Many Android Devices Had a Pre-Installed Backdoor, Google Reveals

The list of affected devices includes Leagoo M5 Plus, Leagoo M8, Nomu S10, and Nomu S20.

Share on Facebook Tweet Snapchat Share Reddit Comment
Many Android Devices Had a Pre-Installed Backdoor, Google Reveals

Android phones were spotted to have Triada as a preloaded backdoor in 2017

  • Google has confirmed Dr. Web report revealing malware on Android devices
  • It worked with handset makers to fix the backdoor access
  • Google provides OEMs with a "Build Test Suite" examine Android ROMs

Android phones had a pre-installed framework backdoor that made them vulnerable even before they hit stores, Google revealed in a detailed study on Thursday. The story starts with the "Triada family" of trojans that was first discovered early in 2016. The Mountain View, California-headquartered company initially removed Triada samples from all Android devices using Google Play Protect. But in 2017, it was found that Triada evolved and ultimately became a preloaded backdoor on Android devices. Notably, the latest phones aren't likely to be affected by what has been discovered by Google. The vulnerability did have an impact on various models in the past, though.

Security researchers at Kaspersky highlighted the presence of Triada back in 2016 when it was noted as a rooting trojan designed to exploit hardware after getting elevated privileges. The key aim of the trojan was found to install apps that could be used to send spam and display ads. Google implemented detection through its Play Protect to remove Triada samples.

However, as per a blog post detailing the backdoor access, Google's in-house researchers in 2017 spotted a backdoored log function version of Triada that was used to download and install modules. The preloaded log function was importantly placed in the system section that wasn't noticed by many smartphone manufacturers at the initial stage.

"Triada was inconspicuously included in the system image as third-party code for additional features requested by the OEMs," wrote Lukasz Siewierski from Android Security and Privacy team at Google in the blog post. "This highlights the need for thorough ongoing security reviews of system images before the device is sold to the users as well as any time they get updated over-the-air (OTA)."

Google worked with original equipment manufacturers (OEMs) and provided them with instructions to remove the threat from devices. It also eventually pushed OTA updates to reduce the spread of pre-installed Triada variants and removed infections from the affected phones.

It is worth noting here that Google hasn't mentioned the names of devices that had the questionable backdoor access. However, security firm Dr. Web in a report published in late July 2017 revealed that several Android devices had Triada within their firmware. The devices including Leagoo M5 Plus, Leagoo M8, Nomu S10, and Nomu S20. Moreover, Google confirmed the findings of the Dr. Web report.

To ensure the security of devices, Google is claimed to have provided OEMs with a "Build Test Suite" that helps them examine Android ROMs before launching the hardware publicly and scan for malware like Triada to reduce their impact.


For the latest tech news and reviews, follow Gadgets 360 on Twitter, Facebook, and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel.

Further reading: Triada, Android, Google
Jagmeet Singh Jagmeet Singh writes about consumer technology for Gadgets 360, out of New Delhi. Jagmeet is a senior reporter for Gadgets 360, and has frequently written about apps, computer security, Internet services, and telecom developments. Jagmeet is available on Twitter at @JagmeetS13 or Email at Please send in your leads and tips. More
Destiny 2 Becomes Free-to-Play, Cross Save Support and Shadowkeep Expansion Announced
Netflix Indian Series Leila Release Date, Cast, Directors, Trailer, Review, and More



© Copyright Red Pixels Ventures Limited 2020. All rights reserved.
Listen to the latest songs, only on