The infection was through malware known as Triada, which Kaspersky first described in posts in March and June 2016, characterising it at the time as sophisticated.
The malware communicated with numerous command and control centres and permitted the installation of apps that could be used to send spam and display advertisements.
Triada was discovered to be built into the firmware of a number of Android devices by anti-virus vendor Dr Web in July 2017. These included the Leagoo M5 Plus, Leagoo M8, Nomu S10 and Nomu S20. As it was within the operating system itself, it could not be removed easily.
How Triada gained access to the Android devices. Courtesy Google
"The creators of Triada collected revenue from the ads displayed by the spam apps. The methods Triada used were complex and unusual for these types of apps.
"Triada apps started as rooting trojans, but as Google Play Protect strengthened defences against rooting exploits, Triada apps were forced to adapt, progressing to a system image backdoor.
"However, thanks to OEM co-operation and our outreach efforts, OEMs prepared system images with security updates that removed the Triada infection."
While Siewierski was silent on the models that were infected, he named the vendor where the infection had taken place.
"Triada infects device system images through a third-party during the production process. Sometimes OEMs want to include features that aren’t part of the Android Open Source Project, such as face unlock," he said.
"The OEM might partner with a third-party that can develop the desired feature and send the whole system image to that vendor for development. Based on analysis, we believe that a vendor using the name Yehuo or Blazefire infected the returned system image with Triada."
iTWire has contacted Google to find out why the company suddenly decided to issue details about Triada so long after the malware was first unearthed.