Security researchers have found malware inside the firmware of several low-cost Android smartphones, such as Leagoo M5 Plus, Leagoo M8, Nomu S10, and Nomu S20.
Not all devices in these model lines are affected, only a few of them, presumably the result of a supply chain compromise that reached a small number of users.
Phones came preinstalled with Triada banking trojan
Discovered by Russian cyber-security vendor Dr.Web, the affected phone models came with a version of the Triada malware hidden inside the Android OS Zygote core process.
The Triada trojan was first discovered in March 2016 and was initially designed to work as an Android banking trojan. Over time, Triada gained more features, becoming an all-around threat that could be used to steal all sorts of credentials and browser history, and to download and install new apps in adware-like schemes.
Because the trojan was designed to gain root access and infect the Zygote core OS process, Triada's attack capabilities were effectively unrestricted, and the malware's operator could take any action they wanted on the device.
Triada most likely a result of supply chain compromise
This is not the first time that a smartphone maker’s supply chain has been compromised. Something like this has happened before, and can usually be attributed to shady distributors. A similar case happened last year in December. This problem also affects high-end devices, not only low-cost models.
It’s worse when malware or backdoors originate with firmware vendors themselves, and not because of third-party distributors.
This has happened before because of companies like Adups and Ragentek, both of which embedded data-stealing backdoors into the firmware they sold to low-cost Android smartphone vendors. The smartphone makers ended up losing credibility because of the actions of one of their contractors.