Earlier this month, Google, via their security blog, outlined the details behind the Triada family of malware that was discovered back in 2016. In the post, Google highlighted how the malware evolved over the years, going from being embedded into apps to effectively being pre-installed on Android devices at the factory before they were ever even shipped to customers.
How is that even possible? Well, not every phone manufacturer can build everything they want into the OS, and they often have to rely on third-party partners to add specific features. Google used the example of face unlock in its breakdown post, as that is something that is not part of the Android Open Source Project. That means handing off the base Android image to someone else, letting them add what they need, and getting it back when done, which essentially opens up an attack vector for third parties through the production process.
Now, BlackBerry has published a blog post highlighting the issue and noting that BlackBerry devices are unaffected by the Triada malware while also shedding light on the importance of having a secure supply chain, using only trusted components, and employing a multi-phase approach to security.
Although multiple manufacturers of Android devices were affected by this variant of the Triada trojan, the attack did not bypass any of BlackBerry's quality control measures or software development protocols. No BlackBerry devices were affected, either—a testament to the company's aggressive approach to security assurance and our mission to build security into every product from the manufacturing level.
Those quality control measures go well beyond merely running Google's Build Test Suite, trusting that everything is OK, and loading the images onto devices. Any changes made to BlackBerry software are carefully vetted under the 'trust but verify' philosophy.
BlackBerry retains strict controls over what software is added to the system image, or any requests from third-party vendors to configure applications with additional privileges.
While that has always been the case, we started hearing about it more when the Priv was released. A lot has changed since then, and we now have BlackBerry devices being built by different licensees, so it's more important than ever to know those strict controls are in place.
If you're looking for more details, you can check out the full BlackBerry blog post for yourself right here. But if you're interested in the higher-level details surrounding Triada, and what Google does to prevent it, be sure to dig into Google's post.