Android phones had a pre-installed framework backdoor that made them vulnerable even before they hit stores, Google revealed in a detailed study on Thursday. The story starts with the "Triada family" of trojans that was first discovered early in 2016. The Mountain View, California-headquartered company initially removed Triada samples from all Android devices using Google Play Protect. But in 2017, it was found that Triada evolved and ultimately became a preloaded backdoor on Android devices. Notably, the latest phones aren't likely to be affected by what has been discovered by Google. The vulnerability did have an impact on various models in the past, though.
Security researchers at Kaspersky highlighted the presence of Triada back in 2016 when it was noted as a rooting trojan designed to exploit hardware after getting elevated privileges. The key aim of the trojan was found to install apps that could be used to send spam and display ads. Google implemented detection through its Play Protect to remove Triada samples.
However, as per a blog post detailing the backdoor access, Google's in-house researchers in 2017 spotted a backdoored log function version of Triada that was used to download and install modules. The preloaded log function was importantly placed in the system section that wasn't noticed by many smartphone manufacturers at the initial stage.
"Triada was inconspicuously included in the system image as third-party code for additional features requested by the OEMs," wrote Lukasz Siewierski from Android Security and Privacy team at Google in the blog post. "This highlights the need for thorough ongoing security reviews of system images before the device is sold to the users as well as any time they get updated over-the-air (OTA)."
Google worked with original equipment manufacturers (OEMs) and provided them with instructions to remove the threat from devices. It also eventually pushed OTA updates to reduce the spread of pre-installed Triada variants and removed infections from the affected phones.
It is worth noting here that Google hasn't mentioned the names of devices that had the questionable backdoor access. However, security firm Dr. Web in a report published in late July 2017 revealed that several Android devices had Triada within their firmware. The devices including Leagoo M5 Plus, Leagoo M8, Nomu S10, and Nomu S20. Moreover, Google confirmed the findings of the Dr. Web report.
To ensure the security of devices, Google is claimed to have provided OEMs with a "Build Test Suite" that helps them examine Android ROMs before launching the hardware publicly and scan for malware like Triada to reduce their impact.