Banking Trojan Triada Detected on 42 Models of Cheap Android Devices

If you are about to purchase a cheap Android device, think twice before you act because it might come with pre-installed malware. Researchers at Doctor Web come across Android.Triada.231, a nasty banking Trojan, in the middle of 2017 for the first time. This malicious application was detected exclusively on low-cost Android devices, and it was clear from the beginning that ordinary users were not responsible for the installation of this infection on their devices. To be more specific, devices were already infected from the box. Right after the disturbing discovery was made, Doctor Web specialists contacted manufacturers producing infected devices and informed them about the problem, but it seems that nothing has changed since then because new Android devices with pre-installed Android.Triada.231 are being manufactured. For example, a new Leagoo M9 smartphone came with malware in its firmware as well. It seems that device manufacturers are not directly responsible for malware on Android devices they sell globally. Of course, these companies should have checked all their products more carefully, so we cannot say that they are not guilty at all. According to Doctor Web analysts, it is very likely that the software developer from Shanghai that provides device manufacturers with apps is responsible for these infected devices. Since the investigation continues, its name has not been revealed yet.


Android.Triada.231, malware found pre-installed on 42 models of Android devices, is known to be a dangerous Trojan infection. It is considered dangerous because, unlike less sophisticated infections targeting Android devices, it infects Zygote, a major Android system component that is responsible for launching all applications. Once this Trojan affects it, it penetrates other applications stealthily as well. As a consequence, it can perform various malicious activities without the user’s knowledge. What distinguishes Android.Triada.231 from other Trojan infections is that this Trojan is injected into, which is an Android system library. To put it differently, it is not distributed as a separate program and it affects the device’s firmware during manufacturing processes. Consequently, users purchase a device with malware already installed on it. It goes without saying that they do not know about that.

The thorough analysis of the Trojan Android.Triada.231 has shown that it uses the same certificate as Android.MulDrop.924, another nasty Trojan for Android distributed via Google Play. Consequently, specialists suspect that the same Shanghai-based software company might be the developer of both these threats. This clearly shows that companies still fail to validate their software supply chain.


Since Android.Triada.231 is known to be a banking Trojan, malware researchers say that it might be involved in financial frauds. For example, it might be used to gain access to users’ bank accounts or steal and send personal data to unknown cyber criminals. At the time of writing, there were 42 models of Android devices infected with this malicious application (you can find them all listed below), but this list is still growing, so specialists recommend users being careful with cheap Android devices (especially if they are manufactured in China). It should be emphasized that these devices are not only sold online, but can also be purchased in Russia, Poland, the Czech Republic, Mexico, Kazakhstan, and Serbia.

  • Leagoo M5
  • Leagoo M5 Plus
  • Leagoo M5 Edge
  • Leagoo M8
  • Leagoo M8 Pro
  • Leagoo Z5C
  • Leagoo T1 Plus
  • Leagoo Z3C
  • Leagoo Z1C
  • Leagoo M9
  • ARK Benefit M8
  • Zopo Speed 7 Plus
  • UHANS A101
  • Doogee X5 Max
  • Doogee X5 Max Pro
  • Doogee Shoot 1
  • Doogee Shoot 2
  • Tecno W2
  • Homtom HT16
  • Umi London
  • Kiano Elegance 5.1
  • iLife Fivo Lite
  • Mito A39
  • Vertex Impress InTouch 4G
  • Vertex Impress Genius
  • myPhone Hammer Energy
  • Advan S5E NXT
  • Advan S4Z
  • Advan i5E
  • Tesla SP6.2
  • Cubot Rainbow
  • Haier T51
  • Cherry Mobile Flare S5
  • Cherry Mobile Flare J2S
  • Cherry Mobile Flare P1
  • NOA H6
  • Pelitt T1 PLUS
  • Prestigio Grace M5 LTE
  • BQ 5510

Users who can locate devices they use listed above should take action right away. Unfortunately, the removal of Android.Triada.231 is a great challenge. Without a doubt, it cannot be removed like an ordinary application. Specialists say that it might be impossible to get rid of it without wiping devices and reinstalling their OS. Needless to say, ordinary users might not be able to do that without specialists’ assistance.

The detection of Android.Triada.231 on so many Android devices shows that manufacturers of Android devices still do not pay enough attention to security. If nothing changes, it is not likely at all that a number of infections targeting Android devices will stop growing anytime soon.


Android.MulDrop.924. Dr. Web

Android.Triada.231. Dr. Web

Cimpanu, C. Banking Trojan Found in Over 40 Models of Low-Cost Android Smartphones. BleepingComputer

Doctor Web: over 40 models of Android devices delivered already infected from the manufacturers. Dr. Web

Free Images. Pixabay

Millman, R. Triada trojan on Android devices “complex as Windows malware. SC Media