Earlier this year, Forbes reported how a banking Trojan called Triada had been found on a bunch of brand new budget Android smartphones. Google has now confirmed that threat actors did, indeed, manage to compromise Android smartphones with the installation of a backdoor as part of a supply chain attack.
To understand what has happened here, we need to go back to 2016, when Kaspersky Lab researchers first uncovered what they called one of the most advanced mobile Trojans their malware analysts had ever seen. They named that Trojan “Triada” and explained how it existed mainly in the smartphone’s random access memory (RAM), using root privileges to replace system files with malicious ones.
The story evolved, along with the Triada malware itself, during the summer of 2017. Researchers at Dr. Web found that instead of relying upon being able to root the smartphone to elevate privileges, the threat actors had moved on to even more advanced attack methodologies.
Triada, the researchers found, instead used a call in the Android framework’s log function. In other words, the infected devices had a backdoor installed. This meant that every time an app, any app, attempted to log something, the function was called and that backdoor code executed. The Triada Trojan could now execute code in pretty much any app context courtesy of this backdoor; a backdoor that came factory-fitted.
Google had remained relatively quiet concerning Triada until this week when Lukasz Siewierski from the Android security and privacy team posted a detailed analysis of the Trojan on Google’s security blog. This not only filled in the missing parts of the puzzle but confirmed that a backdoor did indeed exist in brand new Android smartphones.
The Android system images were infected through “a third-party during the production process,” Siewierski explained. When a device manufacturer wants to include features that aren’t part of the Android Open Source Project itself, and Siewierski uses the example of face unlock here, it might engage a third party to develop this, and so send the entire system image to them for that development process.
This is how the backdoor came to be pre-installed on straight-from-the-factory smartphones. It’s a classic supply chain attack. “Based on the analysis,” Siewierski continues, “we believe that a vendor using the name Yehuo or Blazefire infected the returned system image with Triada.” A full list of the 42 budget model smartphones, mostly sold in China, can be found in this Bleeping Computer report from earlier this year.
It is unlikely that you will have been impacted by this backdoor, given that the devices concerned were value brands primarily sold in China. However, if you are concerned that you may have imported such a smartphone, Google is confident that it has dealt with the threat.
Google says that “by working with the OEMs and supplying them with instructions for removing the threat from devices, we reduced the spread of pre-installed Triada variants and removed infections from the devices through the over-the-air (OTA) updates.” Siewierski adds that Google is now performing a security review of system images, with Triada indicators of compromise being one of a number of signatures that are included in the scan. Google Play Protect also tracks, and removes, Triada and any related apps it detects on user devices.