
Doctor Web: over 40 models of Android devices delivered already infected from the manufacturers

March 1, 2018

In mid-2017, Doctor Web analysts discovered a new Trojan, Android.Triada.231, in the firmware of several budget Android devices. Since then the list of infected devices has grown steadily and now stands at over 40 models. Doctor Web specialists have been monitoring the Trojan's activity and can now publish the results of this investigation.

Android.Triada.231 is one of the dangerous Android.Triada family of Trojans. These Trojans infect Zygote, the Android system process from which every application process is forked. Once injected into Zygote, the Trojan ends up inside every application launched afterwards, which lets it carry out malicious actions without any user interaction, in particular covertly downloading and launching software. The distinguishing feature of Android.Triada.231 is that the attackers embed it directly in a system library rather than distributing it as a separate application. As a result the malicious code enters the device firmware during manufacture, and users receive devices that are already infected out of the box.

Last summer, after detecting Android.Triada.231, Doctor Web security researchers notified the manufacturers of the infected devices. Nevertheless, new smartphone models continue to ship with this malware: it was found, for example, on the Leagoo M9, which was announced in December 2017. Our analysts' research also showed that the Trojan entered the firmware at the request of a Leagoo partner, a software developer from Shanghai. This company supplied Leagoo with one of its applications for inclusion in the operating system image, together with instructions to add third-party code to the system libraries before they were compiled. Unfortunately, this questionable request raised no suspicion at the manufacturer, and Android.Triada.231 reached the smartphones unimpeded.

Analysis showed that this application is signed with the same certificate as Android.MulDrop.924, a Trojan Doctor Web wrote about in 2016. It is therefore reasonable to assume that the developer who requested the addition of the extra program to the OS image is directly or indirectly connected with the distribution of Android.Triada.231.

So far, security researchers have detected Android.Triada.231 in the firmware of over 40 Android device models, including:

  • Leagoo M5
  • Leagoo M5 Plus
  • Leagoo M5 Edge
  • Leagoo M8
  • Leagoo M8 Pro
  • Leagoo Z5C
  • Leagoo T1 Plus
  • Leagoo Z3C
  • Leagoo Z1C
  • Leagoo M9
  • ARK Benefit M8
  • Zopo Speed 7 Plus
  • UHANS A101
  • Doogee X5 Max
  • Doogee X5 Max Pro
  • Doogee Shoot 1
  • Doogee Shoot 2
  • Tecno W2
  • Homtom HT16
  • Umi London
  • Kiano Elegance 5.1
  • iLife Fivo Lite
  • Mito A39
  • Vertex Impress InTouch 4G
  • Vertex Impress Genius
  • myPhone Hammer Energy
  • Advan S5E NXT
  • Advan S4Z
  • Advan i5E
  • Tesla SP6.2
  • Cubot Rainbow
  • Haier T51
  • Cherry Mobile Flare S5
  • Cherry Mobile Flare J2S
  • Cherry Mobile Flare P1
  • NOA H6
  • Pelitt T1 PLUS
  • Prestigio Grace M5 LTE
  • BQ-5510 Strike Power Max 4G (Russia)

This list is not exhaustive; the number of infected smartphone models may be considerably larger.

The wide distribution of Android.Triada.231 shows that many Android device manufacturers pay little attention to security, and in particular to how Trojan code can make its way into system components. Whether this happens through negligence or by intent, it appears to be common practice.

Dr.Web for Android detects all known modifications of Android.Triada.231. To find out whether your device is infected, run a full scan. If root privileges are available, Dr.Web Security Space for Android can neutralize Android.Triada.231 by curing the infected system component. Without root privileges, the malware can only be removed by flashing a clean operating system image; contact your device manufacturer to obtain one.
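Because the Trojan lives in a system library rather than in a removable app, one practical check a practitioner can make is to compare the hashes of the device's system libraries against the clean firmware image obtained from the manufacturer. The following is an added example written for this page, not Doctor Web's own tooling. It assumes you have produced two sha256sum-style manifests on a host machine (for example after `adb pull /system/lib ./device_lib` and after unpacking the clean image) and reports which libraries differ. All hashes, paths and the particular file that differs are constructed sample data, not observed indicators of Android.Triada.231.

```python
"""Compare system-library hashes from a suspect device against a clean firmware image.

Added example, not Doctor Web's tooling. The manifests are sha256sum-style
text ("<64 hex chars>  <path>"), produced on the host, e.g.:
    sha256sum ./device_lib/*.so   > device.txt
    sha256sum ./clean_image/lib/*.so > reference.txt
All sample hashes, paths and differences below are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# One `sha256sum` output line: 64 hex chars, whitespace, optional '*' (binary mode), path.
_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S.*)$")


def parse_manifest(text: str) -> dict[str, str]:
    """Return {path: sha256 (lowercase)} for well-formed lines; ignore blank or garbled ones."""
    entries: dict[str, str] = {}
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if m:
            entries[m.group(2).strip()] = m.group(1).lower()
    return entries


@dataclass
class DiffResult:
    modified: list[str] = field(default_factory=list)  # same path, different hash
    extra: list[str] = field(default_factory=list)     # on the device, absent from the clean image
    missing: list[str] = field(default_factory=list)   # in the clean image, absent from the device

    @property
    def clean(self) -> bool:
        return not (self.modified or self.extra or self.missing)


def diff_manifests(reference: dict[str, str], device: dict[str, str]) -> DiffResult:
    """Classify every path from either manifest; `reference` is the clean image."""
    result = DiffResult()
    for path, digest in device.items():
        expected = reference.get(path)
        if expected is None:
            result.extra.append(path)
        elif expected != digest:
            result.modified.append(path)
    result.missing = [p for p in reference if p not in device]
    for lst in (result.modified, result.extra, result.missing):
        lst.sort()
    return result


# --- constructed sample manifests (hashes are synthetic 64-character hex strings) ---
H_RUNTIME_CLEAN = "1f" * 32
H_RUNTIME_DEVICE = "2e" * 32  # differs from the clean image: candidate for injected code
H_LIBC = "3d" * 32
H_UNKNOWN = "4c" * 32

REFERENCE_MANIFEST = f"""
{H_RUNTIME_CLEAN}  /system/lib/libandroid_runtime.so
{H_LIBC}  /system/lib/libc.so
"""

DEVICE_MANIFEST = f"""
{H_RUNTIME_DEVICE}  /system/lib/libandroid_runtime.so
{H_LIBC}  /system/lib/libc.so
{H_UNKNOWN} */system/lib/libvendorhelper.so
"""


def check_sample() -> DiffResult:
    """Diff the constructed manifests; anything that is not clean deserves a closer look."""
    return diff_manifests(parse_manifest(REFERENCE_MANIFEST), parse_manifest(DEVICE_MANIFEST))


if __name__ == "__main__":
    r = check_sample()
    print("modified:", r.modified)
    print("extra:   ", r.extra)
    print("missing: ", r.missing)
    print("clean" if r.clean else "system libraries differ from the clean image")
```

Two caveats apply. Hash the files on the host after pulling them rather than trusting tools run on the device, since code resident in Zygote can interfere with any program started on the phone. And compare only against the exact build the device claims to run; libraries legitimately differ between firmware versions, so a non-empty result is a list of files to inspect, not proof of infection on its own.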


March 15, 2018 Update

Shortly after Doctor Web informed the manufacturers of the affected devices about Android.Triada.231 in their smartphone firmware, some of them reported that the problem had been fixed. So far, Cubot and Leagoo state that they have removed the malicious code from their devices. OS updates have been released for the following models:

  • Cubot Rainbow
  • Leagoo M5
  • Leagoo M5 Plus
  • Leagoo M5 Edge
  • Leagoo M8
  • Leagoo M8 Pro
  • Leagoo Z5C
  • Leagoo T1 Plus
  • Leagoo Z3C
  • Leagoo Z1C
  • Leagoo M9

However, while the new Leagoo M9 firmware no longer contains Android.Triada.231, Doctor Web virus analysts found another piece of malware on the device, Android.HiddenAds.251.origin, a member of a Trojan family that displays intrusive advertisements. Further analysis showed that Android.HiddenAds.251.origin is also present in earlier Android builds for the Leagoo M9. The manufacturer is currently dealing with this new issue.

Users of affected devices should check for available updates and install any new firmware that has been released for their phones. After that, a full system scan with Dr.Web for Android should be run to confirm that Android.Triada.231 has been neutralized and that no other malicious applications remain hidden on the device.
