Backdoor Built into Android Firmware

In 2017, some Android phones came with a backdoor pre-installed:

Criminals in 2017 managed to get an advanced backdoor preinstalled on Android devices before they left the factories of manufacturers, Google researchers confirmed on Thursday.

Triada first came to light in 2016 in articles published by Kaspersky here and here, the first of which said the malware was “one of the most advanced mobile Trojans” the security firm’s analysts had ever encountered. Once installed, Triada’s chief purpose was to install apps that could be used to send spam and display ads. It employed an impressive kit of tools, including rooting exploits that bypassed security protections built into Android and the means to modify the Android OS’ all-powerful Zygote process. That meant the malware could directly tamper with every installed app. Triada also connected to no fewer than 17 command and control servers.

In July 2017, security firm Dr. Web reported that its researchers had found Triada built into the firmware of several Android devices, including the Leagoo M5 Plus, Leagoo M8, Nomu S10, and Nomu S20. The attackers used the backdoor to surreptitiously download and install modules. Because the backdoor was embedded into one of the OS libraries and located in the system section, it couldn’t be deleted using standard methods, the report said.

On Thursday, Google confirmed the Dr. Web report, although it stopped short of naming the manufacturers. Thursday’s report also said the supply chain attack was pulled off by one or more partners the manufacturers used in preparing the final firmware image used in the affected devices.

This is a supply chain attack. It seems to be the work of criminals, but it could just as easily have been a nation-state.

Posted on June 21, 2019 at 11:42 AM23 Comments


Alejandro June 21, 2019 1:38 PM

Doesn’t it seem like this example is just the beginning maybe or even the tip of the iceberg?

China manufactures all the phones for the world now, so if any government gets involved in mass produced factory installed backdoors, China will be the leader and primary source by default.

(Are any phones made anywhere else except China? I can’t think of any off hand.)

The Pull June 21, 2019 1:51 PM

We can definitely assume that governments are doing this, and their rootkits are quiet, and effective.

China has a long history of filling up some of their products with spyware/adware. Not what scares me.

But, the technical expertise of this attack is impressive, that is for sure.

R. June 21, 2019 1:52 PM

This is one of the reasons I refuse to use any Android phone which doesn’t have official LineageOS support and a fully unlockable boot; the safest thing is to burn the vendor install to the ground and pave it over with something else.

Sadly even lineageOS is a bit of a gamble for other reasons, such as the maintainer of a given port just losing interest and stopping updates, at which point the downloads for said device just go ‘poof’ from their downloads page — always archive your images locally!

dvv June 21, 2019 5:12 PM

Damn. So NSA expanded their bugging program from Cisco routers to consumer phones, too… Your tax dollars at work!

Sophisticated? June 22, 2019 12:05 AM

From the ARStechnica post,

    features that made Triada so sophisticated. For one, it used XOR encoding and ZIP files to encrypt communications.

ZIP file and XOR encoding is sophisticated? Since when?

Whilst the order you apply compression (ZIP) and stream encryption (XOR encoding) is important, it’s not exactly new or for that matter sophisticated. Using compression to “flatten the statistics” prior to encryption has been a recomendation since before @Bruce wrote his first cryto book with the blue cover back last century.

As for using “XOR encoding” it can mean little or nothing for encoding through to everything for encryption, it all depends on what you XOR with.

If you just XOR the plaintext byte by byte with the same value, such encoding is barely different from a Ceaser Cipher or the much mentioned in jokes ROT13. However using a string of truly random numbers is almost the equivalent of a One Time Pad, it’s security rests on the size of the pad, reuse and access to the pad.

Even using a complex encryption algorithm to generate a “Key Stream” is not exactly appropriate for malware use security wise. Because all the parts including the key are often embedded in some way into the malware code or downloaded thus available to malware researchers.

But for those who know how the XOR gate works this from a researcher must surely raise a wry smile,

    “The apps were downloaded from the C&C server, and the communication with the C&C was encrypted using the same custom encryption routine using double XOR and zip,” Siewierski wrote.

For those old enough to know what “.com” files were and who “Dr Solomon” was back in the 1980’s the use of XOR encoding was one of the first ways used to “morph malware”[1]. Back then it was considered “the new way” to avoid the then common “signature” based Anti-Virus detection. It was thus only used for obfuscation not secrecy of any kind.

I would have hoped the world has kind of moved on a bit since then or has such knowledge in effect become “forgotten knowledge”?

So if it is “forgotten” the question is by who?

That is, is it the researchers, journalists, both or worse it’s not been taught to several generations of software writers. Because people have treated it like “Forbidden Fruit” knowledge. If the latter it’s realy a little pointless because it’s neither difficult to find the parts of the information or for someone with a slight degree of curiosity to work it out.

[1] A “.com” file was a hang over from the C/PM days of the 1970’s, put simply, in essense it was a memory image of the executable code that got loaded directly into memory at a known offset (100h). MS-DOS then jumped to that address and started executing the code. Thus all a malware writer had to do was start the .com code with a three byte jump instruction to get past a block of “random bytes” to the start of the XOR decryption engine. The block of random bytes could likewise be any length even random as it’s length could be easily calculated from the the jump address. The decryption engine then walked it’s way down the image in memory decrypting it’s self as it went repeatedly using the “random bytes”. Thus the payload would be decrypted and then executed. In turn the first payload could be a “Run Length Decoder” or similar to expand a second payload, as long as it all stayed within the 64Kbyte limit it would work. Most ASM programers of the time –and if you wrote PC Code back then you were an ASM programer– could cut their own version of such XOR code in at most an afternoon using[2] and the run length coder in a day as it was most certainly not “Rocket Science”.

