, and among the files that these vendors introduce to the system image is the Triada malware. These vendors return the modified system image to the handset manufacturer, although these third-party firms fail to disclose that it had included malicious software into the system image.

Aside from changes in how the malware infects the device, there are also changes made to how the Triada malware works. With the newer versions of the software, Triada now injects code to the Google Play application. This tactic allows the malware to install applications and make them look like the apps came from the Google Play Store.

This method also permits the malware to install apps without the need to change device settings and activate the “Installation from Unknown Sources” option. However, in reality, these applications came from the command and control server operated by the malware developers.

To resolve this problem, Google had to coordinate with OEMs to roll out updates that remove files associated with the Triada malware. To prevent future instances of malware distribution, the search giant is also offering its Build Test Suite to handset makers.

My Cart Close (×)

Your cart is empty
Browse Shop

Rapid Mobile

Rapid Mobile uses cookies, tokens, and other third party scripts to recognise visitors of our sites and services, remember your settings and privacy choices, and - depending on your settings and privacy choices - enable us and some key partners to collect information about you so that we can improve our services and deliver relevant ads.


By continuing to use our site or clicking I Accept, you agree that Rapid Mobile and our key partners may collect data and use cookies for personalised ads and other purposes, as described more fully in our privacy policy.


You can change your settings at any time by clicking Manage Settings or by visiting our Privacy Centre for more detailed information.


Privacy Settings saved!
Cookie Services

We need your consent so that we and our trusted partners can store and access cookies, unique identifiers, personal data and information about your browsing behaviour on your device. This enables us to serve relevant content and advertising to you, and to improve the service that we provide to our readers. This only applies to we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer.

These cookies allow us to count visits and traffic sources, so we can measure and improve the performance of our site.

We track anonymized user information to improve our website.
  • _ga
  • _gid
  • _gat

Save my preferences