
Supply Chains Strike Again


This isn't the first time that supply chains have been compromised.


Triada is back in the news.

Triada first started infecting Android devices in 2017. Back then, it would entrench itself in the Zygote system code, which is used to launch apps on Android devices. It would copy itself into the libandroid_runtime.so library and gain control of the device whenever an app sent a message to the system log. It would then do the usual malware things: create a working area and check the running environment. If the runtime was Dalvik, it would hook system method calls, which let it track the start of any app and execute arbitrary code immediately after app startup.

Once installed, it can also download and run additional, arbitrary malicious code. How useful!

Many of the more advanced malware variants do this kind of thing today, so it's nothing new. Just as botnets could be rented by interested users a few years ago, criminals are now beginning to recognize new markets in malware. We've seen specialization in malware markets in the past, where hackers gain and then sell access to organizations, for example. This is the same kind of thing: one group gets access to a platform, perhaps using it for their own purposes, but also makes the compromised platform available to others. With the ability to run arbitrary code on a compromised device, the sky's the limit really: stealing banking credentials, intercepting phone calls or text messages, committing large-scale advertising fraud, you name it.

Well, it turns out that Triada came pre-installed on your phone, built into the phone's firmware image. This affected a few different phones, including the Leagoo M5 Plus, the Leagoo M8, and the Nomu S10 and S20. Apparently, according to Google, a third-party vendor going by the name Yehuo or Blazefire was given the system image in order to develop some specific, unnamed feature, and the firmware that was returned was infected.
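One control that fits the vendor hand-off described above is to diff the image that comes back against the image that was sent, and to flag every change outside the agreed scope. The sketch below is an added example, not code from the article or from Google; it assumes both images are already unpacked to directory trees, and the allowed path prefix and all file names other than libandroid_runtime.so are hypothetical.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def manifest(root):
    """Map each file path (relative to root) to the SHA-256 of its content."""
    root, digests = Path(root), {}
    for p in root.rglob("*"):
        if p.is_symlink():
            # Hash the link target itself so a retargeted symlink shows up.
            data = os.readlink(p).encode()
        elif p.is_file():
            data = p.read_bytes()
        else:
            continue
        digests[p.relative_to(root).as_posix()] = hashlib.sha256(data).hexdigest()
    return digests

def unexpected_changes(baseline, returned, allowed_prefixes):
    """Return sorted (path, kind) pairs for differences outside the agreed scope."""
    findings = []
    for path in sorted(set(baseline) | set(returned)):
        if baseline.get(path) == returned.get(path):
            continue  # identical in both images
        if path.startswith(tuple(allowed_prefixes)):
            continue  # inside the area the vendor was contracted to change
        kind = ("added" if path not in baseline
                else "removed" if path not in returned else "modified")
        findings.append((path, kind))
    return findings

def demo():
    """Build two small constructed trees (sent vs. returned) and compare them."""
    sent = {"system/lib/libandroid_runtime.so": b"runtime v1",
            "system/build.prop": b"ro.build.id=SAMPLE"}
    back = dict(sent)
    back["system/lib/libandroid_runtime.so"] = b"runtime v1 + extra code"
    back["system/app/VendorFeature/VendorFeature.apk"] = b"agreed feature"
    back["system/xbin/extra_daemon"] = b"unrequested binary"
    with tempfile.TemporaryDirectory() as tmp:
        for name, files in (("sent", sent), ("back", back)):
            for rel, data in files.items():
                path = Path(tmp, name, rel)
                path.parent.mkdir(parents=True, exist_ok=True)
                path.write_bytes(data)
        return unexpected_changes(manifest(Path(tmp, "sent")),
                                  manifest(Path(tmp, "back")),
                                  allowed_prefixes=("system/app/VendorFeature/",))

if __name__ == "__main__":
    for path, kind in demo():
        print(f"{kind:9} {path}")
```

A diff like this only shows that a file changed, not what the change does; a modified core library such as libandroid_runtime.so in a delivery scoped to a single feature is the signal that warrants a closer look before the image ships.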

This isn't the first time that supply chains have been compromised, or have been suspected of being compromised. Last year, Bloomberg wrote a detailed exposé on SuperMicro, alleging supply chain infiltration that resulted in hardware implants in certain SuperMicro logic boards. In that case, Bloomberg reported that specific third-party manufacturers used by SuperMicro for overflow work were inserting these implants in specific boards that found their way to major customers in the US, including, allegedly, Apple and Amazon. Bloomberg stood by their story, but there was little other corroborating reporting at the time.

This kind of compromise is certainly a strong argument in favor of Apple's much more controlled manufacturing and distribution model. Not that Apple can't similarly be compromised, but they have the ability to be much more diligent than Google can, by the nature of Android vs. iOS licensing if nothing else.
