Google confirms new Triada adware variant came preinstalled on some Android phones

• Hackers in 2017 had cleverly loaded adware into Android devices by tampering the pre-installed software.
• The process of installing the adware was done during the manufacturing process of Android phones.

An analysis by Google Security has revealed that hackers in 2017 had cleverly loaded adware into Android devices by tampering the pre-installed software. A variant of Triada adware family, the malware was inserted through apps and programs built by third-party vendors.

What’s the purpose?

The main purpose of this novel hacking technique was to load the phones with spam and unwanted advertisements before it even reached to the customers. The process of installing the adware was done during the manufacturing process of Android phones.

When phone manufacturers wanted to include features not approved by the Android Open Source Project - like a face unlock the program, they may hire it from unauthorized third-party companies. It is here that the hackers masqueraded as software vendors and provided the required software with preinstalled Triada adware variant.

Google has not revealed the product models that are affected by the adware, but it appears that the hackers involved in this campaign frequently used the Chinese language. They went by the vendor name ‘Yehuo’ or Blazefire’.

Also, research from the security vendor Dr.Web had disclosed that the Leagoo M5 Plus, Leagoo M8, Nomu S10, and Nomu S20 had been affected by the Triada variant.

What’s new about the Triada variant?

Triada adware was first discovered in March 2016. However, Google has observed a new variant of the adware was being used to infect the smartphones. The malware authors of Triada have evolved the malware to a pre-installed Android framework backdoor.

“The changes to Triada included an additional call in the Android framework log function, demonstrated below with a highlighted configuration string,” explained the researchers from Google Security.

The main aspect of this new backdoor version is to execute code in another app’s context.

“The backdoor attempts to execute additional code every time the app needs to log something. Triada developers created a new file format, which we called MMD, based on the file header,” researchers added.

The malware authors targeted two apps to perform the code injection: the System UI app and the Google Play app.

What actions have been taken?

Google has coordinated with the affected OEMs to provide system updates and remove traces of Triada variant. In addition, it is also scanning for Triada and similar threats on all Android devices. It has requested OEMs to ensure that all third-party code is reviewed and can be tracked to its source.