Triada Malware Preinstalled on Low-Cost Android Phones – Here’s How to Beat It

The smartphone world has its fair share of manufacturing giants in constant competition to make the best smartphone available. Not everyone has the funds for such a phone, however, and they often have to rely on a budget smartphone in order to catch up with today’s world.

Companies such as Leagoo, Doogee, and Cherry Mobile sell cheaper phones that appeal more to people who don’t have the money for the more premium options.

Recently there’s been a nasty spike of malware that has hit forty models of these phones. The real kicker is this malware is installed during the manufacturing process of the phone, meaning phones are infected before the consumer even puts down money for one.

What’s Infecting Android Phones?


The malware in question is called Triada. It’s is a modular malware capable of a lot of features, such as granting additional malware super-user privileges so it can perform its actions unhindered. However, it’s mostly known as a banking trojan, reading bank transaction SMS messages for vital info and using them to perform financial fraud.

Usually this malware would need a payload in order to get itself installed on phones, usually via an infected app being installed. However, Triada is being installed in the production line, meaning there’s no real way to prevent the phone from being infected in the first place.

How Did This Happen?


This may seem like an odd move by the phone manufacturer whose reputation would definitely tank the moment they were caught lacing smartphones with malware. However, while they’re not the ones installing the malware, they definitely have a share of the blame on why Triada made it onto phones. The original press release from Dr. Web explains where Triada came from:

Additionally, our analysts’ research showed that the Trojan’s penetration into firmware happened at request of the Leagoo partner, the software developer from Shanghai. This company provided Leagoo with one of its applications to be included into an image of the mobile operating system, as well as with an instruction to add third-party code into the system libraries before their compilation. Unfortunately, this controversial request did not evoke any suspicions from the manufacturer. Ultimately, Android.Triada.231 got to the smartphones without any obstacles.

Essentially, a software developer talked to the Leagoo manufacturer about having an app pre-installed on Leagoo’s phones. The developer asked Leagoo for a file to be installed within the system’s important files, which Leagoo accepted without a second thought. This file turned out to be Triada, which went on to infect every phone the software developer’s app was pre-installed on.

What Was Infected?

Dr. Web also goes on to list every phone that was hit with this wave of Triada. It includes the following:

  • Leagoo M5
  • Leagoo M5 Plus
  • Leagoo M5 Edge
  • Leagoo M8
  • Leagoo M8 Pro
  • Leagoo Z5C
  • Leagoo T1 Plus
  • Leagoo Z3C
  • Leagoo Z1C
  • Leagoo M9
  • ARK Benefit M8
  • Zopo Speed 7 Plus
  • UHANS A101
  • Doogee X5 Max
  • Doogee X5 Max Pro
  • Doogee Shoot 1
  • Doogee Shoot 2
  • Tecno W2
  • Homtom HT16
  • Umi London
  • Kiano Elegance 5.1
  • iLife Fivo Lite
  • Mito A39
  • Vertex Impress InTouch 4G
  • Vertex Impress Genius
  • myPhone Hammer Energy
  • Advan S5E NXT
  • Advan S4Z
  • Advan i5E
  • Tesla SP6.2
  • Cubot Rainbow
  • Haier T51
  • Cherry Mobile Flare S5
  • Cherry Mobile Flare J2S
  • Cherry Mobile Flare P1
  • NOA H6
  • Pelitt T1 PLUS
  • Prestigio Grace M5 LTE
  • BQ 5510

Dr. Web goes on to mention that while the above were confirmed to be infected, every device may not have been hit by this new wave of Triada.

Beating Triada


Of course, the most obvious way to dodge Triada is to not purchase one of the above infected phones. If you’re buying a budget phone, be ready to double-check to see if it came with anything nasty pre-installed.

If you’ve bought one of the above phones, see if you can get a refund or purchase a different phone. If you can’t, or don’t want to, do either of those two options, it is possible to clean your phone of Triada. A factory reset won’t do it; after all, Triada was installed as part of the factory defaults. Doing a factory reset will simply clean everything, then use the infected system files to re-infect the phone.

The best way to do this is to clean the phone, then flash a virus-free image onto the phone instead. This prevents the phone from using an infected image to set up the phone, thus wiping the malware away and giving you a clean phone.

Preinstalled Perils

With the new wave of Triada hitting phones before users can even purchase them, it can be worrying for those who purchase budget smartphones. However, with a little care and some DIY work, you can avoid the Triada threat or remove it from a compromised system.

Does this news make you a little warier of buying budget-brand smartphones? Let us know below.

Image credit:Malware Infection

Simon Batt
Simon Batt

Simon Batt is a Computer Science graduate with a passion for cybersecurity.

Subscribe to our newsletter!

Our latest tutorials delivered straight to your inbox