When we buy a new smartphone, pre-installed malware is the last thing we expect. Unfortunately, this is not always the case. Researchers at the anti-virus vendor Dr.Web have discovered the Android.Triada.231 malware pre-installed on many smartphones from China. Worst of all, this virus can hide from any antivirus software installed from Google Play.

People choose smartphones from China not only because of the lower price, but also because they lack all kinds of applications installed by the manufacturer. These unnecessary programs cannot be uninstalled by the user without rooting. The only thing you can do is disable them using the application manager. After this, you will not see them at all and they will not needlessly devour RAM, but they will still occupy space on the smartphone. The alternative is Google’s flagship smartphones, but they are very expensive. Therefore, people began to buy smartphones from China, which have an attractive price and good hardware specifications.

Dr.Web warns about a pre-installed Android virus called Triada.231.

In the past, to catch a smartphone virus you had to download a suspicious installation file containing, for example, a cracked version of your favourite mobile game. Recently, more and more people have come across infected apps in the Google Play store. However, the discovery made by Dr.Web staff goes even further. The Android.Triada.231 malware is installed on some smartphones that have just been pulled out of the box. Currently, this problem concerns the Leagoo M5 Plus, Leagoo M8, Nomu S10 and Nomu S20.

Triada.231 infects the Zygote system daemon, which is responsible for running all applications.

The virus creators attack one of the most important components of the Android operating system. The Zygote daemon launches all applications, so Triada.231 can hide from any antivirus software. In addition, the malware can secretly download and install any application that will spy on the user. The smartphone does not even have to be rooted, because the virus makers decided to modify the libandroid_runtime.so system library. It is used by every application, so the malicious code ends up in every program we install.
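Because the change sits in libandroid_runtime.so itself, one way to look for it is to hash the phone's system libraries on a separate computer and compare them with a trusted reference copy. The following is an added example, not code from Dr.Web or from the original article; it assumes such a reference copy of the library directory is available, and the file libconstructed_extra.so and all file contents in demo() are constructed.

```python
import hashlib
import sys
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large libraries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def manifest(root):
    """Map every file under root (by relative path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}


def compare(reference, device):
    """Report libraries that differ from, or are absent in, the reference."""
    common = reference.keys() & device.keys()
    return {
        "modified": sorted(n for n in common if reference[n] != device[n]),
        "added": sorted(device.keys() - reference.keys()),
        "missing": sorted(reference.keys() - device.keys()),
    }


def demo():
    """Constructed sample trees; the file contents are placeholders."""
    with tempfile.TemporaryDirectory() as tmp:
        ref, dev = Path(tmp, "reference"), Path(tmp, "device")
        for tree in (ref, dev):
            tree.mkdir()
            (tree / "libc.so").write_bytes(b"unchanged placeholder")
        (ref / "libandroid_runtime.so").write_bytes(b"reference build")
        (dev / "libandroid_runtime.so").write_bytes(b"reference build + extra")
        (dev / "libconstructed_extra.so").write_bytes(b"not in reference")
        return compare(manifest(ref), manifest(dev))


if __name__ == "__main__":
    # Usage: script.py <reference_lib_dir> <device_lib_dir>
    # (the device copy can be obtained with `adb pull /system/lib`).
    result = (compare(manifest(sys.argv[1]), manifest(sys.argv[2]))
              if len(sys.argv) == 3 else demo())
    for kind, names in result.items():
        for name in names:
            print(f"{kind}: {name}")
```

The comparison runs on the computer rather than in an app on the phone, so it does not depend on software started by the modified runtime.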

At the moment, no one knows how the Chinese smartphones were infected by the Android.Triada.231 malware. Almost certainly, the company preparing and updating the factory firmware is responsible for this problem. I do not want to believe that the virus was on the Leagoo and Nomu smartphones at the will of the manufacturer. Perhaps one of the developers used an infected development tool, and so the smartphones came with a modified library. This would not be the first time. Two years ago the XcodeGhost virus got into the App Store in this way.

