Many Android devices had a backdoor preinstalled, Google reveals

The list of affected devices includes Leagoo M5 Plus, Leagoo M8, Nomu S10, and Nomu S20.

Android phones had a pre-installed backdoor framework that made them vulnerable even before they hit stores, Google revealed in a detailed study on Thursday. The story begins with the "Triada family" of trojans, first discovered in 2016. The Mountain View, California-based company originally removed Triada samples from all Android devices using Google Play Protect. But in 2017, it was found that Triada had evolved and eventually become a backdoor preloaded on Android devices. Notably, the latest phones are not likely to be affected by what Google has discovered. This vulnerability has had an impact on various models in the past.

Security researchers at Kaspersky pointed to Triada's presence back in 2016, when it was noted as a rooting trojan designed to exploit the device after gaining elevated privileges. The main purpose of the trojan was found to be installing applications that could be used to send spam and display ads. Google implemented detection through Play Protect to remove Triada samples.

However, as noted in a blog post detailing access through the backdoor, Google's internal researchers spotted a version of Triada's log function in 2017 that was used to download and install modules. The preloaded log function was placed in the system section, where it went unnoticed by many early-stage smartphone manufacturers.

"Triada has been quietly included in the system image as a third-party code for additional features requested by OEMs," wrote Lukasz Siewierski of Google's Android Security and Privacy Team in the blog post. "This underscores the need for extensive and continuous security checks of system images before the device is sold to users, as well as each time they are updated live (OTA)."

Google worked with OEMs and provided instructions to remove the threat on the devices. It also eventually pushed OTA updates to reduce the spread of preinstalled Triada variants and removed infections from affected phones.

It is interesting to note here that Google did not mention the names of devices that had dubious backdoor access. However, the security company Dr.Web, in a report released in late July 2017, revealed that several Android devices had Triada in their firmware. The devices include the Leagoo M5 Plus, Leagoo M8, Nomu S10, and Nomu S20. In addition, Google has confirmed the conclusions of Dr.Web's report.

To ensure device security, Google is expected to have provided OEMs with a "build test suite" that helps them review Android ROMs before launching the hardware publicly and scan for malware like Triada to reduce its impact.

Reviewed by petitbicasos on 4:05 AM
