Despite Google's best efforts to improve Android's security, the platform's malware situation is still quite a mess. Just a few days ago, security researchers at Google revealed 'Lipizzan', a strain of malware that is capable of recording calls, capturing photos and monitoring other activity. This time, another security research firm has shed some light on a pre-loaded Trojan discovered in several Chinese smartphones.
The Triada Trojan found by researchers at Dr. Web is said to be one of the most sophisticated malware strains, as it injects itself into Android's parent process, called Zygote. Since Zygote is active throughout the phone's uptime, the Trojan gets access to the context of any application that is running at the time. In its latest incarnation, the Trojan has been updated to become untraceable, with the help of a sandboxing mechanism.
Dr. Web researchers have revealed that the core Android library "libandroid_runtime.so" on smartphones such as Leagoo M5 Plus, Leagoo M8, Nomu S10, and Nomu S20 was found to be injected with this Triada Trojan. It is suspected that the ROM makers, or someone else with access to the Android code used on these devices, could have added the malicious bits to the library before shipping it on to the devices.
The manufacturers have been notified about the malware, but it remains to be seen whether these low-cost devices will see any updates. It is of concern that many Chinese manufacturers use a common ROM and customize it to fit their needs, making it easier for miscreants to target a wide set of users with such malware.
Source: Security Week