Google: Triada backdoors were pre-installed on Android devices

For the first time, Google detailed the tenacity and temporary success of the Triada malware, which in 2017 was pre-installed on Android devices at some point in the supply chain process.

The story of Triada began when Kaspersky Lab researchers discovered it in early 2016, and at that time the main purpose of the Android malware was "to install spam apps on a device that displays ads," according to Google. Last week, Lukasz Siewierski, a reverse engineer on the Android security and privacy team at Google, explained that Triada was much more advanced than previously thought.

"The methods Triada used were complex and unusual for these types of apps," Siewierski wrote in a blog post. "Triada apps started as rooting Trojans, but as Google Play Protect strengthened defenses against rooting exploits, Triada apps were forced to adapt, progressing to a system image backdoor."

While Google added features to Android to protect against threats like Triada, the threat actors behind the malware took another unusual approach in the summer of 2017 and performed a supply chain attack to get the backdoor malware preinstalled on budget phones. According to analytics from antimalware vendor Dr. Web, the backdoors were found on devices from Chinese manufacturers Leagoo and Nomu, which don't sell to the U.S.

None of the researchers involved were able to say how the supply chain attack occurred, but the threat actors succeeded in getting Triada preinstalled as part of the system image on these devices. With this level of access, the malware had access to manipulate legitimate apps, download more malicious code, initiate click fraud and infect SMS messages with further scams.

The Triada Trojan targeted older devices -- Android 4.4.2 and earlier, according to Kaspersky -- because newer versions of Android blocked the process by which the malware gained root access. According to Google, even after Triada transitioned to a preinstalled backdoor, Google blocked the code injection methods it used as of Android Marshmallow. Triada had to be rewritten to circumvent further protections introduced in Android Nougat.

"By working with the OEMs and supplying them with instructions for removing the threat from devices, we reduced the spread of preinstalled Triada variants and removed infections from the devices through the OTA updates," Siewierski wrote in the blog post. "The Triada case is a good example of how Android malware authors are becoming more adept. This case also shows that it's harder to infect Android devices, especially if the malware author requires privilege elevation."

Google has an automated system in place called the "Build Test Suite," which scans system images against threats like Triada. Additionally, Google says it is constantly assessing devices already on the market to look for supply chain attacks.

Even with these actions, Google suggested enterprises perform a security review of devices in their network and monitor for any suspicious activity. It's possible to detect Triada by signals related to the backdoor, such as odd installs, which should be blocked in enterprise networks. And according to Google, the devices affected would not comply with recommended guidance to enterprise customers through Google's Android Enterprise Recommended program.

Casey Ellis, CTO and founder of Bugcrowd, said Google's report is fascinating because it "highlights the tenacity of motivated attackers who'll persist even as defenses are introduced."

"Again, if attackers have a will, they will find a way. With enough time, money and reward, they have enough incentive to find a way in," Ellis told SearchSecurity. "Google has a solid history of educating the market on what the bad guys are up to, and what the true risks actually look like. Given the scale of what they do, they're in a unique position to comment on those issues and this is an extension of that."

According to Google, the discussion of Triada -- itself part two in a new series about potentially harmful app (PHA) families -- was published because malware supply chain attacks on Android weren't described in such detail previously. Google decided to expand on the previous research done to provide additional information in terms of the technical aspects of the backdoor as well as attribution and the details of the supply chain attack.

Ellis noted that as supply chains get more complex -- as with the Android ecosystem -- "more avenues exist for an attacker to exploit it."

"Most supply chains are already complex, so developers need to test their code, and then test it again," Ellis said. "To mitigate the threat of software supply chain attacks, organizations must question the assumption that suppliers are secure and vet their processes when it comes to identifying and patching bugs. Suppliers that prioritize security are less risky partners than those that don't."