An analysis by Google Security on the Triada malware family found a vendor going by the name of either Yehuo or Blazefire was most likely responsible for malware that came preinstalled on some Android phones.
Google’s research revealed Triada was most likely implanted on a device during the manufacturing process when the vendor opted to use third-party software to deliver features not found in the Android Open Source Project, such as face unlock.
“The OEM might partner with a third-party that can develop the desired feature and send the whole system image to that vendor for development. Based on analysis, we believe that a vendor using the name Yehuo or Blazefire infected the returned system image with Triada,” Google wrote.
The company did not offer any further details on the vendor in question.
The backdoor trojan Triada was first uncovered by Kaspersky in 2016, when it was being used to obtain superuser privileges, intercept URLs opened by the user and redirect them to another URL. In 2017 Dr Web found Triada built into Android phones' firmware, enabling an attacker to download and run malicious modules such as spam apps. The creators of Triada then collected money from the ads displayed in the spam apps.
Google has since set up a process with the affected OEM device makers to update their systems and remove Triada, and Google now scans for the malware on all Android devices.
“Triada was inconspicuously included in the system image as third-party code for additional features requested by the OEMs. This highlights the need for thorough ongoing security reviews of system images before the device is sold to the users as well as any time they get updated over-the-air (OTA),” Google said.
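The review Google recommends comes down to a concrete check the OEM can run on the image a third-party vendor returns: compare it file by file against the image that was sent out, and flag every change that falls outside the feature the vendor was contracted to add. The script below is an added illustration, not code from Google or from the article; it builds SHA-256 manifests of two directory trees (an unpacked baseline image and the returned image), diffs them, and subtracts the declared scope of work. The paths, file contents and the "FaceUnlock" scope are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, chunk=1 << 20):
    """SHA-256 of a file, read in chunks so large partitions do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256 digest.
    Symlinks are skipped so a link pointing outside the image cannot be hashed as content."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            manifest[p.relative_to(root).as_posix()] = hash_file(p)
    return manifest


def diff_manifests(baseline, returned):
    """Classify differences between the image sent to the vendor and the image sent back."""
    added = sorted(set(returned) - set(baseline))
    removed = sorted(set(baseline) - set(returned))
    modified = sorted(
        path for path in baseline.keys() & returned.keys() if baseline[path] != returned[path]
    )
    return {"added": added, "removed": removed, "modified": modified}


def unexpected_changes(diff, expected_paths):
    """Drop the changes the vendor was contracted to make; whatever is left needs a human review.
    A modified framework jar or an extra native library nobody asked for is exactly the kind of
    finding that should block the image from shipping."""
    expected = set(expected_paths)
    return {kind: [p for p in paths if p not in expected] for kind, paths in diff.items()}


def build_sample_images(workdir):
    """Constructed sample (hypothetical paths and contents): a tiny baseline tree and a returned
    tree in which the vendor added the requested FaceUnlock app but also modified framework.jar
    and dropped in an undeclared library."""
    workdir = Path(workdir)
    baseline, returned = workdir / "baseline", workdir / "returned"
    original = {
        "system/framework/framework.jar": b"framework bytes",
        "system/lib64/libc.so": b"libc bytes",
    }
    for root in (baseline, returned):
        for rel, data in original.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
    # Declared scope of work: the face-unlock app the OEM asked for.
    app = returned / "system/app/FaceUnlock/FaceUnlock.apk"
    app.parent.mkdir(parents=True, exist_ok=True)
    app.write_bytes(b"face unlock apk")
    # Out-of-scope tampering that the review should surface.
    (returned / "system/framework/framework.jar").write_bytes(b"framework bytes + extra")
    (returned / "system/lib64/libhelper.so").write_bytes(b"undeclared library")
    return baseline, returned


# Hypothetical scope list: the only path the vendor was contracted to touch.
EXPECTED_VENDOR_CHANGES = ["system/app/FaceUnlock/FaceUnlock.apk"]


def run_review():
    """Build the constructed sample, diff it and return only the out-of-scope changes."""
    with tempfile.TemporaryDirectory() as workdir:
        baseline, returned = build_sample_images(workdir)
        diff = diff_manifests(build_manifest(baseline), build_manifest(returned))
        return unexpected_changes(diff, EXPECTED_VENDOR_CHANGES)


if __name__ == "__main__":
    for kind, paths in run_review().items():
        for path in paths:
            print(f"{kind:9} {path}")
```

On a real image the two trees would come from unpacking the system partition before hand-off and after return; the review ends with a human looking at every path the script prints, since any undeclared change to a system partition is a finding regardless of whether it is malicious.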