Kaspersky Lab recently spotted a new Android malware dubbed Triads Trojan, which they say is the most advanced mobile malware seen to date.
Malware researchers at Kaspersky Lab have discovered a new strain of malware, dubbed Triada (Backdoor.AndroidOS.Triada), targeting Android devices, which they consider the most advanced mobile threat seen to date. The range of techniques used by the threat to compromise mobile devices is not implemented in any other known mobile malware.
Triada was designed with the specific intent to implement financial frauds, typically hijacking the financial SMS transactions. The most interesting characteristic of the Triada Trojan apart is its modular architecture, which gives it theoretically a wide range of abilities.
The Triada Trojan is able to infiltrate all process running on the mobile devices gaining persistence, as explained by researchers Nikita Buchka and Mikhail Kuzin from Kaspersky Lab.
“Considering the aforementioned modular architecture and privileged access to the device, the malware can create literally anything. The capabilities of the uploaded modules are limited only by the imagination and skills of the virus writers. These malicious programs (the app loader and the modules that it downloads) belong to different types of Trojans, but all of them were all included in our antivirus databases under the name Triada.” reads a blog post published by the researchers.
The Android malware is spread through an “advertising botnet” that was used by crooks to spread also other threats, including Leech, Ztorg, and Gorpo and AndroidOS.Iop.
The Triada Trojan makes use of the Zygote parent process to implement its code in the context of all software on the device, this means that the threat is able to run in each application.
“A distinctive feature of the malicious application is the use of the Zygote process to implement its code in the context of all the applications on the device. The Zygote process is the parent process for all Android applications. It contains system libraries and frameworks used by almost all applications. This process is a template for each new application, which means that once the Trojan enters the process, it becomes part of the template and will end up in each application run on the device. This is the first time we have come across this technique in the wild; Zygote was only previously used in proof-of-concepts.”
The trojan is hard to detect, it mainly operates in RAM and exploiting root privileges it substitutes system files, it also hides its modules from the list of running/installed services and applications.
Below the list of features for the Triada Trojan.
- Modular functionality with active use of superuser privileges
- Main part of malicious functionality exists in device RAM only.
- Trojan modifies Zygote system process in the memory to achieve persistence.
- Industrial approaches used in its development, suggesting its authors are highly qualified.