Android/Triada
Android firmware shipped with sophisticated Triada trojan.
The complex, modular Triada trojan was repeatedly found pre-installed in the firmware of numerous, often budget or counterfeit, Android devices, in some cases injected into core Android processes such as Zygote or into system libraries. The most likely path was a supply-chain compromise during manufacturing or firmware integration. Because the implant ships inside the system image it runs with high privilege and survives a factory reset, which gave the operators persistent access for credential theft, modification of installed apps, financial fraud, and delivery of further malware.
- Date
- 2016-01-01
- Category
- Commercial
- Target Surface
- Build/CI
- Insertion Phase
- CI/CD
- Impact
- Backdoor
- Cause
- Manufacturing compromise
What Was Affected
Package
Android/Triada
Component
Firmware
Artifact type
hardware
Domain type
project download host
Domain
Various Android OEMs / Unbranded Manufacturers / Firmware Integrators
Compromised Versions
- Numerous budget/unbranded/counterfeit Android device models firmware
Incident Context
- Motive
- Financial gain
- Attribution
- Cybercriminal group
- Transitive
- No
- User Impact
- 1000000
Evidence
Compromised Artifacts
- Embedded in firmware of counterfeit/unbranded Android devices during manufacturing.
- pkg://android/com.android.system.DataStorage
Current Artifacts and Analysis
Indicators and Changes
Hashes
- md5:f468a29f836d2bba7a2b1a638c5bebf0
- md5:89c3475be8dba92f4ee7de0d981603c1
- md5:fce117a9d7c8c73e5f56bda7437bdb28
- md5:308e35fb48d98d9e466e4dfd1ba6ee73
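A quick way to sweep a device or firmware dump for the indicators listed above. This is an added example, not code from this record or from any vendor; it assumes you have an extracted system tree on disk (for instance from `adb pull /system` or an unpacked system image) and, optionally, the text output of `pm list packages -f`. The hashes and the package name are the ones listed on this page; the file contents and the `pm` output used in the demo are constructed.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# MD5 indicators listed on this page for the Triada firmware samples.
TRIADA_MD5S = {
    "f468a29f836d2bba7a2b1a638c5bebf0",
    "89c3475be8dba92f4ee7de0d981603c1",
    "fce117a9d7c8c73e5f56bda7437bdb28",
    "308e35fb48d98d9e466e4dfd1ba6ee73",
}

# Package name listed on this page as a compromised artifact.
TRIADA_PACKAGES = {"com.android.system.DataStorage"}


def md5_of_file(path, chunk_size=1 << 20):
    """Stream a file through MD5 so large system images do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, md5_indicators=TRIADA_MD5S):
    """Walk an extracted firmware tree; return sorted [(relative_path, md5)] for files
    whose MD5 is in the indicator set. Symlinks are skipped so a loop cannot stall the scan."""
    root = Path(root)
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            digest = md5_of_file(p)
            if digest in md5_indicators:
                hits.append((str(p.relative_to(root)), digest))
    return sorted(hits)


def suspicious_packages(pm_output, packages=TRIADA_PACKAGES):
    """Parse `pm list packages -f` output and return [(package, apk_path)] for listed packages.
    Lines look like `package:/system/app/X.apk=com.example.x`; without -f there is no path."""
    found = []
    for line in pm_output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        body = line[len("package:"):]
        apk_path, _sep, pkg = body.rpartition("=")  # pkg == body when no '=' present
        if pkg in packages:
            found.append((pkg, apk_path))
    return found


if __name__ == "__main__":
    # Constructed demo: a throwaway tree and a fake `pm` listing. The constructed file
    # will not match the real Triada hashes, so we also pass its own digest as an indicator.
    with tempfile.TemporaryDirectory() as d:
        app_dir = Path(d) / "system" / "app"
        app_dir.mkdir(parents=True)
        (app_dir / "sample.bin").write_bytes(b"constructed sample")
        demo_digest = hashlib.md5(b"constructed sample").hexdigest()
        print("page indicators:", scan_tree(d))
        print("demo indicator: ", scan_tree(d, {demo_digest}))
    demo_pm = (
        "package:/system/priv-app/DataStorage/DataStorage.apk=com.android.system.DataStorage\n"
        "package:/system/app/Calculator/Calculator.apk=com.android.calculator2\n"
    )
    print("packages:", suspicious_packages(demo_pm))
```

Treat a match as confirmation, not absence of a match as a clean bill: the four hashes cover only the samples that were catalogued, and Triada's known behaviour of patching Zygote or system libraries means a different build of the same implant will hash differently. The package check is the cheaper first pass on a live device, but a pre-installed system app can be renamed by the integrator, so pair it with a hash sweep of the extracted system partition.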
External References
Source Data
Source record: proprietary/android_triada/meta.yaml