Trojan found pre-installed on Android phones being sold on Amazon

Updates are essential. But oh wait…

David bisson
David Bisson
@
@DMBisson

Trojan found pre-installed on Android phones being sold on Amazon

Security researchers have discovered malicious software built into the firmware of several Android devices.

Embedded into the firmware of the affected Android devices isn’t any ordinary trojan. The culprit is a threat called Triada.

Triada, which supplanted Hummingbad as the top mobile malware in January 2017, hides within the infected phones’ Zygote component.

Sign up to our free newsletter.
Security news, advice, and tips.

This feature is responsible for launching programs on devices running Android OS. By embedding itself into the ibandroid_runtime.so system library specifically, the malware makes its way into the memory of all installed applications and relies on Zygote for initialization.

The initial launch of Triada performed by the Zygote component. (Source: Dr. Web)
The initial launch of Triada performed by the Zygote component. (Source: Dr Web)

Russian anti-malware company Dr Web describes what Triada does once it successfully executes on an infected device:

“The main function of Android.Triada.231 is to secretly run additional malicious modules that can download other Trojan components. To run additional modules, Android.Triada.231 checks if there is a special subdirectory in the working directory previously created by the Trojan…. It if [sic] finds the file, the Trojan decrypts it, saves it as libcnfgp.so, then loads it into RAM using one of the system methods and deletes the decrypted file from the device. If the malicious program does not find the required object, it seeks the file 36.jmd. Android.Triada.231 decrypts the file, saves it as mms-core.jar, runs it using the class DexClassLoader and then deletes the created copy.”

TriadaUsing this type of setup, Triada can affect any app’s functionality and download modules designed to steal users’ banking credentials, login details, and other information. Such activity would raise red flags among mobile anti-virus solutions under ordinary circumstances. But because it has infected the Zygote component, the malware evades detection by traditional means.

Fortunately, there’s some good news. Dr Web’s researchers found Triada pre-installed on only a limited number of Android devices (the Leagoo M5 Plus, the Leagoo M8, the Nomu S10, or the Nomu S20) produced by Chinese OEMs. As a result, only a limited number of users are likely to be affected by this threat.

Dr Web doesn’t go so far as saying that the manufacturers themselves are responsible for the malware being planted on the Android smartphones, but instead points the finger of suspicion at “insiders or unscrupulous partners.”

Sadly, at the time of writing – the affected smartphones are all freely for sale online, on stores such as Amazon.

Infected Android devices on Amazon

The security firm has contacted the manufacturers with the request that they push out updates to the affected devices and review their production processes for malicious actors. But as we all know by now, updates are too few and far between on too many Android devices.

With that said, if you were thinking of purchasing an affected device, you might want to think twice. If you already own one, you should delete all personal information from your device and await an update.


David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

2 comments on “Trojan found pre-installed on Android phones being sold on Amazon”

  1. DarpGosaNiled

    Hi,
    What's about Leagoo M5 ?
    Thx :)

    1. Mark Jacobs · in reply to DarpGosaNiled

      That's on the list! It's infected!

Leave a Reply to Mark Jacobs Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.