Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Share Post: Reddit Facebook
over 40 models of Android devices delivered already infected from the manufacturers
#1
https://news.drweb.com/show/?lng=en&i=11749&c=5       Doctor Web: over 40 models of Android devices delivered already infected from the manufacturers   March 1, 2018

In the middle of 2017, Doctor Web analysts discovered a new Trojan Android.Triada.231 in the firmware of some cheap models of Android devices. Since this detection, the list of infected devices has been constantly increasing. At the moment, the list contains over 40 models. Doctor Web specialists have monitored the Trojan’s activity and now we can publish the results of this investigation.

Android.Triada.231—one of the dangerous Android.Triada Trojans. These Trojans infect the process of an important Android system component, Zygote. This process is used to launch all applications. Once the Trojans inject into this module, they penetrate other running applications. In doing so, they obtain the ability to carry out various malicious activities without a user’s intervention: they covertly download and launch software. The key feature of Android.Triada.231 is that cybercriminals inject this Trojan into the libandroid_runtime.so system library. They do not distribute the Trojan as a separate program. As a result, the malicious application penetrates the device firmware during manufacture. Users receive their devices already infected from the box.

In the past summer, following detection of Android.Triada.231, Doctor Web security researchers notified manufacturers who produced infected devices. However, new smartphones models continue getting infected with this malware. For example, it was detected on the Leagoo M9 smartphone that was announced in December 2017. Additionally, our analysts’ research showed that the Trojan’s penetration into firmware happened at request of the Leagoo partner, the software developer from Shanghai. This company provided Leagoo with one of its applications to be included into an image of the mobile operating system, as well as with an instruction to add third-party code into the system libraries before their compilation. Unfortunately, this controversial request did not evoke any suspicions from the manufacturer. Ultimately, Android.Triada.231 got to the smartphones without any obstacles.

The analysis of this application showed it is signed with the same certificate as Android.MulDrop.924. Doctor Web previously wrote about this Trojan in 2016. We can presume the developer that requested adding the additional program into the mobile operating system image can be connected expressly or implicitly with the distribution of Android.Triada.231.

At the moment, security researchers have detected Android.Triada.231 in the firmware of over 40 Android device models:

Leagoo M5
Leagoo M5 Plus
Leagoo M5 Edge
Leagoo M8
Leagoo M8 Pro
Leagoo Z5C
Leagoo T1 Plus
Leagoo Z3C
Leagoo Z1C
Leagoo M9
ARK Benefit M8
Zopo Speed 7 Plus
UHANS A101
Doogee X5 Max
Doogee X5 Max Pro
Doogee Shoot 1
Doogee Shoot 2
Tecno W2
Homtom HT16
Umi London
Kiano Elegance 5.1
iLife Fivo Lite
Mito A39
Vertex Impress InTouch 4G
Vertex Impress Genius
myPhone Hammer Energy
Advan S5E NXT
Advan S4Z
Advan i5E
STF AERIAL PLUS
STF JOY PRO
Tesla SP6.2
Cubot Rainbow
EXTREME 7
Haier T51
Cherry Mobile Flare S5
Cherry Mobile Flare J2S
Cherry Mobile Flare P1
NOA H6
Pelitt T1 PLUS
Prestigio Grace M5 LTE
BQ-5510 Strike Power Max 4G (Russia)
This is not a comprehensive list. The number of infected smartphones models could be much bigger.

Such widespread distribution of Android.Triada.231 shows that many Android device manufacturers pay little attention to security questions and penetration of the Trojan code into system components. This can be due to error or malicious intent and is likely common practice. Dr.Web for Android detects all possible modifications to Android.Triada.231. To find out whether your mobile device is infected, scan it completely. With root privileges, Dr.Web Security Space for Android can neutralize Android.Triada.231 by curing an infected system component. If root privileges are not available on the device, you can remove this malware by installing a clean image of the operating system. Contact your device manufacturer to receive the clean image.
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  Trojans in AI models (KASPERSKY ) mrtrout 0 214 12-03-2024 , 09:52 PM
Last Post: mrtrout
  45,000 Android devices infected by unremovable malware sidemoon 1 3,523 11-30-2023 , 05:24 AM
Last Post: Pranav
  Android malware infected 300,000 devices to steal Facebook accounts tarekma7 0 696 12-05-2022 , 04:04 PM
Last Post: tarekma7
  8 New Android Apps Found Infected with Joker Malware mrtrout 0 935 06-22-2021 , 11:15 PM
Last Post: mrtrout
  Pre-installed auto installer threat found on Android mobile devices in Germany mrtrout 0 1,160 04-09-2021 , 12:15 AM
Last Post: mrtrout



Users browsing this thread: 1 Guest(s)