Google this week detailed a disturbing case of hackers loading up Android devices with adware by tampering with pre-installed software.
The mysterious hackers masqueraded as a software vendor that phone makers believed would help them add features to the standard Android OS. “Sometimes OEMs (original equipment manufacturers) want to include features that aren’t part of the Android Open Source Project, such as face unlock,” Google security engineer Lukasz Siewierski said in a Thursday blog post. “The OEM might partner with a third party that can develop the desired feature and send the whole system image to that vendor for development.”
Those desired features, however, came with a side of adware known as Triada.
Google has not revealed which product models were affected. But the hackers appear to frequently use the Chinese language, and went by the vendor name “Yehuo” or “Blazefire.”
“The Triada case is a good example of how Android malware authors are becoming more adept,” Siewierski wrote.
Google says it coordinated with the makers of the affected products to send out software updates, which removed the adware. In 2018, “Google identified all Triada variants, including new ones, and all devices infected with Triada,” the company said in March.
But on Thursday, Germany’s information security agency warned about firmware-based malicious software circulating on several Android smartphone models, including the Doogee BL7000, the M Horse Pure 1, and the Keecoo P11. It isn’t clear if the phones were affected by the same Triada adware or a different malware family. But German authorities have detected more than 20,000 affected devices in the country alone.
In the Triada case, the hackers hid the adware, which was capable of communicating with a command and control server on the internet, on the system images as a backdoor. The mysterious culprits then leveraged the backdoor to install unwanted apps on the affected devices to display ads.
Triada dates back to 2016, when security firm Kaspersky Lab highlighted malicious software that masqueraded as legitimate apps. Once installed, it gained root access to a phone, and modified SMS messages and the data on certain mobile browsers from China.
In response, Google added protections to Android to detect and block Triada. But the hackers behind it were quick to adapt. In 2017, security firm Dr. Web noticed the Triada program inside the firmware of several obscure Android devices, including the Leagoo M5 Plus, Leagoo M8, Nomu S10, and Nomu S20.
In 2018, security firm Avast also uncovered hackers circulating adware to lesser-known Android devices through the firmware. Over 140 product models, many of them tablets, were affected.
“This highlights the need for thorough ongoing security reviews of system images before the device is sold to the users as well as any time they get updated over-the-air,” Siewierski said this week.