{
	"id": "c732b565-b99e-459f-b5e2-b734e37d70c7",
	"created_at": "2026-04-06T00:16:30.210933Z",
	"updated_at": "2026-04-12T02:22:04.725385Z",
	"deleted_at": null,
	"sha1_hash": "9a30e9b605897db71cb04c5230bafb762316cc05",
	"title": "Google confirms that advanced backdoor came preinstalled on Android devices",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 500124,
	"plain_text": "Google confirms that advanced backdoor came preinstalled on Android devices\r\nBy Dan Goodin\r\nPublished: 2019-06-06 · Archived: 2026-04-05 18:43:47 UTC\r\nAfter Google successfully beat back Triada in 2017, its developers found a new way in.\r\nCriminals in 2017 managed to get an advanced backdoor preinstalled on Android devices before they left the factories of manufacturers, Google researchers confirmed on Thursday.\r\nTriada first came to light in 2016 in two articles published by Kaspersky, the first of which said the malware was “one of the most advanced mobile Trojans” the security firm’s analysts had ever encountered. Once installed, Triada’s chief purpose was to install apps that could be used to send spam and display ads. It employed an impressive kit of tools, including rooting exploits that bypassed security protections built into Android and the means to modify the Android OS’ all-powerful Zygote process, the parent from which every app process is forked. That meant the malware could directly tamper with every installed app. Triada also connected to no fewer than 17 command and control servers.\r\nhttps://arstechnica.com/information-technology/2019/06/google-confirms-2017-supply-chain-attack-that-sneaked-backdoor-on-android-devices/\r\nPage 1 of 7\r\nIn July 2017, security firm Dr. Web reported that its researchers had found Triada built into the firmware of several Android devices, including the Leagoo M5 Plus, Leagoo M8, Nomu S10, and Nomu S20. The attackers used the backdoor to surreptitiously download and install modules. Because the backdoor was embedded into one of the OS libraries and located in the system partition, it couldn’t be deleted using standard methods, the report said; a factory reset restores the device from that same partition rather than wiping it.\r\nOn Thursday, Google confirmed the Dr. Web report, although it stopped short of naming the manufacturers.\r\nThursday’s report also said the supply chain attack was pulled off by one or more partners the manufacturers used in preparing the final firmware image used in the affected devices. Lukasz Siewierski, a member of Google’s Android Security \u0026 Privacy Team, wrote:\r\nTriada infects device system images through a third party during the production process. Sometimes OEMs want to include features that aren’t part of the Android Open Source Project, such as face unlock. The OEM might partner with a third party that can develop the desired feature and send the whole system image to that vendor for development.\r\nBased on analysis, we believe that a vendor using the name Yehuo or Blazefire infected the returned system image with Triada.\r\nProduction process with a third party used by affected manufacturers. Credit: Google\r\nThursday’s post also expanded on previous analysis of the features that made Triada so sophisticated. For one, it used XOR encoding and ZIP files to obscure its command-and-control traffic, a custom encoding scheme rather than cryptographic encryption, although Google’s post describes it as encryption. And for another, it injected code into the system user interface app that allowed ads to be displayed. The backdoor also injected code that allowed it to use the Google Play app to download and install apps of the attackers’ choice.\r\n“The apps were downloaded from the C\u0026C server, and the communication with the C\u0026C was encrypted using the same custom encryption routine using double XOR and zip,” Siewierski wrote. “The downloaded and installed apps used the package names of unpopular apps available on Google Play. They didn’t have any relation to the apps on Google Play apart from the same package name.”\r\nReusing a legitimate package name defeats any check that allowlists apps by name alone; on Android it is the APK signing certificate, not the package name, that identifies an app’s publisher, so a name that matches a Play listing but a signer that does not is the tell.\r\nMike Cramp, senior security researcher at mobile security provider Zimperium, agreed with the assessments that Triada’s capabilities were advanced.\r\n“From the looks of it, Triada seems to be a relatively advanced piece of malware including C\u0026C capabilities, and in the beginning, shell execution capabilities,” Cramp wrote in an email. “We do see a lot of adware, but Triada is different in that it uses C\u0026C and other techniques that we would usually see more in the malicious malware side of things. Yes, this is all used to ultimately deliver ads, but the way they go about it is more sophisticated than most adware campaigns. It pretty much is an ‘adware on steroids.’”\r\nSiewierski said Triada developers resorted to the supply-chain attack after Google implemented measures that successfully beat back the backdoor. One was mitigations that prevented its rooting mechanisms from working. A second measure was improvements in Google Play Protect that allowed the company to remotely disinfect compromised phones.\r\nThe Triada version that came preinstalled sometime in 2017 didn’t contain the rooting capabilities: code that ships in the system image already runs with system privileges and has no need to exploit its way to root. The new version was “inconspicuously included in the system image as third-party code for additional features requested by the OEMs.” Google has since worked with the manufacturers to ensure the malicious app was removed from the firmware image.\r\nNot the first time\r\nIn 2018, Google implemented a program that requires manufacturers to submit new or updated build images to a build test suite.\r\n“One of these security tests scans for pre-installed PHAs [potentially harmful applications] included in the system image,” Google officials wrote in their Android Security \u0026 Privacy 2018 Year In Review report. “If we find a PHA on the build, we work with the OEM partner to remediate and remove the PHA from the build before it can be offered to users.”\r\nStill, Thursday’s report acknowledges that, as Google tightens security in one area, attackers are sure to adapt by exploiting new weaknesses.\r\n“The Triada case is a good example of how Android malware authors are becoming more adept,” Siewierski wrote. “This case also shows that it’s harder to infect Android devices, especially if the malware author requires privilege elevation.”\r\nDan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him on Mastodon and on Bluesky. Contact him on Signal at DanArs.82.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://arstechnica.com/information-technology/2019/06/google-confirms-2017-supply-chain-attack-that-sneaked-backdoor-on-android-devices/"
	],
	"report_names": [
		"google-confirms-2017-supply-chain-attack-that-sneaked-backdoor-on-android-devices"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-12T02:00:04.38342Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434590,
	"ts_updated_at": 1775960524,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9a30e9b605897db71cb04c5230bafb762316cc05.pdf",
		"text": "https://archive.orkl.eu/9a30e9b605897db71cb04c5230bafb762316cc05.txt",
		"img": "https://archive.orkl.eu/9a30e9b605897db71cb04c5230bafb762316cc05.jpg"
	}
}