Security researchers have stumbled upon pre-installed malware and spyware on devices many times. Unfortunately, another piece of pre-installed malware has just been discovered by security company Dr. Web. The malware, a Trojan horse named Android.Triada.231, ships in the firmware of Android devices and allows attackers to download and run further malware on users’ phones.
Android.Triada.231: Technical Details about the Pre-Installed Trojan
According to the researchers, the malicious code is built into the firmware of specific Android phones.
Virus analysts from Dr.Web detected Android.Triada.231 built into the firmware of several mobile devices running Android. The Trojan is embedded in one of the system libraries and injects itself into the processes of all running applications. It can silently download and run additional modules.
More specifically, Android.Triada.231 resides in the libandroid_runtime.so library. In addition, the Trojan can inject files into Zygote, the core Android process from which every app process is forked at system boot. This means the malware is loaded each time the device starts and ends up inside every application it spawns.
Who is affected by Android.Triada.231?
The Trojan was detected on several Chinese Android mobile phones such as Leagoo M5 Plus, Leagoo M8, Nomu S10, and Nomu S20.
The worst thing about this pre-installed malware is that it can compromise any app on the device. As a result, it is no surprise that the Trojan is used mainly to install additional malware on Android systems. The authors of Android.Triada.231 can gain control over a targeted device through whichever malware they choose to deploy. Moreover, the malware can also help disable security products on Android.
Since Android.Triada.231 is embedded in one of the operating system’s libraries and located in the system partition, it cannot be deleted using standard methods: a factory reset or an antivirus scan leaves the firmware untouched. The only safe and secure way to get rid of this Trojan is to install clean Android firmware, the researchers say.
The only good news here is that the devices shipped with the pre-installed Trojan do not have a large market share. The manufacturers have already been informed about the issue so that they can clean their firmware. It is still unknown whether the manufacturers have done anything to counter this infection.