Summary
Triada Trojan has been found in the firmware of various low-cost Android devices, which could be used to steal sensitive data and run cyber espionage modules.
Analysis
- First seen in March 2016 and labelled the most advanced mobile Trojan of its time, specifically engineered as an Android banking Trojan.
- Android system images were infected during the production process, at the point where a device manufacturer wants to include features that are not part of the Android Open Source Project itself.
- The added feature eventually became an adaptable threat that harvested credentials and browser history and downloaded and installed new apps in an adware-like scheme.
- Root privileges were used to operate from random access memory (RAM), with malicious system files replacing those of the OEM (Original Equipment Manufacturer).
- Compromised phones had backdoor access installed. The backdoor code is invoked whenever any app makes a log attempt.
- Vendors such as Yehuo or Blazefire infected the returned system image with Triada, malware designed to install spam apps that display ads on Android devices by tampering with the pre-installed software. The creators of Triada collected revenue from the ads displayed by the spam apps.
- The Android Trojan Triada is also spread by other Trojans such as Leech, Ztorg and Gopro, which are capable of leveraging access privileges. Many are classified as Potentially Harmful Apps, that is, apps that may adversely impact a device's security or a user's privacy, for example by displaying intrusive ads. However, because they can obtain root access, they have the capability to download and install other applications, and Triada is becoming a favorite.
- Researchers believe that the supply chain compromise could also be found in brand new Android smartphones.
Conclusion and Recommendation
- Verify whether your phone is among the 42 budget smartphone models listed online.
- Close the backdoor through over-the-air (OTA) updates supplied by phone OEMs, together with instructions for removing the threat from devices; this will reduce the spread of pre-installed Triada variants and remove infections from the devices.
- Enterprises should restrict access to their networks from users with out-of-date operating systems, and deploy some form of mobile management or anti-Trojan solution to help keep users' devices malware free.
- Users should only obtain apps from the Google Play Store, or the enterprise's own app store if one exists, as Triada is mainly spread by apps installed from unknown sources or third-party stores. Sadly, if a device is infected with the Triada Android Trojan, the only reliable way to remove it is to completely wipe and reimage the phone.
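The following script is an added example, not part of the original advisory, showing how an enterprise could turn the last two recommendations into an automated device posture check. It parses constructed text in the shape of `adb shell getprop` and `adb shell pm list packages -i` output (the `package:<name>  installer=<id>` format is an assumption about that command's output), flags a security patch level older than a chosen cut-off date, and lists packages that were neither installed by an approved store nor present in a known-good baseline of pre-installed packages. All device, package and store names below are constructed samples.

```python
"""Device posture check for the Triada recommendations (added example).

Assumptions: `getprop` prints lines as `[key]: [value]`, and
`pm list packages -i` prints `package:<name>  installer=<id>` with
`installer=null` for packages that had no installer recorded (typically
pre-installed/system apps). Replace the sample text with real adb output.
"""
from datetime import date
import re

# Installer package ids that an enterprise accepts (constructed; the second
# one stands in for a hypothetical in-house app store).
APPROVED_INSTALLERS = {"com.android.vending", "com.example.enterprise.store"}

# Constructed sample of `getprop` output for a budget handset.
SAMPLE_GETPROP = """[ro.product.model]: [BudgetPhone X1]
[ro.build.version.release]: [8.1.0]
[ro.build.version.security_patch]: [2018-06-05]
"""

# Constructed sample of `pm list packages -i` output.
SAMPLE_PM = """package:com.android.vending  installer=null
package:com.example.bank  installer=com.android.vending
package:com.free.games.adloader  installer=null
package:com.example.mdm  installer=com.example.enterprise.store
"""

# Packages expected to be pre-installed on a clean image (constructed baseline).
SAMPLE_BASELINE = {"com.android.vending"}


def parse_getprop(text):
    """Return a dict of system properties from `getprop`-style text."""
    props = {}
    for m in re.finditer(r"^\[([^\]]+)\]: \[(.*)\]$", text, re.M):
        props[m.group(1)] = m.group(2)
    return props


def parse_installers(text):
    """Map package name -> installer id (None when the device recorded none)."""
    installers = {}
    for m in re.finditer(r"^package:(\S+)\s+installer=(\S+)$", text, re.M):
        installer = m.group(2)
        installers[m.group(1)] = None if installer == "null" else installer
    return installers


def patch_is_stale(props, cutoff):
    """True if the security patch level is missing or older than `cutoff`."""
    level = props.get("ro.build.version.security_patch")
    if not level:
        return True
    year, month, day = (int(part) for part in level.split("-"))
    return date(year, month, day) < cutoff


def unapproved_packages(installers, baseline, approved=APPROVED_INSTALLERS):
    """Packages not installed by an approved store and not in the clean baseline.

    A package with no recorded installer that is also absent from the
    baseline is the interesting case for pre-installed malware like Triada.
    """
    flagged = []
    for pkg, installer in installers.items():
        if installer in approved:
            continue
        if pkg in baseline:
            continue
        flagged.append(pkg)
    return sorted(flagged)


def assess_device(getprop_text, pm_text, cutoff, baseline):
    """Combine both checks into one report for a network-access decision."""
    props = parse_getprop(getprop_text)
    installers = parse_installers(pm_text)
    return {
        "model": props.get("ro.product.model"),
        "stale_patch": patch_is_stale(props, cutoff),
        "unapproved_packages": unapproved_packages(installers, baseline),
    }


if __name__ == "__main__":
    report = assess_device(SAMPLE_GETPROP, SAMPLE_PM, date(2019, 1, 1), SAMPLE_BASELINE)
    for key, value in report.items():
        print(f"{key}: {value}")
```

A device that reports `stale_patch` as true or any `unapproved_packages` would be held off the enterprise network until it is updated or, per the advisory, wiped and reimaged. The baseline is the important input: because Triada ships inside the system image, comparing pre-installed packages against a known-clean image of the same model is what separates it from legitimate vendor software.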