Dangerous Malware Came Pre-Installed on Android Phones, and No One Did Anything for Years

When you purchase a new smartphone, it always comes with plenty of apps pre-installed. These are meant to make your experience easy and fun from the get-go. Depending on the phone and the operating system running on it, you should find call, messenger, browser, camera, and other essential apps, along with some popular social networking apps (e.g., Facebook or Twitter), and, of course, the app store. If you are not a first-time phone user, you should already be familiar with most of these apps. However, you might find a few obscure ones too. You should never ignore those because they could turn out to be malicious.

Pre-installed malware apps do not affect all smartphones

It is a scary thought that pre-installed malware apps on Android phones are a thing to begin with. Does that mean that the manufacturers or the distributors of smartphones are deliberately exposing Android users to malware apps? That is not necessarily the case. The thing is that tons of new apps are developed every single day. At the beginning of 2018, more than 6,000 new apps were added to the Google Play Store daily, and it is very likely that this number has grown since. Of course, not all of these apps gain attention, and many are deleted before anyone gets the chance to download them, because cyber criminals exploit platforms such as the Google Play Store to push malware apps through. For example, not too long ago, Google deleted 46 malware apps that were proven to commit ad fraud, and 200 additional malware apps were deleted that same month because they were infected with adware.

Overall, malware apps are quite prevalent. That, of course, does not mean that they are everywhere. If you purchase a reputable device from a trusted vendor, and if you take all security precautions, you might live your entire life without facing a malware app. Of course, you have to start with a reputable device. We are not talking about Samsungs, OnePluses, Xiaomis, or Google Pixels here. It is the more obscure and less popular devices that we need to think about. Triada – a Trojan we need to take a closer look at – has been found as a pre-installed malware app on Android devices you might not have heard of at all. You can find a full list here, and some of the compromised devices include Leagoo, Doogee, Vertex Impress, Haier, and Cherry Mobile Flare. If you own any of the devices in that list, you might need to rethink your entire approach to security.

What is Triada and how did it add itself to your smartphone?

Triada is not a single application. In fact, it is a family of malware apps that has been around since at least 2016. According to Google researchers, who analyzed this malware and shared their findings in a blog post, Triada apps act as spam apps that flood the device with random ads. That means that if this clandestine Trojan was pre-installed on your smartphone, you are likely to face numerous flashy ads that, at times, might even prevent you from using your phone normally. According to the researchers, in 2017 the infection moved from rooting the device to relying on pre-installed apps that could open backdoors.

If Triada was successful at opening a backdoor, it could execute malware code. It could also check the running apps to see which one was in the foreground. If, for example, a browser app was active, the Trojan could feed ads from the background. It could also download apps from the C&C server and make it look as if they were being downloaded from the Google Play app. It is all fascinating, but it does not explain how exactly this malware app came to be pre-installed on so many devices. According to the researchers at Google, a third-party actor injected the infection at some point during the production process. It is believed that a party that goes by the names Yehuo and Blazefire is to blame. The crazy thing is that we are learning about this NOW, at least two years after Triada was first injected onto Android devices as a pre-installed malware app. The good news is that Google is working with the manufacturers to solve the issue, and many of the previously affected devices should have the Trojan removed by now.

What now?

Regular smartphone users cannot do much to solve the Triada problem, and they certainly cannot influence the processes and procedures introduced by manufacturers. Basically, the ball is in their court, and it is they who need to ensure that devices do not come with malware apps pre-installed. On the other hand, it is the responsibility of consumers to consume responsibly. Whenever you are about to purchase a new gadget, install a new app, or subscribe to a new service, you need to do your homework. Research is always important, and, without a doubt, you want to go with trusted product and service providers. The more reputable they are, the more their reputation matters to them, and to uphold it, companies need to invest in security. That means that you are likely to get a more secure smartphone if you purchase it from a reputable manufacturer and vendor.

If you have purchased a Triada-impacted device within the last three years, you need to think about your security. First and foremost, check with the manufacturer whether they have removed the Trojan. If they have not, you will need to look for another device. Second, reset your device to ensure that no malware apps or malware modules potentially downloaded by the Trojan remain active. Third, do not ignore other threats. Triada is only one of many threats that you might face if you do not take security measures. Sure, the proliferation of this Trojan is attention-worthy, but there are threats that can do worse. To ensure that your Android devices are ALWAYS safe, make sure you use strong passwords, enable two-factor/multi-factor authentication, employ VPN services, install reliable security apps, beware of phishing scams, stick to reputable app sources, and, of course, always use your head.
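The article's advice to not ignore obscure pre-installed apps can be turned into a quick inventory check. The script below is an added example, not from the article or from Google's research: it parses the output format of Android's `pm list packages -f` (`package:<apk path>=<package name>`), keeps only packages that live on pre-installed partitions, and prints those missing from an allowlist of expected vendor packages. The package names and the allowlist are constructed placeholders; a real allowlist has to be built per device model, e.g. from a known-clean unit of the same firmware.

```bash
#!/bin/sh
# Flag pre-installed packages that are not on a per-device allowlist.
# $1: text in `pm list packages -f` format (as returned by `adb shell pm list packages -f`)
# $2: newline-separated allowlist of package names considered expected
flag_unknown_system_pkgs() {
  # tr strips the CR that some adb versions append to every line
  printf '%s\n' "$1" | tr -d '\r' | while IFS= read -r line; do
    case "$line" in package:*) ;; *) continue ;; esac
    path=${line#package:}; path=${path%=*}   # APK path before the last '='
    pkg=${line##*=}                          # package name after the last '='
    case "$path" in
      /system/*|/vendor/*|/product/*|/odm/*|/oem/*) ;;   # shipped with the firmware
      *) continue ;;                                     # user-installed: out of scope here
    esac
    if ! printf '%s\n' "$2" | grep -qx "$pkg"; then
      printf '%s %s\n' "$pkg" "$path"
    fi
  done
}

# Constructed sample output standing in for `adb shell pm list packages -f`
# (hypothetical package names; only the second line should be flagged).
SAMPLE_PM_OUTPUT='package:/system/app/Browser/Browser.apk=com.android.browser
package:/system/priv-app/UnknownSvc/UnknownSvc.apk=com.example.unknownsvc
package:/data/app/com.example.game-1/base.apk=com.example.game
package:/vendor/app/VendorCamera/VendorCamera.apk=com.vendor.camera'

# Constructed allowlist for this hypothetical device model.
ALLOWLIST='com.android.browser
com.vendor.camera'

flag_unknown_system_pkgs "$SAMPLE_PM_OUTPUT" "$ALLOWLIST"
```

Against a real device, pass `"$(adb shell pm list packages -f)"` as the first argument; a flagged package is a lead for closer inspection (publisher, permissions, firmware changelog), not proof of malware by itself.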

July 31, 2019
