Google confirms some Android devices were infected with malware even before they shipped

It isn’t uncommon for malware and adware to sneek into Android devices. In the past, numerous reports have highlighted how malicious actors use apps in the Google Play Store to infect the Android smartphones with malicious codes in a bid to bombard them with ads to gain monetary benefits. Google has responded to such threats by removing the infected apps from its Play Store. But now, the tech giant has learnt of a new vulnerability – in the form of a code – that affected some Android devices even before they shipped.

Google, in an elaborate blog post, has explained how some clever hackers managed to put Tirada, a malware that is designed to display ads and spam on a smartphone, on countless Android smartphones undetected for long.

“Triada infects device system images through a third-party during the production process. Sometimes OEMs want to include features that aren’t part of the Android Open Source Project, such as face unlock. The OEM might partner with a third-party that can develop the desired feature and send the whole system image to that vendor for development…Based on analysis, we believe that a vendor using the name Yehuo or Blazefire infected the returned system image with Triada,” Google wrote in its blog post.

The michievious workings of Tirada were first discovered by Kaspersky Labs back in March 2016 and then in a subsequent post in June 2016. The two posts had dwelled deep into the workings of Tirada.

“Once downloaded and installed, the Triada Trojan first tries to collect some information about the system – like the device model, the OS version, the amount of the SD card space, the list of the installed applications and other things. Then it sends all that information to the Command & Control server,” Kaspersky had written in one of its blogposts.

What make Tirada so hard for security apps to detect Tirada is the fact that it modifies Android’s Zygote process. In simply words, it modifies the basic template that Google uses for all apps on Android OS. Once Tirada become a part of this template it becomes a part of every single app that runs on the infected Android device.

What makes this Trojan more dangerous is the fact that it hides itself from the list of apps running and installed on the Android smartphone, which makes it impossible for the anti-virus apps and anti-malware apps to detect it. It also makes it difficult for the system to detect if a strange or an unwanted process is running in the background.

Google, upon knowing about the workings of Tirada back in 2016, had removed this malware from all devices using Google Play Protect. However, malicious actors amped up their efforts and released a smarter version of the trojan in 2017, workings of which were uncovered by Dr Web in a blog post in July 2017.

Dr Web reported that its analysts had found Tirada built into the firmware of several Android devices. Since it was embedded in the system libraries it could secretly download and run malicious modules. What’s particularly concerning is that since it cannot be deleted using standard methods. “The only safe and secure method to get rid of this Trojan is to install clean Android firmware,” Dr Web wrote in its blog post.

Google’s latest blog was a confirmation of the report by Dr Web. Although Google didn’t name the mobile devices that were infected by the malware, Dr Web said that the modified version of Tirada was found on several mobile devices, including Leagoo M5 Plus, Leagoo M8, Nomu S10, and Nomu S20.