Google on Thursday posted an entry in its PHA (Potentially Harmful Applications) series that focused on the 'Triada family' of apps, which were designed to install spam apps that display ads on the device. The study traced the family back to early 2016 and explained how its early versions worked. It noted that Google eventually realised Triada had found a backdoor route by which malware could be placed on an Android smartphone at the factory.
This means that even before a user had purchased the phone from the shop and opened the box or installed an app, the malware was already present in the phone.
Now, how did this happen? For those who are unaware, many smartphone companies do not have the equipment and expertise to build every feature of a smartphone on their own. Therefore these companies depend on third-party vendors to develop special features such as face unlock. It is here that a vendor can become the vector of a malware attack. In the same way, a vendor-supplied feature can carry malware onto the device through an over-the-air (OTA) system update.
Google in its latest study said that it worked with the manufacturers concerned to eliminate this malware from their devices. However, the company has not named the manufacturers it worked with in this regard, nor has it named the devices that were affected by the Triada malware.
According to a report by Ars Technica, the 2017 Dr. Web research report “had found Triada built into the firmware of several Android devices, including the Leagoo M5 Plus, Leagoo M8, Nomu S10, and Nomu S20”.
Given how Android ROMs are built, it is difficult even for large smartphone makers to produce a ROM that contains no third-party vendor code at all. Google said it provides smartphone makers with a "Build Test Suite" which can scan for Triada and similar malware.
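The defensive idea behind scanning a ROM before it ships is to compare what actually landed in the system image against what the manufacturer's own build produced, so that anything a vendor component or OTA package slipped in stands out. The following is an added illustration written for this article; it is not Google's Build Test Suite or any manufacturer's tooling. The file paths, file contents and the "golden build" manifest are constructed sample data, and the check is a plain SHA-256 manifest comparison rather than a malware signature scan.

```python
import hashlib
import os
from typing import Dict, List

# Constructed "golden build": what the OEM's own build system says the
# /system partition should contain (hypothetical paths and byte contents).
GOLDEN_BUILD: Dict[str, bytes] = {
    "system/app/Calculator/Calculator.apk": b"calculator-apk-bytes-v1",
    "system/priv-app/Settings/Settings.apk": b"settings-apk-bytes-v1",
    "system/lib/libvendor_faceunlock.so": b"vendor-face-unlock-lib",
    "system/bin/removed_tool": b"tool-present-in-golden-build",
}

# Constructed image as it came back from the integrator: one system app was
# altered, one unexpected app appeared, and one expected file vanished.
SHIPPED_IMAGE: Dict[str, bytes] = {
    "system/app/Calculator/Calculator.apk": b"calculator-apk-bytes-v1",
    "system/priv-app/Settings/Settings.apk": b"settings-apk-bytes-v1-with-extra-loader",
    "system/lib/libvendor_faceunlock.so": b"vendor-face-unlock-lib",
    "system/app/Untracked/Untracked.apk": b"nobody-signed-off-on-this",
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a file's bytes; the manifest stores these, not the bytes."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Turn a path->bytes mapping into the path->digest manifest a build emits."""
    return {path: sha256_hex(data) for path, data in files.items()}


def check_partition(files: Dict[str, bytes], manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Diff a partition's contents against the expected manifest.

    Returns three sorted lists: files whose digest changed, files the manifest
    never listed (the case that matters for pre-installed malware), and files
    that were expected but are absent.
    """
    actual = build_manifest(files)
    modified = sorted(p for p in manifest if p in actual and actual[p] != manifest[p])
    unexpected = sorted(p for p in actual if p not in manifest)
    missing = sorted(p for p in manifest if p not in actual)
    return {"modified": modified, "unexpected": unexpected, "missing": missing}


def partition_is_clean(report: Dict[str, List[str]]) -> bool:
    """True only when nothing was modified, added or removed."""
    return not any(report.values())


def read_partition_dir(root: str) -> Dict[str, bytes]:
    """Load an unpacked partition from disk into the path->bytes form used above.

    Paths are made relative to `root` with forward slashes so they line up
    with manifest entries such as "system/app/Foo/Foo.apk".
    """
    files: Dict[str, bytes] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                files[rel] = fh.read()
    return files


if __name__ == "__main__":
    expected = build_manifest(GOLDEN_BUILD)
    report = check_partition(SHIPPED_IMAGE, expected)
    for category, paths in report.items():
        for path in paths:
            print(f"{category:10s} {path}")
    print("clean" if partition_is_clean(report) else "REJECT: image differs from golden build")
```

Run against a real unpacked image, the same check is `check_partition(read_partition_dir("/path/to/unpacked/system"), manifest)`, with the manifest produced from the OEM's own build output. The design choice worth noting is that the manifest comes from the build that the manufacturer controls, not from the integrator who returns the image: a digest list is only useful as a reference if the party doing the checking generated it.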