Security company finds malware in Android device firmware. Security company Dr. Web has discovered new malware that comes pre-installed on a number of Android devices, warning that cybercriminals can use the infection to download and install additional payloads on compromised smartphones.
The most important part of the story is without a doubt the list of devices that ship with the pre-loaded malware, but fortunately, only a few number of customers are likely to be affected.
The malicious program was discovered on a number of Chinese Android smartphones, the security firm says, including Leagoo M5 Plus, Leagoo M8, Nomu S10, and Nomu S20.
Called Android.Triada, the Trojan horse is embedded into the firmware of the mobile devices by “insiders or unscrupulous partners,” Dr. Web says, and it takes control of the libandroid_runtime.so module. The malware can inject its files into Zygote, the core Android process that runs at system boot, which means that the Trojan horse itself is loaded every time when the device is started.
Can be used to take control of your phone
Triada can thus compromise pretty much any application installed on the device since it’s running all the time, and Dr. Web notes that it’s primarily aimed at allowing attackers to deploy additional malware on a compromised Android smartphone. This means that virus writers can take control of the entire device with the right malware, especially because Triada can help disable security software on your device.
“Android.Triada.231 can infiltrate various Trojan modules in processes of any application and affect its operation. For example, virus writers can make Trojan to download and run malicious plugins for stealing confidential information from bank applications, cyberespionage modules and for intercepting of correspondence from social media clients and messengers, etc,” Dr. Web explains.
Fortunately, the list of devices that are shipping with the malware pre-installed is not that huge, and the security company says it has already notified the manufacturers to clean their firmware and remove the infection. No official response has been issue by one of the involved companies, so it’ll be interesting to see If any action is being taken to clean their devices.