
Google revealed in a detailed study published on Thursday that some Android phones shipped with a pre-installed backdoor that made them vulnerable even before they reached stores. The story begins with the "Triada" family of Trojans, first discovered in early 2016. Google (Mountain View, California) initially removed Triada samples from all Android devices that use Google Play Protect. But in 2017 it was found that Triada had evolved and had become a pre-loaded backdoor on some Android devices. It is worth noting that the latest phones are not likely to be affected by what Google has discovered; various older models were affected, though.
Kaspersky security researchers first highlighted Triada's existence in 2016, describing it as a Trojan designed to exploit elevated privileges on infected devices. The Trojan's main goal was to install applications that could be used to send spam and display ads. Google implemented detection in Play Protect to remove Triada samples.
However, according to a Google blog post detailing the backdoor, in 2017 Google's in-house researchers discovered a version of Triada that was preloaded as a backdoor and hooked a system log function, which it used to download and install additional modules. The preloaded backdoor lived in the system partition, which many smartphone manufacturers had not noticed at the initial stage.
"Triada is inconspicuously included in the system image as third-party code for additional features required by OEMs," wrote Lukasz Siewierski of Google's Android Security and Privacy team in the blog post. "This highlights the need for comprehensive and continuous security reviews of system images prior to selling the device to users as well as any time they are updated over the air (OTA)."
Google has worked with original equipment manufacturers (OEMs) and provided them with instructions to remove the threat from devices. It also eventually pushed OTA updates to reduce the prevalence of preinstalled Triada variants and remove infections from affected phones.
It's worth noting that Google hasn't named the devices that shipped with the backdoor. However, the security company Dr. Web stated in a report published in late July 2017 that many Android devices had Triada within their firmware, including the Leagoo M5 Plus, Leagoo M8, Nomu S10, and Nomu S20. Google has since confirmed Dr. Web's findings.
To help secure devices, Google reportedly provided OEMs with a "Build Test Suite" that scans Android system images (ROMs) for malware such as Triada before devices ship, to reduce its impact.
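The review Siewierski calls for, checking a system image before it ships and again after every OTA, comes down to knowing exactly which files are in the system partition and whether any of them changed since the last approved build. The following is an added example, not Google's Build Test Suite or any code from the article: it hashes every file in an extracted system partition into a manifest, then diffs a later build against the golden reference so that any added or modified file has to be explained before the image is approved. The two directory trees, their file names and their contents are constructed here for the demonstration (the functions `hash_tree`, `diff_manifests`, `build_sample_images` and `review_sample` are this example's own).

```python
import hashlib
import os
import tempfile


def hash_tree(root):
    """Return {relative_path: sha256_hex} for every regular file under root.

    Symlinks are skipped so the manifest describes the bytes that actually
    ship in the partition, not whatever a link points at. Paths are
    normalised to forward slashes so manifests compare across hosts."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[rel] = digest.hexdigest()
    return manifest


def diff_manifests(baseline, candidate):
    """Compare a golden manifest with a candidate build.

    Returns the files that appeared, disappeared, or changed content. In a
    release review every entry here needs a documented justification (a
    known OEM change) before the image is approved for shipping or OTA."""
    base_paths, cand_paths = set(baseline), set(candidate)
    return {
        "added": sorted(cand_paths - base_paths),
        "removed": sorted(base_paths - cand_paths),
        "modified": sorted(
            p for p in base_paths & cand_paths if baseline[p] != candidate[p]
        ),
    }


def _write(root, rel, data):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def build_sample_images():
    """Create two small constructed directory trees standing in for an
    extracted /system partition: a golden reference and a later build.
    File names and contents are invented for this demonstration only."""
    golden = tempfile.mkdtemp(prefix="system_golden_")
    later = tempfile.mkdtemp(prefix="system_later_")
    common = {
        "build.prop": b"ro.build.version.release=8.1.0\n",
        "lib/libc.so": b"\x7fELF constructed libc\n",
        "lib/libsystemutil.so": b"\x7fELF constructed utility library\n",
        "app/Settings/Settings.apk": b"PK constructed settings apk\n",
    }
    for rel, data in common.items():
        _write(golden, rel, data)
        _write(later, rel, data)
    # Simulated unreviewed changes in the later build: a system library whose
    # bytes no longer match the reference, and an extra privileged app that
    # nobody signed off on. Both must show up in the review report.
    _write(later, "lib/libsystemutil.so",
           b"\x7fELF constructed utility library + unexplained extra code\n")
    _write(later, "priv-app/Helper/Helper.apk", b"PK constructed helper apk\n")
    return golden, later


def review_sample():
    """Run the golden-vs-later comparison over the constructed trees."""
    golden, later = build_sample_images()
    return diff_manifests(hash_tree(golden), hash_tree(later))


if __name__ == "__main__":
    for kind, paths in review_sample().items():
        print(f"{kind:9s} {paths}")
```

Run against a real image, the baseline manifest would be generated from the approved build and stored alongside the release; the OTA candidate is then extracted and diffed the same way. A clean report (three empty lists) is the expected outcome for a re-check of an unchanged image, and anything in `added` or `modified` under `lib/`, `app/` or `priv-app/` is exactly the kind of "third-party code for additional features" that the review has to account for.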