There is no dearth of Trojans for Android. Most of them activate themselves once they have root access and then inject ads. Google Researchers have confirmed that cybercriminals in 2017 got a backdoor preinstalled on Android devices and all of this happened before the Android phones left the factory.

Triada was first mentioned in an article by Kaspersky. According to the analyst, Triada was “one of the most advanced mobile Trojans” they had ever encountered. The main purpose of Triada was to install apps that send spam and display ads. The Trojan made use of rooting exploits that bypassed security protections in Android and modified the Android OS. In other words, the malware was now capable of tampering with any installed app.

The report further elucidates that, Triada was preinstalled on several Android phones like Leagoo M5 Plus, Leagoo M8, Nomu S10, and Nomu S20. Attackers could easily download and install modules, especially since the backdoor was planted into one of the OS libraries. The worst part is that the malware could not be detected or removed using standard procedures.

Triada was not called the most sophisticated trojan for no reasons. It worked by encrypting communications and used the interface app that allowed ads to inject the code. The apps were downloaded from the C&C server and the downloaded apps used names of unpopular apps on the Google Play store.

Mike Cramp, senior security researcher at Zimperium said, “From the looks of it, Triada seems to be a relatively advanced piece of malware including C&C capabilities, and in the beginning, shell execution capabilities,” he further added that “We do see a lot of adware, but Triada is different in that it uses C&C and other techniques that we would usually see more in the malicious malware side of things. Yes, this is all used to ultimately deliver ads, but the way they go about it is more sophisticated than most adware campaigns. It pretty much is an ‘adware on steroids.”

Google has worked to ward off the backdoor. Firstly, they deployed mitigations that prevented its rooting mechanisms from working. Google also baked in a feature in Google Play Protect and this allowed the companies to remotely disinfect compromised apps. Google is continuously working with manufacturers to ensure that the malicious app was removed from the firmware image.