Google’s cybersecurity team has been tracking Triada, a piece of Android malware that mutated from a harmless Trojan into a threat that infected the production chain of some mobile phone models, which reached the market already infected.
Triada is a mobile virus discovered by the cybersecurity company Kaspersky Lab in 2016. Originally, it was a Trojan that installed additional applications on devices, for ‘spam’ functions and to skew statistics. That threat was eliminated by Google’s automatic security mechanisms through Play Protect, but Google has now explained in its security blog that, around 2017, the virus mutated and became a backdoor for Android.
Cybercriminals modified the malware so that, on an infected device, it could run code by default in any application on the system, regardless of the permissions required to do so. It affected Android versions earlier than Marshmallow. Through this mutation, Triada was introduced into the production chain of some mobile models running Google’s system, so that they reached the market already infected.
“Triada was included without knowledge in the image of the system as a third-party code for additional functions requested by device manufacturers,” explained Lukasz Siewierski, from Android’s security and privacy team. According to Google, a vendor from China, identified as Yehuo or Blazefire, was responsible for introducing the vulnerability into the production chain, thus infecting the entire process.
To address this, Google experts worked with device manufacturers and provided them with instructions to remove the threat from the devices and, through automatic ‘over the air’ (OTA) updates, reduce the spread of the various Triada variants.