More than 40 models of low-cost Android smartphones were found to be infected with an Android banking Trojan called Triada. These malware-laden smartphones had already been sold globally. The banking Trojan was discovered by a research team from Dr. Web, a Russia-based antivirus firm. A few days ago, the firm published a list of all 42 Android models that it analyzed and found to be infected with the banking Trojan Android.Triada.231.
Triada is not a new Android malware; it was first discovered in early 2016. This dangerous Android banking Trojan can root devices and then infect a core Android operating system process called “Zygote”, which makes it impossible for a user to remove the banking Trojan without wiping the entire Android device and reinstalling the operating system.
According to Dr. Web, it found the banking Trojan on newly shipped devices from lesser-known brands, based mostly in China, such as Doogee, Leagoo, Vertex, Advan, Cherry Mobile and so on. The devices infected with the malware are sold not only in Russia but all over the globe, according to a spokesperson from Dr. Web.
Dr. Web's recent discovery isn’t new; it is a continuation of earlier research from July 2017. At that time, researchers found the very same Triada banking Trojan on four low-cost Android models: Leagoo M5 Plus, Leagoo M8, Nomu S10 and Nomu S20.
At the time of writing, researchers are still looking into the matter and have found exactly 42 smartphone models that came with the malware pre-installed out of the box. Researchers said that their earlier discovery apparently did not dissuade whoever was behind this malware. As evidence, they found Triada pre-installed on Leagoo M9 phones, a model launched in December last year.
Dr. Web reached out to all the affected vendors, as it believed that one of the vendors’ shared resellers was injecting the banking Trojan before the devices shipped. However, it turned out that a software developer from Shanghai was responsible for injecting the Triada banking Trojan.
“This company provided Leagoo with one of its applications to be included into an image of the mobile operating system, as well as with an instruction to add third-party code into the system libraries before their compilation,” stated the researchers from Dr. Web. “Unfortunately, this controversial request did not evoke any suspicions from the manufacturer. Ultimately, Android.Triada.231 got to the smartphones without any obstacles,” the researchers added.
Researchers from Dr. Web say that this Triada-laden application developed by the Shanghai company was signed with the very same certificate seen in another malware case back in November 2016, when an Android app with over a million downloads in the Google Play Store was infecting users with the Android.MUIDrop adware.
At the end of the day, it’s still the very same old story: users are the ones who suffer the consequences when companies fall short in validating the supply chain of their software.
The list below shows the Android smartphone models that Dr. Web found to be infected with the Triada banking Trojan:
- Leagoo M5
- Leagoo M5 Plus
- Leagoo M5 Edge
- Leagoo M8
- Leagoo M8 Pro
- Leagoo Z5C
- Leagoo T1 Plus
- Leagoo Z3C
- Leagoo Z1C
- Leagoo M9
- ARK Benefit M8
- Zopo Speed 7 Plus
- UHANS A101
- Doogee X5 Max
- Doogee X5 Max Pro
- Doogee Shoot 1
- Doogee Shoot 2
- Tecno W2
- Homtom HT16
- Umi London
- Kiano Elegance 5.1
- iLife Fivo Lite
- Mito A39
- Vertex Impress InTouch 4G
- Vertex Impress Genius
- myPhone Hammer Energy
- Advan S5E NXT
- Advan S4Z
- Advan i5E
- STF AERIAL PLUS
- STF JOY PRO
- Tesla SP6.2
- Cubot Rainbow
- EXTREME 7
- Haier T51
- Cherry Mobile Flare S5
- Cherry Mobile Flare J2S
- Cherry Mobile Flare P1
- NOA H6
- Pelitt T1 PLUS
- Prestigio Grace M5 LTE
- BQ 5510