In this instance, the likeliest point of insertion was via a third-party vendor, somewhere in the phone manufacturer’s supply chain.
This type of attack is becoming increasingly commonplace as hackers gain ever more sophistication and attempt more complex hacking operations.
What is not known at this point is whether the hack originated from some outside agency, invading and infecting a third-party firmware vendor and then piggybacking on their code, or the attack originated from some third-party vendor itself. In recent months, we’ve seen instances of both.
For example, the companies Adups and Ragentek have both been found to embed backdoors into the firmware they sell to low-cost Android smartphone vendors. Then, they use those backdoors for their own ends at some point down the road, which causes the smartphone manufacturer to lose both credibility and market share when the word gets out.
The matter is still under investigation, and it should be noted that the Trojan has only been found on a select few phones, so the infection is quite small in scale and scope. Nonetheless, if you own one of the following models, check it to see if you’re infected:
• Leagoo M5 Plus
• Leagoo M8
• Nomu S10
• Nomu S 20
As to Triada itself, the malware began life as a fairly simple Android banking Trojan. Since its initial discovery in March of 2016, the hackers who own and control it have been busy making improvements and adding a range of features, making it increasingly more robust and dangerous.These days, it’s considered an all-around threat, capable of not only stealing your banking data, but also looking through your browser history and even downloading other malicious apps without your input or knowledge.
Because the Trojan infects the phone’s core process, it’s got root-level access, and could be directed to do anything the hackers want. Thankfully, the number of infections is quite small at the moment, but as we have seen, that can change quickly.