Android phones with pre-installed malware: affected models, real risks, and how to protect yourself

  • Triada and other malware may come pre-installed in the firmware of low-cost Android phones, active from the first power-up.
  • These Trojans integrate into critical processes like Zygote, take control of apps, steal data, hijack accounts, and enrol the devices in botnets.
  • The real solution requires clean firmware from the manufacturer and more transparency in the supply chain and system images.
  • To reduce risks, buy from authorized stores, keep your system updated, and install a reliable security solution.

Android phones with pre-installed malware

Android security is often compromised by system fragmentation: the existence of multiple unsupported versions and the lack of security patches from some manufacturers. However, in the case of these more than 40 phones, the problem goes far beyond a malicious app downloaded from outside Google Play: the malware came pre-installed in the device's firmware, integrated into the operating system itself and active from the first power-up.

More than 40 Android phones with malware pre-installed from the factory

List of Android phones with pre-installed malware

Security for Android users is a recurring problem due to the open nature of Google's operating system and the large number of manufacturers that use it. This diversity facilitates innovation, but it also opens the door for malicious actors to infiltrate the supply chain. That is exactly what happened with dozens of low- and mid-range phone models, most of them of Chinese origin, in which the Triada Trojan was found integrated into the stock firmware.

In these cases, the origin of the problem points to a collaboration with a Shanghai software company whose customization package for manufacturers included the malware, which was responsible for stealing user data and turning the devices into part of a remotely controlled network. This isn't just a suspicious app that can be uninstalled: the malicious code is embedded in the system libraries and executes with elevated privileges.

The Trojan, identified as Android.Triada.231, has been found on phones from companies such as Leagoo, Doogee, Umi and Cubot, including devices launched shortly before the problem was detected, such as the Leagoo M9. This shows that the attack was not limited to older models but affected active production lines of several manufacturers.

The data this Trojan steals from its users includes not only basic personal data (contacts, SMS, device identifiers) but also bank account details, online service credentials and access tokens for messaging and social media apps. By design, Triada can integrate itself into virtually any system process and constantly monitor user activity.

The Trojan is injected into Zygote, a key Android operating system process from which every application is launched. This is how the Trojan infiltrates all running applications: since Zygote is the starting point for the creation of each new app process, this technique gives the malware visibility into, and the ability to modify, almost everything that happens on the device.

How Triada works and what it can do on the device

Triada Trojan on Android Mobiles

From that injection into the Zygote process, the Trojan is able to perform virtually unlimited actions within the compromised device. It can download and activate software without consent, modify the behavior of legitimate applications, and communicate with command and control servers (C2) to receive real-time instructions. The most serious issue is that this malicious code is introduced into the system during the manufacturing phase and it reaches the user already integrated into the system partitions.

Triada camouflages itself in one of the Android system libraries and starts stealing information from the moment the phone is first turned on. From there, the threat can:

  • Control SMS and calls, intercepting verification codes and subscribing the user to paid services.
  • Manipulate browsers such as Chrome, Opera, or Firefox, redirecting legitimate links to advertising pages or phishing sites.
  • Hijack accounts from apps like Telegram, WhatsApp, Facebook, Instagram or TikTok by stealing session tokens and authentication cookies.
  • Steal cryptocurrencies through clipper-type modules that replace wallet addresses in the clipboard or in QR codes.
  • Turn the phone into a reverse proxy controlled by the attackers, who use it to conceal their identity and launch other malicious operations.

This modular design makes Triada not just a simple advertising Trojan but a highly sophisticated fraud and data-theft platform. Different modules are activated depending on the installed apps: if it detects Telegram, WhatsApp, LINE, or Facebook, it injects additional code to take control of the accounts or to send messages on behalf of the user without their knowledge.

Security researchers have also documented that recent variants of Triada are capable of interfering with online banking operations and cryptocurrency handling, even replacing wallet addresses in the background and capturing two-step authentication codes sent via SMS or notifications.

This type of functionality fits into a broader scenario in which other pre-installed malware families, such as BadBox or Guerrilla, are also embedded in inexpensive Android devices (mobile phones, TV boxes, tablets, and other IoT devices) to create massive botnets. These networks of zombie devices are used for advertising fraud, generating fake traffic, sending spam, or even DDoS attacks, and often the device owners notice nothing beyond abnormal data or battery consumption.

A supply chain problem and its difficult solutions

Android mobile supply chain with malware

The main problem with these types of infections is that they do not originate from the user but at some point in the production or distribution chain of the device. It could be firmware manipulated by an intermediary vendor, a customization package installed by a software partner, or even counterfeit versions of popular models whose firmware differs from the official one by just one letter in the identifier.

When malware is embedded in the firmware, the only truly effective way to remove it is through a full system update that replaces the affected partitions with a clean version. That is, the manufacturer must release verified official firmware and the user has to install it (either via OTA or by manual flashing) to delete the infected parts.

From the user's side, some steps could be performed on rooted devices, such as manually deleting system files, but the definitive solution can only come from the manufacturer or distributor. Furthermore, although only slightly more than 40 devices with Triada pre-installed have been confirmed in one of the best-known cases, the infection could be more widespread and extend to other less popular models or Android-based IoT devices.

To mitigate these risks, the security community and companies like Google have proposed mechanisms such as Android Binary Transparency, an immutable and auditable registry of firmware images that would allow anyone to verify whether a device is running an official build or a manipulated version. Another proposal is the use of Software Bills of Materials (SBOMs), a kind of software ingredient list that makes it easier to detect vulnerable or maliciously inserted components.
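As an added example, not code from the article or from Google's Binary Transparency project: a small Python model of the log-based verification described above, applied to a constructed append-only Merkle log of (build fingerprint, image hash) entries, plus the one-character lookalike check for the counterfeit case mentioned earlier. The vendor name `examplevendor`, the fingerprints, the image hashes and the log itself are all assumptions.

```python
# Added example, not from the article or any vendor: check a device's build
# fingerprint and system-image hash against a constructed append-only Merkle log,
# modelled on the Android Binary Transparency idea. All values are sample data.
import hashlib

def _h(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()

def leaf_hash(fingerprint: str, image_sha256: str) -> bytes:
    # One log entry binds a build fingerprint to the SHA-256 of its system image.
    return _h(b"\x00" + fingerprint.encode() + b"\x00" + image_sha256.encode())

def root_and_proof(leaves, index):
    # Walk the tree once: collect the leaf's sibling at each level and the root.
    proof, level, i = [], list(leaves), index
    while len(level) > 1:
        if len(level) % 2:            # odd level: duplicate the last node
            level.append(level[-1])
        proof.append((level[i ^ 1], (i ^ 1) < i))   # (sibling, sibling_is_left)
        level = [_h(level[j] + level[j + 1]) for j in range(0, len(level), 2)]
        i //= 2
    return level[0], proof

def verify_inclusion(leaf: bytes, proof, root: bytes) -> bool:
    for sibling, sibling_is_left in proof:
        leaf = _h(sibling + leaf) if sibling_is_left else _h(leaf + sibling)
    return leaf == root

def lookalike(fingerprint: str, official) -> list:
    # Counterfeit builds may differ from the official identifier by one character.
    return [o for o in official if len(o) == len(fingerprint)
            and sum(a != b for a, b in zip(o, fingerprint)) == 1]

# Constructed log of a hypothetical vendor; the root is what the vendor would publish.
LOG = [("examplevendor/m5/m5:7.0/NRD90M/1:user/release-keys", "aa" * 32),
       ("examplevendor/m8/m8:7.0/NRD90M/2:user/release-keys", "bb" * 32)]
LEAVES = [leaf_hash(f, s) for f, s in LOG]
PUBLISHED_ROOT = root_and_proof(LEAVES, 0)[0]

def check_device(fingerprint: str, image_sha256: str) -> str:
    # "official": provably in the log; "lookalike": one character off an official
    # fingerprint (possible counterfeit); "unknown": unlisted, treat as untrusted.
    leaf = leaf_hash(fingerprint, image_sha256)
    if leaf in LEAVES and verify_inclusion(
            leaf, root_and_proof(LEAVES, LEAVES.index(leaf))[1], PUBLISHED_ROOT):
        return "official"
    return "lookalike" if lookalike(fingerprint, [f for f, _ in LOG]) else "unknown"
```

A genuine fingerprint paired with a tampered image hash lands in "unknown", which is the case a pre-installed Trojan in a system partition would produce.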

While these initiatives are being consolidated, the main recommendation for users is to always buy devices from authorized distributors, be wary of deals that seem too good to be true from stores with a poor reputation, and install security solutions that can detect suspicious behavior even when malware tries to hide in the system.

Confirmed list of infected devices

In the specific case of Triada pre-installed on commercial mobile phones, it was confirmed that at least the following models had been released to the market with the malware embedded in their firmware:

  • Leagoo M5
  • Leagoo M5 Plus
  • Leagoo M5 Edge
  • Leagoo M8
  • Leagoo M8 Pro
  • Leagoo Z5C
  • Leagoo T1 Plus
  • Leagoo Z3C
  • Leagoo Z1C
  • Leagoo M9
  • ARK Benefit M8
  • Zopo Speed 7 Plus
  • UHANS A101
  • Doogee X5 Max
  • Doogee X5 Max Pro
  • Doogee Shoot 1
  • Doogee Shoot 2
  • Tecno W2
  • Homtom HT16
  • Umi London
  • Kiano Elegance 5.1
  • iLife Fivo Lite
  • Mito A39
  • Vertex Impress InTouch 4G
  • Vertex Impress Genius
  • myPhone Hammer Energy
  • Advan S5E NXT
  • Advan S4Z
  • Advan i5E
  • STF AERIAL PLUS
  • STF JOY PRO
  • Tesla SP6.2
  • Cubot Rainbow
  • EXTREME 7
  • Haier T51
  • Cherry Mobile Flare S5
  • Cherry Mobile Flare J2S
  • Cherry Mobile Flare P1
  • NOA H6
  • Pelitt T1 PLUS
  • Prestigio Grace M5 LTE
  • BQ 5510

It is worth emphasizing that this list is based on models that were investigated and confirmed, which does not guarantee they are the only ones affected. There are reports of other low-cost Android devices, including TV boxes, tablets and media players, sold on large e-commerce platforms with similar pre-loaded malware, whether Triada or others like BadBox or Guerrilla.

The combination of inexpensive devices, complex supply chains, and a lack of firmware transparency creates the perfect breeding ground for pre-installed malware to remain one of the most dangerous threats to Android users. Choosing the right place to buy, keeping your system updated, and relying on specialized security solutions are more important than ever if you want to minimize the risk of using a new phone that is already compromised from the factory.