In a detailed study post, Google has explained how some hackers cleverly managed to put Triada, a malware designed to install spam apps on a device that displays ads, on Android devices by tampering the pre-installed software. The creators of Triada collected revenue from the ads displayed by the spam apps. “Triada infects device system images through a third-party during the production process. Sometimes OEMs want to include features that aren’t part of the Android Open Source Project, such as face unlock. The OEM might partner with a third-party that can develop the desired feature and send the whole system image to that vendor for development…Based on analysis, we believe that a vendor using the name Yehuo or Blazefire infected the returned system image with Triada,” wrote Lukasz Siewierski, of the Android security and privacy team, in a blog post. The “Triada family” of trojans were first discovered by security researchers at Kaspersky Labs, which was described in a blog post on their website in March 2016 and then in a follow-up blog post in June 2016. Back then, it was noted as a rooting trojan designed to exploit hardware after getting elevated privileges. Once aware of about the workings of Triada back in 2016, Google had implemented detection through its Play Protect to remove Triada samples from all devices. However, the malicious actors behind the malware took another uncommon approach and released a smarter version of the trojan in summer of 2017, which were uncovered by antimalware vendor Dr. Web in July 2017. “During the summer of 2017 we noticed a change in new Triada samples. Instead of rooting the device to obtain elevating privileges, Triada evolved to become a pre-installed Android framework backdoor. The changes to Triada included an additional call in the Android framework log function, demonstrated below with a highlighted configuration string,” Siewierski added. “By backdooring the log function, the additional code executes every time the log method is called (that is, every time any app on the phone tries to log something). These log attempts happen many times per second, so the additional code is running non-stop. The additional code also executes in the context of the app logging a message, so Triada can execute code in any app context. The code injection framework in early versions of Triada worked on Android releases prior to Marshmallow.” However, the most worrying factor that it could not be deleted using standard methods. “The only safe and secure method to get rid of this Trojan is to install clean Android firmware,” Dr. Web wrote in its blog post. According to Dr. Web’s report, several Android devices were detected with the modified version of Triada, including devices such as Leagoo M5 Plus, Leagoo M8, Nomu S10, and Nomu S20. Although Google did not reveal the mobile devices that were infected by the malware, it did confirm Dr. Web’s report in its blog post. Google has since coordinated with the affected OEMs (Original Equipment Manufacturers) to provide system updates and removed traces of Triada variant and closed the backdoor through OTA (over-the-air) updates. Google is also offering OEMs an automated system called the “Build Test Suite,” which scans system images against malware like Triada and similar threats on all Android devices. Further, the search giant has requested OEMs to carry out a security review of devices in their network for all third-party code and monitor for any suspicious activity. In addition, Google will be regularly assessing devices already on the market to look for supply chain attacks.