Your browser is obsolete!

The page may not load correctly.

Free trial
Dr.Web for Android

Defend what you create

Other Resources

Close

Library
My library

+ Add to library

Contact us
24/7 Tech support

Send a message

Call us

+7 (495) 789-45-86

Forum
Profile

Back to news

Dr.Web: Trojan preinstalled on Android devices infects applications’ processes and downloads malicious modules

July 27, 2017

Virus analytics from Dr.Web detected a malicious program built into the firmware of several mobile devices running Android. The Trojan called Android.Triada.231 is embedded into one of the system libraries. It penetrates processes of all running applications and can secretly download and run additional modules.

Trojans of Android.Triada family embed in the system process of the Zygote component, which is used to launch programs on mobile devices. By infecting Zygote, Trojans embed into processes of all running applications get their privileges and function as part of applications. Then, they secretly download and launch malicious modules.

Unlike other Trojans of this family that try to get root privileges to perform malicious actions, Android.Triada.231 detected by the Dr.Web Virus Analytics is embedded into libandroid_runtime.so system library. Its modified version was found on several mobile devices, including Leagoo M5 Plus, Leagoo M8, Nomu S10, and Nomu S20. Libandroid_runtime.so is used by all Android applications, thus the malicious code in the infected system is found in the memory of all running applications.

Android.Triada.231 is embedded into the source code of the library. It can be assumed that insiders or unscrupulous partners, who participated in creating firmware for infected mobile devices, are to be blamed for the dissemination of the Trojan.

Android.Triada.231 is embedded into libandroid_runtime.so in a way that it gets control each time when an application on the device makes a record to the system log. As Zygote is launched before other applications, the initial launch of the Trojan is performed by Zygote.

screenshot Android.Triada.231 #drweb

After the initialization, the malicious program sets up some parameters, creates a working directory, and checks in what environment it is running. If the Trojan is in the Dalvik environment, it intercepts one of the system methods, which allows it to track the start of all applications and perform malicious activity immediately after they start.

The main function of Android.Triada.231 is to secretly run additional malicious modules that can download other Trojan components. To run additional modules, Android.Triada.231 checks if there is a special subdirectory in the working directory previously created by the Trojan. The subdirectory name should include the MD5 value of the software package name of the application, into the process of which the Trojan is infiltrated. If Android.Triada.231 finds this directory, it seeks files 32.mmd or 64.mmd (for 32-bit and 64-bit operating systems respectively) in it. It if finds the file, the Trojan decrypts it, saves it as libcnfgp.so, then loads it into RAM using one of the system methods and deletes the decrypted file from the device. If the malicious program does not find the required object, it seeks the file 36.jmd. Android.Triada.231 decrypts the file, saves it as mms-core.jar, runs it using the class DexClassLoader and then deletes the created copy.

As a result, Android.Triada.231 can infiltrate various Trojan modules in processes of any application and affect its operation. For example, virus writers can make Trojan to download and run malicious plugins for stealing confidential information from bank applications, cyberespionage modules and for intercepting of correspondence from social media clients and messengers, etc.

Moreover, Android.Triada.231 can extract the module Android.Triada.194.origin from libandroid_runtime.so, which is stored in the library in the encrypted form. Its main function is downloading additional malicious components from the Internet, as well as ensuring their interaction with each other.

Since Android.Triada.231 is embedded into one of the libraries of the operating system and located in the system section, it cannot be deleted using standard methods. The only safe and secure method to get rid of this Trojan is to install clean Android firmware. Dr.Web specialist notified manufacturers of compromised smartphones of an existing problem, so users are advised to install all possible updates that will be released for such devices.

More about the Trojan

Tell us what you think

You will be awarded one Dr.Webling per comment. To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.


Other comments

The Russian developer of Dr.Web anti-viruses

Doctor Web has been developing anti-virus software since 1992

Dr.Web is trusted by users around the world in 200+ countries

The company has delivered an anti-virus as a service since 2007

24/7 tech support

© Doctor Web
2003 — 2017

Doctor Web is the Russian developer of Dr.Web anti-virus software. Dr.Web anti-virus software has been developed since 1992.

2-12А, 3rd street Yamskogo polya, Moscow, Russia, 125040