A data-stealing Android malware has been found infecting various Android models over the past few months. Since mid-2017, the malware has steadily kept at it, infecting more and more devices. Currently, over 40 Android models have been affected, though security researchers suspect that the actual number of infected models may be much higher than this.

According to security researchers at Doctor Web, a Russia-based security firm, the malware infects an important component of the Android operating system called Zygote, which is used to launch all applications. This allows Triada the ability to infect other applications and perform various malicious activities without the knowledge of the user.

The malware has been designed to penetrate a device's firmware while manufacturing. According to Doctor Web security experts, this means that users "receive their devices already infected from the box".

According to a previous report by Kaspersky Lab, the Triada malware is highly advanced and stealthy, performing various malicious activities without alerting the targeted users. The malware is also considered to be nearly impossible to detect and/or remove.

"The complexity of the Triada Trojan's functionality proves the fact that very professional cybercriminals, with a deep understanding of the targeted mobile platform, are behind this malware," Kaspersky Lab researchers said in a previous report.

It is still unclear if the malware is being operated by the same cybercriminals as before. It also remains unknown whether the hackers made any updates to the malware. Doctor Web researchers said that they alerted the Android devices' manufacturers who were producing infected phones.

"It was detected on the Leagoo M9 smartphone that was announced in December 2017. Additionally, our analysts' research showed that the Trojan's penetration into firmware happened at request of the Leagoo partner, the software developer from Shanghai," Doctor Web researchers said in a blog. "This company provided Leagoo with one of its applications to be included into an image of the mobile operating system, as well as with an instruction to add third-party code into the system libraries before their compilation. Unfortunately, this controversial request did not evoke any suspicions from the manufacturer."

Researchers say that those affected by the malware can get rid of it by rooting the device and deleting the malware manually.

Below is the list of all known Android models affected by the Triada malware.

  • Leagoo M5
  • Leagoo M5 Plus
  • Leagoo M5 Edge
  • Leagoo M8
  • Leagoo M8 Pro
  • Leagoo Z5C
  • Leagoo T1 Plus
  • Leagoo Z3C
  • Leagoo Z1C
  • Leagoo M9
  • ARK Benefit M8
  • Zopo Speed 7 Plus
  • UHANS A101
  • Doogee X5 Max
  • Doogee X5 Max Pro
  • Doogee Shoot 1
  • Doogee Shoot 2
  • Tecno W2
  • Homtom HT16
  • Umi London
  • Kiano Elegance 5.1
  • iLife Fivo Lite
  • Mito A39
  • Vertex Impress InTouch 4G
  • Vertex Impress Genius
  • myPhone Hammer Energy
  • Advan S5E NXT
  • Advan S4Z
  • Advan i5E
  • Tesla SP6.2
  • Cubot Rainbow
  • Haier T51
  • Cherry Mobile Flare S5
  • Cherry Mobile Flare J2S
  • Cherry Mobile Flare P1
  • NOA H6
  • Pelitt T1 PLUS
  • Prestigio Grace M5 LTE
  • BQ 5510