Back in 2016, a piece of malware called Triada was first discovered by Kaspersky Lab. According to the security experts who studied it, it is a rooting Trojan, which runs on a device and gains access to sensitive parts of its operating system.
Once the Trojan is installed, it installs applications that it downloads from a command and control server. These applications in turn display ads on affected devices, and when the user clicks on one of them, the hackers earn money.
However, Triada does not only install applications. It also injects code into four different browsers, so that it can replace the ads that appear on websites with others that bring money to the malicious actor. Some of the browsers that may be affected by Triada are AOSP, 360 Secure, Cheetah and Oupeng.
To ensure that a device has enough space to install spam applications, Triada takes advantage of a feature called weight watching, which scores an application or a file depending on its installation date and certificate. Applications that are not preinstalled on a device are usually the first to be removed by the malware to create space for the applications it wants to install.
To deal with it, Google introduced improvements to Google Play Protect that allow the software to detect the Trojan automatically. In addition, improvements made to the Android operating system have reduced the impact of the malware on devices that use older versions of the Google operating system.
However, the malicious actors were not prepared to give up so easily, so they found a way to continue distributing Triada on devices before they are available for sale.
To do this, they take advantage of the process by which third-party vendors introduce additional features into the device system, making sure that the Triada vendor records are also in place.
To respond to the newer versions of the software, Triada injects code into the Google Play app. In this way, the malware can install spam applications that appear to come from the Play Store, without having to change the device settings and enable "Install from unknown sources".
To resolve this problem, Google needed to develop updates that remove files related to the Triada malware. To avoid future cases of malware distribution, the company also offers the Test Build suite to mobile phone makers.