Android firmware shipped Triada backdoor
Triada moved from an advanced Android trojan into the firmware supply chain for low-cost Android devices.
Story
Triada did not start as a firmware incident. Kaspersky first described it as a modular Android trojan that used root privileges, hid much of its work in memory, and pushed code into Zygote, the parent process Android uses to launch applications. That made Triada less like a nuisance adware bundle and more like a platform for whatever modules its operators wanted next.
The supply-chain turn came when Dr.Web found Android.Triada.231 built into firmware images on low-cost Android phones, including Leagoo and Nomu models. The malicious code was embedded in libandroid_runtime.so, a system library used by Android applications. Dr.Web traced the hook to the Android log path: when an application wrote to the system log, the modified library could run Triada code from system context.
From there the backdoor could enter app processes, decrypt module files, load native code as libcnfgp.so, or run Java payloads through mms-core.jar. Securelist's 2016 browser-spoofing write-up shows why that mattered: once Triada lived inside another app's process, a module could intercept URLs and swap destinations without the user seeing a separate malicious app.
The suspected insertion point was not the Android Open Source Project itself. It was the commercial layer where device makers and partners customize firmware images before shipping; Dr.Web explicitly pointed to insiders or unscrupulous firmware partners as plausible sources. A factory reset does not remove malware from the system partition, so the real fix was a clean firmware image from the manufacturer.
This record keeps the early OEM/firmware-supply-chain Triada cases separate from the 2025 counterfeit-smartphone wave. They share malware lineage and tactics, but the public facts are different: older reports centered on legitimate low-cost device firmware and partner customization, while the later Kaspersky report described fake devices sold through online marketplaces.
Affected Artifacts
- Observed: 2016-01-20 to 2019-06-06
- Compromised Versions: Unknown
- Fixed: Not listed
- Evidence: pkg://android/com.android.system.DataStorage, mirror: source.android.com/static/docs/security/overview/reports/Google_Android_Security_2018_Report_Final.pdf, malware: Android/Triada, malware: Android.Triada.231, +12 more
- Public reporting identifies the insertion point as the firmware customization and partner supply chain, not the Android Open Source Project itself.
- User impact is left at zero because public sources describe broad exposure but do not give one reliable count for the early OEM-firmware cases.
Incident Context
- Motive: Financial Gain, Credential Theft, Account Takeover
- Attribution: Group
- Cause: Firmware Supply Chain Compromise
- Transitive: No
- Actor: Cybercriminal group
External References
- PHA Family Highlights: Triada (security.googleblog.com)
- Android Security and Privacy 2018 Year in Review (source.android.com)
- Android.Triada.231 comes pre-installed on Android smartphones (news.drweb.com)
- Triada: organized crime on Android (kaspersky.com)
- Everyone sees not what they want to see (securelist.com)
- Trojan preinstalled on Android devices infects applications' processes and downloads malicious modules (news.drweb.com)
- Android.Triada.231 (vms.drweb.com)
Source record: proprietary/android_triada/meta.yaml