There are 42 cheap Android models currently infected with the Triada banking trojan, which steals data and intercepts chats on targeted devices.
The IT security researchers at Russia-based anti-virus firm Dr.Web have identified 42 low-cost Android devices infected with a dangerous banking trojan that was discovered by the firm in July 2017.
The malware aims at stealing personal and financial data from targeted devices.
Dubbed Android.Triada.231 by researchers, the malware is able to download malicious plugins that steal banking credentials from the user and intercept social media and messenger communication.
Furthermore, the malware can root devices and infect Zygote, also known as the “app process,” which is the parent of all Android application processes.
This means targeted users are left with no other choice but to reinstall the operating system and lose their personal data in case there is no backup.
“Once the Trojans inject into this module, they penetrate other running applications.
In doing so, they obtain the ability to carry out various malicious activities without a user’s intervention: they covertly download and launch software,” noted Dr. Web researchers.
Previously, Dr. Web found Triada malware in low-cost Android devices Leagoo M8, Leagoo M5 Plus, Nomu S20 and Nomu S10.
However, the researchers have now identified 42 more Android models from various manufacturers that are infected by the malware, and in this case the devices shipped with the malware pre-installed.
“The key feature of Android.Triada.231 is that cybercriminals inject this Trojan into the libandroid_runtime.so system library.
They do not distribute the Trojan as a separate program.
As a result, the malicious application penetrates the device firmware during manufacture.
Users receive their devices already infected from the box.”
In this case, however, the researchers analyzed the affected vendors and traced the culprit to a software development firm in Shanghai, China, noting that the malware was injected into the firmware at the request of a Leagoo partner, which turned out to be the same Shanghai-based firm.
This company (the Shanghai-based software development firm) provided Leagoo with one of its applications to be included in an image of the mobile operating system, along with instructions to add third-party code to the system libraries before they were compiled.
Unfortunately, this questionable request did not raise any suspicion with the manufacturer. Ultimately, Android.Triada.231 made it onto the smartphones without any obstacles.
A list shared by Dr. Web shows companies and their model numbers which are currently infected.
Keep in mind that this is not a comprehensive list and researchers believe that the list of infected devices could be much bigger.
- Leagoo M5
- Leagoo M5 Plus
- Leagoo M5 Edge
- Leagoo M8
- Leagoo M8 Pro
- Leagoo Z5C
- Leagoo T1 Plus
- Leagoo Z3C
- Leagoo Z1C
- Leagoo M9
- ARK Benefit M8
- Zopo Speed 7 Plus
- UHANS A101
- Doogee X5 Max
- Doogee X5 Max Pro
- Doogee Shoot 1
- Doogee Shoot 2
- Tecno W2
- Homtom HT16
- Umi London
- Kiano Elegance 5.1
- iLife Fivo Lite
- Mito A39
- Vertex Impress InTouch 4G
- Vertex Impress Genius
- myPhone Hammer Energy
- Advan S5E NXT
- Advan S4Z
- Advan i5E
- STF AERIAL PLUS
- STF JOY PRO
- Tesla SP6.2
- Cubot Rainbow
- EXTREME 7
- Haier T51
- Cherry Mobile Flare S5
- Cherry Mobile Flare J2S
- Cherry Mobile Flare P1
- NOA H6
- Pelitt T1 PLUS
- Prestigio Grace M5 LTE
- BQ 5510
Currently, the malware is targeting users in Russia, China, as well as other Central European countries. But it may only be a matter of time before it hits users of low-cost Android devices in other countries.
Dr. Web claims that their “Security Space for Android Version 12” protects Android devices from threats like Triada.