Dr. Web security researchers found that Triada Trojan was preinstalled on some low-cost Android device models.
Triada was originally built as a financial threat and has been ranked among the most advanced mobile malware of the past year. The trojan was capable of injecting itself into the Zygote parent process, from which every Android app process is forked, and so of running its code in the context of all applications.
To improve its detection evasion, the Triada trojan this year adopted so-called "sandbox technology" (specifically, the open source sandbox DroidPlugin).
The security experts from Dr. Web report that the trojan was recently found embedded in the libandroid_runtime.so system library, which lets it get into the processes of all running apps without requiring root privileges.
The researchers also reported that the modified library was found on several mobile devices, including Leagoo M8, Leagoo M5 Plus, Nomu S10, and Nomu S20.
“[Triada] is embedded into the source code of the library. It can be assumed that insiders or unscrupulous partners, who participated in creating firmware for infected mobile devices, are to be blamed for the dissemination of the Trojan,” state the experts from Dr. Web.
The Triada Trojan was installed in the library in a way that allows it to get control “each time when an application on the device makes a record to the system log.”
According to the experts, the initial launch of the malware is performed by Zygote, which starts before any other application.
Once on the system, Triada sets up its parameters, creates a working directory, and checks the environment. If it is running under Dalvik (the process virtual machine used by Android before ART replaced it), the trojan intercepts a system method to keep track of when applications start, and injects its malicious code into each one right after launch.
The malware can run additional malicious modules that download further Trojan components. The experts say this mechanism can be used to run malicious plugins that steal confidential information and banking credentials, run cyber-espionage modules, or intercept messages from messengers and social media clients.
A second malicious module, which the trojan extracts and decrypts from libandroid_runtime.so, was built to download additional malicious components from the Internet and to make sure they can interact with each other.
“Since [Triada] is embedded into one of the libraries of the operating system and located in the system section, it cannot be deleted using standard methods. The only safe and secure method to get rid of this Trojan is to install clean Android firmware,” the experts say.
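Because the only indicator the report gives is a modified system library, the practical field check is to pull libandroid_runtime.so from the device and compare it with the copy in a known-clean firmware image for the same build. The script below is an added example, not code from Dr. Web or from this article; it assumes a connected device reachable over adb, and the expected SHA-256 values you pass to it are placeholders that you must compute yourself from a trusted firmware image (they are not published indicators).

```shell
#!/bin/sh
# Added example: integrity check for libandroid_runtime.so pulled over adb.
# Reference hashes are supplied by the caller and are ASSUMED to come from a
# trusted clean firmware image for the same ro.build.fingerprint.

# sha256_of FILE -> lowercase hex digest (coreutils sha256sum, or shasum on BSD/macOS)
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_lib FILE EXPECTED_SHA256
# Prints "clean" and returns 0 when the digest matches the reference,
# prints "MODIFIED" and returns 1 otherwise (hash case is normalised first).
verify_lib() {
  [ -r "$1" ] || { echo "unreadable $1"; return 2; }
  actual=$(sha256_of "$1")
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  if [ "$actual" = "$expected" ]; then
    printf 'clean    %s\n' "$1"
    return 0
  fi
  printf 'MODIFIED %s (got %s, expected %s)\n' "$1" "$actual" "$expected"
  return 1
}

# check_device EXPECTED_SHA256_LIB [EXPECTED_SHA256_LIB64]
# Pulls the 32-bit library (and the 64-bit copy when a second hash is given)
# from the connected device and verifies each. /system is world-readable, so
# no root is needed on the device for the pull.
check_device() {
  fp=$(adb shell getprop ro.build.fingerprint | tr -d '\r')
  echo "build fingerprint: $fp"
  status=0
  if adb pull /system/lib/libandroid_runtime.so ./lib_libandroid_runtime.so >/dev/null 2>&1; then
    verify_lib ./lib_libandroid_runtime.so "$1" || status=1
  else
    echo "absent   /system/lib/libandroid_runtime.so"; status=1
  fi
  if [ -n "${2:-}" ]; then
    if adb pull /system/lib64/libandroid_runtime.so ./lib64_libandroid_runtime.so >/dev/null 2>&1; then
      verify_lib ./lib64_libandroid_runtime.so "$2" || status=1
    else
      echo "absent   /system/lib64/libandroid_runtime.so"
    fi
  fi
  return $status
}

# Usage (placeholder hashes, assumed):
#   sh check_runtime_lib.sh --device <sha256_of_clean_lib> [<sha256_of_clean_lib64>]
if [ "${1:-}" = "--device" ]; then
  shift
  check_device "$@"
fi
```

Two caveats when reading the result. A mismatch after a legitimate OTA is a false positive, so the reference must be taken from the image that matches the device's build fingerprint. And since the report attributes the infection to the people who built the firmware, the vendor's own download is not automatically a trustworthy reference; compare against a library extracted from an image you have reason to trust, or against the same library from a device of the same build that a different source has already vetted.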
According to Dr. Web, Android users should keep their devices updated at all times to stay safe from infection.