In a recent blog post, Google highlights the role Play Services plays in defending Android devices against the Triada trojan and similar threats. Triada is a family of trojans that infected some Android phones a few years back. Kaspersky Lab, which discovered it in 2016, called it “one of the most advanced mobile Trojans”. The following year, Dr. Web reported a handful of affected devices, namely the “Leagoo M5 Plus, Leagoo M8, Nomu S10, and Nomu S20.”
How did Triada creep in?
Some device manufacturers that lack the resources for end-to-end software development delegate part of the work to third-party vendors, who modify the base software and add custom features. The problem arose when miscreants at one such vendor managed to embed the trojan directly in the system libraries. The OEMs, unaware of this, shipped it on their phones.
Triada therefore ran as a system module with the privileges needed to tamper with any app on the device. It targeted the core of the Android OS, the Zygote process, which spawns every new application process.
Triada components mimicked the package names of Google Play apps. The attackers used the infection as a backdoor to silently install additional modules and scripts and to push ads, much like adware. They could even siphon off banking credentials and other private data.
Worse, Triada could not be removed like an ordinary user application; eliminating it meant reflashing the entire ROM. That gives a sense of the gravity of the problem.
Ok, Google: Are our devices safe?
Google acknowledged the Dr. Web findings on Thursday, although it did not name the affected manufacturers. The case study suggests that more than one party on the vendor side may have been responsible.
Lukasz Siewierski, a member of Google’s Android Security & Privacy Team, wrote:
Triada infects device system images through a third party during the production process. Sometimes OEMs want to include features that aren’t part of the Android Open Source Project, such as face unlock. The OEM might partner with a third party that can develop the desired feature and send the whole system image to that vendor for development. Based on the analysis, we believe that a vendor using the name Yehuo or Blazefire infected the returned system image with Triada.
Google says the issues described have since been addressed: it helped the manufacturers remove the malicious code from their firmware images, and it stresses that Google Play Protect allowed the company to remotely disinfect compromised phones.
Mike Cramp, senior security researcher at mobile security provider Zimperium, agreed with the assessment that Triada’s capabilities were advanced.
“From the looks of it, Triada seems to be a relatively advanced piece of malware including C&C capabilities, and in the beginning, shell execution capabilities,” Cramp wrote in an email. “We do see a lot of adware, but Triada is different in that it uses C&C and other techniques that we would usually see more in the malicious malware side of things. Yes, this is all used to ultimately deliver ads, but the way they go about it is more sophisticated than most adware campaigns. It pretty much is an ‘adware on steroids.’”
Google admits that securing Android devices is an arduous task because of the number of OEMs involved, especially where third-party vendors take part in building system images. As a precaution, it offers OEMs a “Build Test Suite” that scans system images for malware like Triada, to help reduce the risk.
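The article does not describe how the Build Test Suite works internally, so the following is an added example of the simplest check an OEM can apply to the scenario above: hash every file in the system image before it goes to a third-party vendor, then diff the returned image against that baseline so that any modified, added or missing file must be accounted for before the build ships. This is illustrative code written for this page, not Google's tooling; the directory layout and file contents are constructed stand-ins.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large .so/.apk files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def diff_image(baseline: dict, returned_root: Path) -> dict:
    """Compare a returned image tree against the baseline manifest taken before hand-off.

    Every entry in the result needs a documented justification from the vendor;
    an altered system library with no matching feature request is the Triada case.
    """
    current = build_manifest(returned_root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "missing": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Constructed sample: a tiny stand-in for a system image sent out for customization."""
    with tempfile.TemporaryDirectory() as td:
        root = Path(td)
        (root / "system" / "lib").mkdir(parents=True)
        (root / "system" / "app").mkdir(parents=True)
        # Hypothetical file names and contents; real images hold thousands of files.
        (root / "system" / "lib" / "libandroid_runtime.so").write_bytes(b"clean runtime")
        (root / "system" / "app" / "Settings.apk").write_bytes(b"clean settings")

        # Baseline is taken (and, in practice, signed and stored) before the image leaves the OEM.
        baseline = build_manifest(root)

        # Simulate what the vendor returned: one library altered, one library added.
        (root / "system" / "lib" / "libandroid_runtime.so").write_bytes(b"clean runtime + injected code")
        (root / "system" / "lib" / "libextra.so").write_bytes(b"unexpected")

        return diff_image(baseline, root)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The baseline manifest must be kept out of the vendor's reach (signed, or stored only on the OEM side), otherwise the party doing the tampering can simply regenerate it. A diff like this cannot say whether a change is malicious; its value is that every change to a system library or privileged app becomes a visible item that someone has to sign off on, rather than something that silently ends up in the shipped firmware.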
The company stresses the importance of Google Play Services to the safety and security of users’ data. Play Protect, which is part of it, scans devices regularly for threats. That could prove a persuasive argument, and an effective shield, in Google’s ongoing dispute with the EU.