
There are more than 2 billion Android smartphones in the world, making Google's mobile operating system the world's largest, ahead of iOS and others. While that's a great achievement for the world's largest internet search company, it's also a reason for concern, as Android's open source nature invites a higher risk of malware and virus attacks.

Several attacks on the Android platform have been reported from time to time, but the latest one is more intimidating than those previously reported. Security researchers at Russia-based security firm Doctor Web discovered malware that infects Android smartphones during manufacturing. This means that certain Android smartphones are already infected out of the box.

Triada is the name of the data-stealing malware, which is so advanced that it can perform various malicious activities without alerting the owner of the device. Making things worse, Triada is also stealthy in nature and nearly impossible to detect or even remove. But it has now come to light after Doctor Web researchers detected the malware in a Leagoo M9 smartphone.

"Our analysts' research showed that the Trojan's penetration into firmware happened at the request of the Leagoo partner, the software developer from Shanghai. This company provided Leagoo with one of its applications to be included into an image of the mobile operating system, as well as with an instruction to add third-party code into the system libraries before their compilation. Unfortunately, this controversial request did not evoke any suspicions from the manufacturer," Doctor Web researchers said in a blog dated March 1.

What is Triada malware?

This is quite an alarming revelation, which forces us to question the security practices followed by Android OEMs. Could this be an error or is it an overlooked practice on behalf of OEMs? It's hard to tell, but International Business Times India reached out to Leagoo, which has at least 10 infected models, for a statement on the matter. In response, the company's spokesperson said "we are very seriously focusing on this issue" and that it would make an official announcement on how to solve the problem soon.

Since Triada infects a core Android component called Zygote, it gets privileged access. Zygote is responsible for launching all applications in an Android system, which gives Triada the ability to infect other apps as well.

More than 40 infected Android smartphone models have been discovered so far, but experts warn the number could be higher. To begin with, take a look at the smartphones infected by Triada out of the box.

Leagoo M5

Leagoo M5 Plus

Leagoo M5 Edge

Leagoo M8

Leagoo M8 Pro

Leagoo Z5C

Leagoo T1 Plus

Leagoo Z3C

Leagoo Z1C

Leagoo M9

ARK Benefit M8

Zopo Speed 7 Plus


Doogee X5 Max

Doogee X5 Max Pro

Doogee Shoot 1

Doogee Shoot 2

Tecno W2

Homtom HT16

Umi London

Kiano Elegance 5.1

iLife Fivo Lite

Mito A39

Vertex Impress InTouch 4G

Vertex Impress Genius

myPhone Hammer Energy

Advan S5E NXT

Advan S4Z

Advan i5E



Tesla SP6.2

Cubot Rainbow


Haier T51

Cherry Mobile Flare S5

Cherry Mobile Flare J2S

Cherry Mobile Flare P1


Pelitt T1 PLUS

Prestigio Grace M5 LTE

BQ 5510

This is also not the first time Triada has appeared on the radar. Kaspersky Lab discovered the sly malware in 2016 and warned of its advanced operating methods.

"The complexity of the Triada Trojan's functionality proves the fact that very professional cybercriminals, with a deep understanding of the targeted mobile platform, are behind this malware," Kaspersky Lab researchers wrote.

Does this mean the owners of infected Android smartphones are doomed? Not necessarily. Researchers at Doctor Web say that rooting the device and deleting the malware by installing a clean copy of the OS will help affected users get rid of the malware.

Updated on March 6, 2018, at 1 PM IST to include Leagoo's statement on the matter.