Malware researchers at Kaspersky Lab have discovered a new strain of malware, dubbed Triada (Backdoor.AndroidOS.Triada), targeting Android devices, which they consider the most advanced mobile threat seen to date. The range of techniques used by the threat to compromise mobile devices is not implemented in any other known mobile malware.
Triada was designed with the specific intent to implement financial frauds, typically hijacking the financial SMS transactions. The most interesting characteristic of the Triada Trojan apart is its modular architecture, which gives it theoretically a wide range of abilities.
The Triada Trojan is able to infiltrate all process running on the mobile devices gaining persistence, as explained by researchers Nikita Buchka and Mikhail Kuzin from Kaspersky Lab.
“Considering the aforementioned modular architecture and privileged access to the device, the malware can create literally anything. The capabilities of the uploaded modules are limited only by the imagination and skills of the virus writers. These malicious programs (the app loader and the modules that it downloads) belong to different types of Trojans, but all of them were all included in our antivirus databases under the name Triada.” reads a blog post published by the researchers.
The Android malware is spread through an “advertising botnet” that was used by crooks to spread also other threats, including Leech, Ztorg, and Gorpo and AndroidOS.Iop.
The Triada Trojan makes use of the Zygote parent process to implement its code in the context of all software on the device, this means that the threat is able to run in each application.
“A distinctive feature of the malicious application is the use of the Zygote process to implement its code in the context of all the applications on the device. The Zygote process is the parent process for all Android applications. It contains system libraries and frameworks used by almost all applications. This process is a template for each new application, which means that once the Trojan enters the process, it becomes part of the template and will end up in each application run on the device. This is the first time we have come across this technique in the wild; Zygote was only previously used in proof-of-concepts.”
The trojan is hard to detect, it mainly operates in RAM and exploiting root privileges it substitutes system files, it also hides its modules from the list of running/installed services and applications.
Below the list of features for the Triada Trojan.
(Security Affairs – Android , Triada Trojan)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.