Google has confirmed that some Android devices came with a pre-installed backdoor right out of the box.
As first reported by the Russia-based cybersecurity provider Kaspersky Lab back in 2016, the malware, called Triada, was initially a Trojan that would obtain root privileges and display intrusive ads on a user's phone.
Google's malware analysts managed to remove it from all Android devices, but in the summer of 2017 it became clear that Triada had evolved from a rooting Trojan into a backdoor pre-installed in the Android framework.
The new, more elusive and sophisticated iteration of the malware was embedded in the source code of the system library on Android phones, according to the Russian anti-malware company Doctor Web.
It also became more dangerous: it could "smuggle" Trojan modules into the processes of any application, where they could steal personal data from banking apps or intercept conversations on social media.
Because the new Trojan now sat deep in the system partition, it could no longer be removed with apps; the only way to get rid of it was to wipe the phone and flash clean firmware.
But how did it get onto Android devices in the first place? According to Lukasz Siewierski of the Android Security and Privacy team, Triada was pre-installed during the production process.
He suspected that a vendor operating under the name Yehuo or Blazefire, which supplied additional features to the original manufacturers, had been delivering an infected Android application.
It is unclear from the blog post which smartphone manufacturers and which models were affected, but an earlier Bleeping Computer report said the virus was present in more than 40 models, primarily low-cost smartphones sold in China and also in Poland, the Czech Republic, Indonesia, Mexico, Kazakhstan, and Serbia.
"We coordinated with the affected OEMs to provide system updates and remove traces of Triada," Siewierski wrote. "We also scan for Triada and similar threats on all Android devices. OEMs should ensure that all third-party code is reviewed and can be tracked to its source."
"The Triada case is a good example of how Android malware authors are becoming more adept. This case also shows that it's harder to infect Android devices, especially if the malware author requires privilege elevation."
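One way to turn that recommendation into a build-time check, as an added example that is neither Google's nor any OEM's own tooling: audit every file in a firmware image's system tree against a provenance manifest (path, SHA-256, supplier), so a library nobody claims, or one whose hash no longer matches its supplier's build, is flagged before the image ships. The directory layout, supplier names, file contents and hashes below are constructed.

```python
"""Audit a firmware 'system' tree against a provenance manifest, reporting
files with no supplier of record and files whose hash differs from the build
the supplier delivered (constructed example, not vendor tooling)."""
import hashlib
import os
import tempfile

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def audit_tree(root, manifest):
    """manifest: {relative_path: {"sha256": hex digest, "supplier": name}}.
    Returns a sorted list of (relative_path, finding); an empty list means
    every file is tracked to a supplier and unchanged since that build."""
    findings, seen = [], set()
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            seen.add(rel)
            entry = manifest.get(rel)
            if entry is None:
                findings.append((rel, "untracked: no supplier of record"))
            elif sha256_of(full) != entry["sha256"]:
                findings.append((rel, "modified: hash differs from %s build" % entry["supplier"]))
    for rel in manifest:  # a library that vanished is also worth a look
        if rel not in seen:
            findings.append((rel, "missing: listed in manifest but absent"))
    return sorted(findings)

def demo():
    """Constructed image: one clean library, one library that no longer matches
    its supplier's hash, and one library nobody claims. Returns the findings."""
    root = tempfile.mkdtemp()
    lib = os.path.join(root, "lib")
    os.makedirs(lib)
    clean = b"\x7fELF clean framework library (constructed bytes)"
    with open(os.path.join(lib, "libframework.so"), "wb") as f:
        f.write(clean)
    with open(os.path.join(lib, "libandroid_runtime.so"), "wb") as f:
        f.write(b"\x7fELF runtime with extra code appended (constructed bytes)")
    with open(os.path.join(lib, "libextra.so"), "wb") as f:
        f.write(b"\x7fELF add-on from an unlisted vendor (constructed bytes)")
    manifest = {
        "lib/libframework.so": {"sha256": hashlib.sha256(clean).hexdigest(), "supplier": "AOSP"},
        "lib/libandroid_runtime.so": {"sha256": "0" * 64, "supplier": "AOSP"},  # placeholder hash
    }
    return audit_tree(root, manifest)
```

In a real pipeline the manifest would be signed by each supplier and checked at image assembly time, so an unexplained library cannot enter the system partition unnoticed.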