[2] Like much else Microsoft sold was not originally developed or even purchased by them. It was written in 1980 by Tim Paterson who put it into the public domain. So Microsoft just used it in MS-DOS 2.X onwards, with as far as I remember no acknowledgment at all. For those of use that knew that, the Bill Gates “rant” letter about people copying BASIC struck us as hypocritical at best.

Gerard van Vooren June 22, 2019 2:33 AM

@ Gunter Königsmann,

I guess that every country will want to be able to listen what you talk on your phone,

Okay, that means that in your view they did the right thing?

The only thing that pops up in my mind is that we should all flash our computer hardware and replace that with (F)OSS software, and do it fast, but controlled. Not that anyone cares.

not just China. Most of the times even for completely legit reasons.

Why did you introduce China? Why not the good old NSA?

But your “completely legit reasons” are not mine.

You see, all the legislation has been worked out by now so that they can sniff everything without being caught but that doesn’t mean that that is necessary. In the contrary. Have you watched the movie Snowden? And are you still having your same mind set after watching that movie?

TRX June 22, 2019 10:24 AM

> This is one of the reasons I refuse to use any Android phone which doesn’t have official LineageOS support and a fully unlockable boot

Same here, but note that all LineageOS builds still depend on binary device drivers, which are unknown risks. LineageOS reduces the attack face, but even with that and limiting yourself to apps from F-Droid, that’s the best you can do.

In the normal Android ecosystem the spyware is embedded all the way from the CPU backdoors to the apps. And then your phone provider will sell your call and internet history…

James June 22, 2019 1:04 PM

@R : What makes you think Lineage is any good security wise ?
– They support unsupported hardware. Having the Android-based OS mostly up to date is only a part of it. The other part is closed source drivers and low lever firmware that almost never get updated (especially if a device is EOL) and that contain known security vulnerabilities.
– They are lying about the monthly patch level. They display the latest patch level even though it’s impossible to have it without firmware updates.
– They roll back significant security improvements like Selinux.
– They don’t support verified boot. (Because they can’t. As i’m aware the only devices that support verified boot with custom keys are Google Pixels.) Verified boot is very important as an adversary won’t be able to achieve persistence. Touching any system / firmware partition would break verified boot.
Sure, Lineage adds a bit of privacy, but security ? Not really.

@all: Why would anyone in their right mind would buy a weird device made in some shithole in China ? I mean, yeah, they maybe are cheap, but is the risk worth it ?

Clive Robinson June 22, 2019 8:23 PM

@ James,

Why would anyone in their right mind would buy a weird device made in some shithole in China ?

As opposed to made in some other “shithole” where?

The point is most mobile phones are made in part or whole in China. Where they might be assembled and boxed is just the other end of the manufacturing supply chain, that in quite a few cases if you go far enough back actually started in the US and UK amongst other places.

Bong-Smoking Primitive Monkey-Brained Spook June 22, 2019 9:36 PM

@Mr. Schneier:

criminals, but it could just as easily have been a nation-state.

Sir: the two aren’t necessarily mutually exclusive.

This is a supply chain attack

“Supply Chain Attack”, my bong! This description is only true if the manufacturers weren’t in on it! Otherwise it’s a “Subversion with a Logistics Network Invasion vector of plausible deniability”… or something like that.

James June 23, 2019 3:49 AM

@Clive Robinson: Yes, you are right, but sane manufacturers do audit the software they put on their phones (or at least they should). This was not an “advanced” attack concerning low level firmware by any chance. Someone simply added some “extra features” to the system image. Allowing just about anybody to mess with the OS of a phone you make and sell is anything but a good practice … Sane manufacturers should implement verified boot, protect their signing keys, audit what they put on their devices, and so on. Obviously sometimes this doesn’t happen. Some of those devices don’t even ship the Android monthly security updates.
Yeah, i guess bad devices are just bad devices, no matter where they are made ..

1&1~=Umm June 23, 2019 6:03 PM


Nice to see you are still clicking away at the Kby. I trust you are in better health these days, and getting a little more shut eye.

Bong-Smoking Primitive Monkey-Brained Spook June 23, 2019 6:16 PM


Hey there! Been here all along. Just didn’t feel I can contribute much.

I trust you are in better health these days

Improving 🙂 Got a little burnt out. The candle that lights twice as long, lasts …

getting a little more shut eye.

Old habits are hard to drop!

Pseudorandom Guy June 24, 2019 2:22 AM

“It seems to be the work of criminals, but it could just as easily have been a nation-state.”

Criminals. How convenient plausible deniability.

VRK June 24, 2019 1:30 PM

I have no idea where the Librem is built, but its interesting to note the various hardware vendors and software references (see
) Dropping names like this, it sounds like the old school cookbookery that SHOULD be on everyone’s workbench: Mouser, RS Components, Projects Unlimited (insecure), CUI, ST Microelectronics, Goodix, NXP

not all Chinese. What’s the difference. Frankly, I hope the Chinese DO produce an OS for android phones.

But, the problem here is as much local jamming and hacking as anything. Now “they” are demanding location headers* even before accepting mac registration. Q: why should even 3G need location? …and with 4G beam forming cant you INFER location within a few centimeters?… Regardless, if they have a signal lock, ANY of these towers should be fine. Worked fine for years without location info. Frankly THAT is another back door, among the other dozen or so oddly intrusive bugs* I can list. [*]IT SEEMS

No One, hacked again... June 25, 2019 11:04 AM

So I downloaded Dr. Web’s security program onto my Chinese OPPO R7 (Android).

It had the malware spoken about in the article. Purchased in Jiangsu Province, PRC. March, 2019. Quite old as phones go. Had been sitting on the shelf.


Murking July 16, 2019 9:33 PM

I don’t understand how one would trust lineageos , especially if the only thing stopping it from being trojanned is https which in the past decade has proven to be breakable

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.