42 Android Models Infected with Data-Stealing Banking Trojan


There are 42 cheap Android models currently infected with the Triada banking trojan, which steals data and intercepts chats on targeted devices.

The IT security researchers at Russia-based anti-virus firm Dr.Web have identified 42 low-cost Android devices infected with a dangerous banking trojan that was discovered by the firm in July 2017.

The malware aims at stealing personal and financial data from targeted devices.

Dubbed Android.Triada.231 by researchers, the malware can download malicious plugins which steal banking credentials from the user and intercept social media and messenger communication.

Furthermore, the malware can root devices and infect Zygote, also known as the “app process,” which works as the parent of all Android application processes.

This means targeted users are left with no other choice but to reinstall the operating system, losing their personal data if there is no backup.

“Once the Trojans inject into this module, they penetrate other running applications. In doing so, they obtain the ability to carry out various malicious activities without a user’s intervention: they covertly download and launch software,” noted Dr. Web researchers.

Previously, Dr. Web found Triada malware in low-cost Android devices Leagoo M8, Leagoo M5 Plus, Nomu S20 and Nomu S10.

However, the researchers have now identified 42 more Android manufacturers whose smartphones have been infected by the malware; the devices came with the malware pre-installed.

“The key feature of Android.Triada.231 is that cybercriminals inject this Trojan into the libandroid_runtime.so system library. They do not distribute the Trojan as a separate program. As a result, the malicious application penetrates the device firmware during manufacture. Users receive their devices already infected from the box.”

In this case, however, researchers analyzed the targeted vendors and tracked the culprit back to a software development firm in Shanghai, China. They noted that the malware was introduced into the firmware at the request of the Leagoo partner, which happened to be the same Shanghai-based firm.

This company (the Shanghai-based software development firm) provided Leagoo with one of its applications to be included in an image of the mobile operating system, as well as with an instruction to add third-party code into the system libraries before their compilation.

Unfortunately, this controversial request did not evoke any suspicions from the manufacturer. Ultimately, Android.Triada.231 got to the smartphones without any obstacles.

A list shared by Dr. Web shows the companies and models that are currently infected.

Keep in mind that this is not a comprehensive list and researchers believe that the list of infected devices could be much bigger.

  1. Leagoo M5
  2. Leagoo M5 Plus
  3. Leagoo M5 Edge
  4. Leagoo M8
  5. Leagoo M8 Pro
  6. Leagoo Z5C
  7. Leagoo T1 Plus
  8. Leagoo Z3C
  9. Leagoo Z1C
  10. Leagoo M9
  11. ARK Benefit M8
  12. Zopo Speed 7 Plus
  13. UHANS A101
  14. Doogee X5 Max
  15. Doogee X5 Max Pro
  16. Doogee Shoot 1
  17. Doogee Shoot 2
  18. Tecno W2
  19. Homtom HT16
  20. Umi London
  21. Kiano Elegance 5.1
  22. iLife Fivo Lite
  23. Mito A39
  24. Vertex Impress InTouch 4G
  25. Vertex Impress Genius
  26. myPhone Hammer Energy
  27. Advan S5E NXT
  28. Advan S4Z
  29. Advan i5E
  32. Tesla SP6.2
  33. Cubot Rainbow
  34. EXTREME 7
  35. Haier T51
  36. Cherry Mobile Flare S5
  37. Cherry Mobile Flare J2S
  38. Cherry Mobile Flare P1
  39. NOA H6
  40. Pelitt T1 PLUS
  41. Prestigio Grace M5 LTE
  42. BQ 5510

Currently, the malware is targeting users in Russia, China as well as other Central European countries. But it is only a matter of time before it possibly hits users in other countries who have been using low-cost Android devices.

Dr. Web claims that their “Security Space for Android Version 12” protects Android devices from threats like Triada.

