Google confirms: there was a backdoor pre-installed on some (rare) Android devices

in google •  6 years ago 

Over the past few hours, Google has published a case study of an extremely skilled hacker group that has repeatedly tried to plant malware on Android smartphones over the years. The post refers to the "Triada family" adware, designed to fraudulently push spam and advertising campaigns onto the device. In the article, Google briefly tells the story that began in 2016, describing how each version of the malware worked and admitting something decidedly surprising.

In fact, the group developed a technique for installing its malware on some Android devices practically before they were delivered to the customer, before the buyer had even opened the box or installed a first application. The trick outlined in the chart above relies on the fact that some smartphone manufacturers outsource the development of certain features to third parties because they lack the know-how and the specific software skills. Those third parties unknowingly became the vector of the attack.

Not only could Triada exploit sensitive features of Android smartphones, it could also tamper with over-the-air update packages. Google points out that it was forced to work with the very same hardware suppliers to remove Triada from the affected devices. Which devices were vulnerable to Triada? Google does not name them, but Ars Technica points to a 2017 article that names some (obscure) Chinese smartphones: Leagoo M5 Plus, Leagoo M8, Nomu S10 and Nomu S20.

The idea behind the Triada group is certainly one of the cleverest we have seen on Android devices over the years, and perhaps also among the most dangerous. These attacks are highly advanced on a technical level too, not just a conceptual one: the app uses XOR encoding combined with ZIP compression to obfuscate its files and hide their contents. The code is also injected in a particularly strategic way into a startup app belonging to the essential user interface, which is what allows the advertising banners to be displayed. Moreover, through the backdoor the exploit could force the installation of apps chosen by the attacker via the Android Play Store itself.

According to the article: "The applications were downloaded via a Command & Control server, and interaction with the server was secured by the same double custom encryption via XOR and ZIP files. The downloaded and installed applications used package names that were not common but were available on Google Play. But they had no link with the latter, except for the product name only." So Triada was not a simple "adware", since it used methods that we have already seen in far more advanced and complex attacks designed for potentially more dangerous malware.
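The XOR-plus-ZIP layering described above (files zipped, then XOR-encoded) suggests a simple check a defender can run over firmware images or suspicious app assets. The following Python script is an added example, not code from the original post or from Google's analysis: it recovers a short repeating XOR key from the known ZIP local-file-header magic (`PK\x03\x04`), then confirms the guess by actually parsing the decoded archive and verifying member CRCs, so a mere four-byte match cannot produce a false positive. The sample blob is constructed inside the script; the assumption that the key is at most four bytes long and applied as a plain repeating XOR is an illustration of the general technique, not a claim about how Triada's encoding actually works.

```python
"""Detect XOR-obfuscated ZIP payloads.

Added example, not code from the original post or from Google's analysis.
Assumptions (for illustration only): the payload is a ZIP archive XOR-encoded
with a short repeating key (up to 4 bytes); the sample blob is constructed here.
"""
import io
import zipfile
from typing import List, Optional, Tuple

# Every ZIP archive begins with the local-file-header signature.
ZIP_MAGIC = b"PK\x03\x04"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same operation encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def candidate_key(blob: bytes, key_len: int) -> Optional[bytes]:
    """Known-plaintext key recovery.

    If blob is a ZIP XORed with a key of key_len bytes, then for the first
    four positions blob[i] ^ ZIP_MAGIC[i] must equal key[i % key_len].
    Derive the key from the first key_len positions and check that the
    remaining magic positions agree; return None on any contradiction.
    Only keys up to len(ZIP_MAGIC) bytes can be fully recovered this way.
    """
    key = bytearray(key_len)
    for i in range(len(ZIP_MAGIC)):
        kb = blob[i] ^ ZIP_MAGIC[i]
        if i < key_len:
            key[i] = kb
        elif key[i % key_len] != kb:
            return None
    return bytes(key)


def detect_xor_zip(blob: bytes, max_key_len: int = 4) -> Optional[Tuple[bytes, List[str]]]:
    """Try key lengths 1..max_key_len (shortest first).

    A key candidate is accepted only if the decoded bytes parse as a valid
    ZIP archive whose member CRCs check out, which rules out the false
    positives that matching four magic bytes alone would produce.
    Returns (key, member_names) on success, None otherwise.
    """
    if len(blob) < len(ZIP_MAGIC):
        return None
    max_key_len = min(max_key_len, len(ZIP_MAGIC))
    for key_len in range(1, max_key_len + 1):
        key = candidate_key(blob, key_len)
        if key is None:
            continue
        decoded = xor_bytes(blob, key)
        try:
            with zipfile.ZipFile(io.BytesIO(decoded)) as zf:
                if zf.testzip() is not None:  # some member failed its CRC
                    continue
                return key, zf.namelist()
        except (zipfile.BadZipFile, EOFError, OSError, ValueError):
            continue
    return None


def build_sample(key: bytes) -> bytes:
    """Constructed sample: a tiny ZIP holding a fake 'payload.dex' entry,
    then XOR-encoded. Exists only to exercise the detector."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("payload.dex", b"dex\n035\x00" + b"\x00" * 64)
    return xor_bytes(buf.getvalue(), key)


if __name__ == "__main__":
    for key in (b"\x37", b"\x5a\xa5", b"\xde\xad\xbe\xef"):
        print(key.hex(), "->", detect_xor_zip(build_sample(key)))
    print("plain zeros ->", detect_xor_zip(b"\x00" * 100))
```

In a scanning pipeline the same check can be applied to every file pulled from a vendor build or an OTA package; a hit on a file that is not supposed to be an archive at all is the signal worth escalating, since legitimate assets rarely need a hidden ZIP behind an XOR layer.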

It is not easy for manufacturers to build a custom ROM without third-party components, especially for larger products, but Google stresses that its "Build Test Suite" can be used to scan all the third-party software included in a build and check for threats such as those of the Triada adware family.
