Google has confirmed that the recent mass infection of Android phones with an advanced variant of the Triada trojan (Android.Triada.231) was due to an extensive software supply chain compromise that pre-installed the malicious code on the devices before they were distributed for sale in the marketplace.
Modern supply chains are being greatly impacted by globalization, increasing the potential risk of compromise in software, firmware and hardware regardless of where a company is located.
Although multiple manufacturers of Android devices were affected by this variant of the Triada trojan, the attack did not bypass any of BlackBerry’s quality control measures or software development protocols. No BlackBerry devices were affected, either—a testament to the company’s aggressive approach to security assurance and our mission to build security into every product from the manufacturing level.
Chief Technology Officer Charles Eagan noted that BlackBerry frequently discusses the importance of securing the supply chain and employing only trusted components as part of a multi-phase approach to security.
“As part of our extensive quality checks, we make sure to follow a ‘trust but verify’ mode of operation. There are several examples of similarly undesirable behavior that we have detected in the past, and as a result would not sign or certify the software or device for release,” Eagan said.
“Mobile attacks are increasing and adapting as this example shows, and it highlights the importance of BlackBerry’s Seven Pillars of Cybersecurity, which suggests, amongst other best practices, that you only use trusted components in order to ensure good security hygiene.”
Triada was first identified in the wild back in 2016, with early iterations of the trojan infecting a targeted system’s RAM, then rooting the device to install malicious applications that generate adware revenue for the attackers.
The malware developers continued to introduce more advanced obfuscation capabilities over the next few years, evolving Triada into a stealthier backdoor trojan that employed anti-analysis techniques like function padding and SHA1-hashed filenames.
“Triada apps started as rooting trojans, but as Google Play Protect strengthened defenses against rooting exploits, Triada apps were forced to adapt, progressing to a system image backdoor,” Google researchers said in a blog post.
“During the summer of 2017 we noticed a change in new Triada samples. Instead of rooting the device to obtain elevated privileges, Triada evolved to become a pre-installed Android framework backdoor.”
Google researchers confirmed that the Triada developers were able to infect a wide range of manufacturers’ system images during the production process by way of a third-party supply chain attack that resulted in the malware being pre-installed before the devices were sold to consumers.
“Sometimes OEMs want to include features that aren’t part of the Android Open Source Project, such as face unlock. The OEM might partner with a third-party that can develop the desired feature and send the whole system image to that vendor for development,” Google researchers stated.
“Based on analysis, we believe that a vendor using the name Yehuo or Blazefire infected the returned system image with Triada.”
The infected smartphone models were identified by Dr.Web in early March of this year. The successful compromise of the system images during the manufacturing process underscores the importance of robust supply-chain security protocols—something BlackBerry takes very seriously at every stage of the development and manufacturing process.
“Any request of that nature regarding BlackBerry devices or our licensee’s devices would have been reviewed by our security teams and subsequently denied when found to be suspect,” said Adam Schieman, senior director, software security at BlackBerry.
“BlackBerry retains strict controls over what software is added to the system image, or any requests from third-party vendors to configure applications with additional privileges.”
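One way to implement the kind of control described above, added here as an illustration rather than BlackBerry’s or Google’s own tooling: hash every file in the system image before it leaves the OEM, hash the image the vendor returns, and flag any added, removed or modified file that is not on the list of changes the vendor was contracted to make. The directory layout, file contents and the single expected change are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path

def hash_file(path, chunk=1 << 20):
    """SHA-256 of a file, read in chunks so large image partitions fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    """Map each file (path relative to root, '/'-separated) to its content hash."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def review_returned_image(original_root, returned_root, expected_changes):
    """Compare the image the OEM sent out with the one the vendor sent back and
    return (kind, path) for every change outside expected_changes."""
    before, after = build_manifest(original_root), build_manifest(returned_root)
    changes = {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(k for k in before.keys() & after.keys()
                           if before[k] != after[k]),
    }
    return [(kind, p) for kind in ("added", "removed", "modified")
            for p in changes[kind] if p not in expected_changes]

def demo():
    """Constructed sample: a tiny OEM image and the copy a vendor returned."""
    base = Path(tempfile.mkdtemp())
    orig, ret = base / "orig", base / "returned"
    def put(root, rel, data):  # write one file, creating parent directories
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    for root in (orig, ret):  # identical starting image on both sides
        put(root, "system/build.prop", b"ro.build.id=OEM-1\n")
        put(root, "system/framework/framework.jar", b"framework-v1")
        put(root, "system/app/Camera/Camera.apk", b"camera-v1")
    put(ret, "system/app/FaceUnlock/FaceUnlock.apk", b"faceunlock-v1")  # ordered feature
    put(ret, "system/framework/framework.jar", b"framework-v1+patched")  # not ordered
    put(ret, "system/priv-app/Extra/Extra.apk", b"extra")                # not ordered
    return review_returned_image(orig, ret, {"system/app/FaceUnlock/FaceUnlock.apk"})

if __name__ == "__main__":
    print(demo())
```

Only the contracted feature passes; the patched framework jar and the extra privileged app are reported, which is the point at which a release would be held for security review rather than signed.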
Additionally, solutions such as BlackBerry 2FA offer strong, high-security user authentication that safeguards your critical mobile systems while providing a superior end user experience. This illustrates our commitment to not only building security into devices from inception, but proactively securing and protecting them throughout their lifecycle.