Two years after a banking Trojan called Triada was spotted on some budget Android smartphones, Google has confirmed that criminals did actually manage to get an advanced backdoor pre-installed devices before they even left the manufacturing facilities.
Triada's chief purpose was to install apps that could be used to send spam and display ads using tools that bypassed Android's built-in security protections, thus allowing the malware to directly tamper with every installed app, Ars Technica reported on Saturday.
Triada first came to light in 2016 in articles published by Kaspersky that said the malware was "one of the most advanced mobile Trojans" the security firm's analysts had ever encountered.
In July 2017, security firm Dr. Web reported that its researchers had found Triada built into the firmware of several Android devices.
And while Google did confirm the Dr. Web report, it did not name the original equipment manufacturers.
The report also said the supply chain attack was pulled off by one or more partners the manufacturers used in preparing the final firmware image used in the affected devices.
According to Lukasz Siewierski, a member of Google's Android Security and Privacy Team, Triada infects device system images through a third party during the production process when the manufacturer turns to a third party developer to add a feature that does not come part of the Android Open Source Project, like face unlock.