The Triada Malware

Introduction

The malware's proper name is Android.Triada.231. It is classified as a Trojan. The Triada family itself has been known since 2016; this firmware-embedded variant was first detected in December 2017 on a Leagoo M9 Android phone. Further research revealed that the Trojan had been embedded in the system code through an oversight by the Leagoo company: a third-party software vendor asked Leagoo to preinstall its software on their phones, and that software carried the Trojan. The Trojan does not replicate itself or spread from phone to phone; devices are infected because the firmware they ship with already contains it, so every unit built from that firmware is compromised from its first boot. As of December 2019, it was estimated that over 40 million users had been affected, and the number is certainly higher now. Around 40 device models are known to have contained the Trojan at manufacture.

List of Known Compromised Phones

Leagoo M5, Leagoo M5 Plus, Leagoo M5 Edge, Leagoo M8, Leagoo M8 Pro, Leagoo Z5C, Leagoo T1 Plus, Leagoo Z3C, Leagoo Z1C, Leagoo M9, Doogee Shoot 1, Doogee Shoot 2, Doogee X5 Max, Doogee X5 Max Pro, Advan i5E, Advan S5E NXT, Advan S4Z, STF Aerial Plus, STF Joy Pro, Tecno W2, Homtom HT16, Tesla SP6.2, Umi London, Cubot Rainbow, Kiano Elegance 5.1, EXTREME 7, iLife Fivo Lite, Haier T51, Mito A39, Cherry Mobile Flare P1, Cherry Mobile Flare J2S, Vertex Impress InTouch, Vertex Impress Genius, NOA H6, ARK Benefit M8, Pelitt T1 Plus, Zopo Speed 7 Plus, myPhone Hammer Energy, Prestigio Grace M5 LTE, UHANS A101, BQ 5510,

and many other low-cost Android phones on the market.

What is Triada

- It is a modular Trojan that targets Android devices.
- It is embedded in the firmware during manufacturing, so it starts with system (root) privileges and does not need to exploit anything to obtain them.
- It modifies the Zygote process. Zygote is a special Android process, started at boot with the core framework already loaded, from which every new application process is forked. Forking means the kernel creates the new process as a copy of Zygote's memory; it is not a copy of the app from storage into RAM. Code injected into Zygote is therefore inherited by every app launched afterwards.
- Once the device is switched on, the Trojan lives in RAM inside Zygote and its child processes rather than as a separately installed app, which makes it difficult to detect from an app list or with a scanner that only inspects installed packages.
- Once resident, it downloads additional modules for malicious activities.
- The Trojan collects device information and sends it to a C&C server (a command-and-control server is a computer controlled by the attacker, used to send commands to systems compromised by malware and to receive data stolen from them).
- The attacker delivers the desired payload through the C&C server.

Examples of payloads

- Financial payload: the device can subscribe to and pay for apps and services without the owner's knowledge. The Trojan can intercept the SMS and email alerts sent as payment confirmations, so the owner never sees them, and the payment goes to the attacker.
- Identity payload: sensitive information kept on the device (passwords, national ID details, passport details, etc.) can be passed to the attacker, who may use it to cause further harm to the device owner.

Defenses against Triada

- Avoid buying the phones listed above, usually grouped as cheap Android phones, or any other device known to be infected.
- When an infection is confirmed, a complete wipe and reflash with a clean Android image is necessary. A factory reset is not enough, because it restores the same system partition that already contains the Trojan. The clean image should come from the manufacturer or another trusted source, and its checksum should be verified before flashing.
- Keep devices constantly updated and patched. Earlier Triada variants had problems gaining root access on Android 4.4.4 or newer, so the Android version does matter; but the firmware-embedded variant described here already has system privileges, so a newer Android version on its own is no guarantee. What matters is that the firmware image itself is clean.

MACRA's Role

We will carry out a sensitization campaign at all mobile phone selling outlets to ensure they stock only phones running Android 4.4.4 or above. Currently, the latest Android on the market is Android 9.
We shall use the same exercise to ensure the players have the right Android images that can be reinstalled on phones requiring upgrades, so that we can direct people who fail to upgrade to their offices. We strive to keep the nation updated on all vulnerabilities and ways of preventing them on our National CERT website, https://mwCERT.mw, where we offer various services such as registering an incident, registering a vulnerability and many more. Our reporting portal is also operational. In case of any attack, we request citizens to report incidents to the national CERT at [email protected]. Our Incident Response Officers, and the entire CERT team, will gladly assist.
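The Zygote point made in the "What is Triada" section (code injected into Zygote is inherited by every app process, at the same addresses, because each app is a fork of Zygote) gives a responder with a root shell on a suspect phone a practical triage check. The Python script below is an added example written for this page; it is not Triada code, not MACRA tooling, and not from any anti-virus vendor. It parses /proc/<pid>/maps text (on a real device obtained with something like `adb shell su -c 'cat /proc/<pid>/maps'`, with Zygote's children identified by their parent PID in `ps -A`), flags executable mappings that are not backed by a trusted system path, and reports the ones present at the same address in every Zygote child. The sample maps, the process names and the path /data/local/tmp/.cache/libpayload.so are constructed for the example, and the list of trusted paths is an assumption to tune per device. A module patched into a legitimately named system library would not be flagged by this check; that case calls for comparing the system partition against a clean vendor image, which is why the defenses above recommend a full reflash rather than a factory reset.

```python
"""Triage check: find executable code that every Zygote child carries.

Added example for this page, not code from Triada, MACRA or any AV vendor.
Input is the text of /proc/<pid>/maps for several processes; the samples
below are constructed, as are the process names and the implant path.
"""
import re
from dataclasses import dataclass

# Locations from which Android legitimately maps executable code. This list
# is an assumption for the example; tune it for the device under review.
TRUSTED_EXEC_PREFIXES = (
    "/system/", "/vendor/", "/product/", "/system_ext/", "/apex/",
    "/data/app/", "/data/dalvik-cache/",
)

# One /proc/<pid>/maps line: start-end perms offset dev inode [path]
MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"[0-9a-f]+\s+\S+\s+\d+\s*(?P<path>.*)$"
)


@dataclass(frozen=True)
class Mapping:
    start: int
    end: int
    perms: str
    path: str  # empty string for anonymous memory


def parse_maps(text):
    """Parse /proc/<pid>/maps text into Mapping records (unparseable lines skipped)."""
    maps = []
    for line in text.splitlines():
        m = MAPS_RE.match(line.strip())
        if m:
            maps.append(Mapping(int(m["start"], 16), int(m["end"], 16),
                                m["perms"], m["path"].strip()))
    return maps


def suspicious_exec_mappings(maps):
    """Executable regions that are anonymous or backed by a non-trusted path.

    Kernel-provided pseudo mappings such as [vdso] and [stack] are ignored.
    """
    flagged = []
    for mp in maps:
        if "x" not in mp.perms or mp.path.startswith("["):
            continue
        if mp.path.startswith(TRUSTED_EXEC_PREFIXES):
            continue
        flagged.append(mp)
    return flagged


def zygote_wide_suspects(per_process, zygote_children):
    """(start address, path) pairs flagged in every listed Zygote child.

    Zygote children are forks of one process, so a region injected into
    Zygote appears at the same address in all of them. A region that only
    one app carries is more likely that app's own native code.
    """
    common = None
    for name in zygote_children:
        keys = {(mp.start, mp.path or "<anonymous>")
                for mp in suspicious_exec_mappings(parse_maps(per_process[name]))}
        common = keys if common is None else common & keys
    return common or set()


# Constructed sample: two apps forked from Zygote carry the same implant at
# the same addresses; logd, started by init rather than Zygote, does not.
SAMPLE_MAPS = {
    "com.example.messaging": """\
7f1a2b0000-7f1a2c0000 r-xp 00000000 fd:00 1234 /system/lib64/libc.so
7f1a2d0000-7f1a2f0000 r-xp 00000000 fd:00 2345 /system/lib64/libandroid_runtime.so
7f1a300000-7f1a310000 r-xp 00000000 fd:00 3456 /data/local/tmp/.cache/libpayload.so
7f1a320000-7f1a330000 rwxp 00000000 00:00 0
7f1a400000-7f1a410000 r-xp 00000000 fd:00 4567 /data/app/com.example.messaging-1/lib/arm64/libnative.so
7ffc000000-7ffc020000 rw-p 00000000 00:00 0 [stack]
""",
    "com.example.bank": """\
7f1a2b0000-7f1a2c0000 r-xp 00000000 fd:00 1234 /system/lib64/libc.so
7f1a2d0000-7f1a2f0000 r-xp 00000000 fd:00 2345 /system/lib64/libandroid_runtime.so
7f1a300000-7f1a310000 r-xp 00000000 fd:00 3456 /data/local/tmp/.cache/libpayload.so
7f1a320000-7f1a330000 rwxp 00000000 00:00 0
7f1b000000-7f1b010000 r-xp 00000000 fd:00 5678 /data/app/com.example.bank-1/lib/arm64/libcrypto_wrap.so
7ffc000000-7ffc020000 rw-p 00000000 00:00 0 [stack]
""",
    "logd": """\
5e30000000-5e30010000 r-xp 00000000 fd:00 9876 /system/bin/logd
7e0a2b0000-7e0a2c0000 r-xp 00000000 fd:00 1234 /system/lib64/libc.so
7ffd000000-7ffd020000 rw-p 00000000 00:00 0 [stack]
""",
}

ZYGOTE_CHILDREN = ["com.example.messaging", "com.example.bank"]


if __name__ == "__main__":
    for start, path in sorted(zygote_wide_suspects(SAMPLE_MAPS, ZYGOTE_CHILDREN)):
        print(f"implant candidate in every Zygote child at {start:#x}: {path}")
```

Run against the constructed sample it reports the library loaded from /data/local/tmp and the anonymous RWX region, both at identical addresses in the two app processes, and nothing for logd. On a real device, compare the flagged paths and addresses against the same app's maps on a known-clean unit of the same model before drawing conclusions, since vendor-specific system libraries may legitimately live outside the prefixes listed here.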