Android Phones Caught Selling with Pre-Installed Factory Malware

  • This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.


Malware Removal Specialist - Administrator
Jul 16, 2014
Windows 10
Windows 10
Firefox 58.0
Firefox 58.0
Malware injected in firmware of more than 40 models

More than 40 Android phone models, most of them manufactured by companies in China, ship with pre-installed malware that was injected into the firmware straight from the factory.

Security company Dr. Web says that it came across a new Trojan called Android.Triada.231 in the firmware of several Android devices back in mid-2017, and after an in-depth research, it discovered that over 40 models are likely to be affected.

Most of the compromised phones are in the low-end category, and they include devices from Leagoo, Doogee, Umi, and Cubot.
Newer models include the Leagoo M9 launched in December.

Dr. Web explains that it contacted the affected companies to report the problem, and it discovered that at least in one case, the culprit was a partnership with a software developing company in Shanghai which required Android OEMs to pre-install one of its apps into the image of the mobile operating system.

Stealing confidential information

As for how dangerous the malware can be for Android users purchasing these phones, the security firm says it can steal confidential information, like banking data and personal details.

These Trojans infect the process of an important Android system component, Zygote.
This process is used to launch all applications.
Once the Trojans inject into this module, they penetrate other running applications
,” Dr. Web explains in its analysis.

In doing so, they obtain the ability to carry out various malicious activities without a user’s intervention: they covertly download and launch software.
The key feature of Android.Triada.231 is that cybercriminals inject this Trojan into the system library.
They do not distribute the Trojan as a separate program.
As a result, the malicious application penetrates the device firmware during manufacture.
Users receive their devices already infected from the box

The security company warns that the number of Android phones possibly shipping with the same malware could be bigger, though for the time being, only the models below have been confirmed to be compromised.

Removing the malware from a phone isn’t possible without installing a clean version of the operating system, in which case the manufacturer is the only one that can help.
If the device is rooted, security applications can help clean the infection.

Leagoo M5
Leagoo M5 Plus
Leagoo M5 Edge
Leagoo M8
Leagoo M8 Pro
Leagoo Z5C
Leagoo T1 Plus
Leagoo Z3C
Leagoo Z1C
Leagoo M9
ARK Benefit M8
Zopo Speed 7 Plus
Doogee X5 Max
Doogee X5 Max Pro
Doogee Shoot 1
Doogee Shoot 2
Tecno W2
Homtom HT16
Umi London
Kiano Elegance 5.1
iLife Fivo Lite
Mito A39
Vertex Impress InTouch 4G
Vertex Impress Genius
myPhone Hammer Energy
Advan S5E NXT
Advan S4Z
Advan i5E
Tesla SP6.2
Cubot Rainbow
Haier T51
Cherry Mobile Flare S5
Cherry Mobile Flare J2S
Cherry Mobile Flare P1
Pelitt T1 PLUS
Prestigio Grace M5 LTE
BQ 5510
Android Phones Caught Selling with Pre-Installed Factory Malware