Triada Trojan Infects Android’s Zygote Core Process

Share this…

Kaspersky considers Triada a top Android threat. In the past month, mobile security companies have come across new Android trojans that rival, in terms of sophistication, many desktop viruses. The list includes Acecard, Xbot, Mazar BOT, and Asacub, but if we’re to believe Kaspersky, the most dangerous of all is their latest discovery, a trojan called Triada, capable of infecting one of Android’s core processes, Zygote.

Besides the Triada trojan, Kaspersky researchers are also noting a general trend adopted by all malware distributors on Android devices. In the past months, the standard mode of operation was for attackers to distribute a less complex trojan for the sole purpose of gaining root privileges on the device.

Outside rooting capabilities, these simpler trojans (Leech, Ztorg and Gopro) had only one other thing to do, and that was to download more dangerous threats. Kaspersky says it has seen many of these trojans distribute Asacub and Acecard, but in a more recent campaign, they’ve come across a new threat, which they’ve named Triada.

Triada can replace system files, infect Zygote process

This new trojan is far more dangerous than previous Android malware, not because it comes with lots of malicious capabilities, but because of its modular infrastructure and the ability to infect Android’s Zygote core process.

By managing to alter Zygote, the Android process that controls what and when apps are started and stopped, the malware can practically control everything that’s happening on the phone.

Even worse, Triada was designed to work with stealth in mind. As soon as one of the rooting trojans downloads and installs Triada, it immediately infects the Zygote process by substituting system files, and then moving its operation in the device’s RAM, a place where security product’s can’t scan.

It then moves to collect data about the device, sends it to a C&C server, which creates a profile for each victim and sends a so-called “configuration” file back to Triada.

This file holds information about Triada’s specific settings for each device, the malicious operations it needs to carry out, and the modules it requires to download to be able to execute its commands.

Triada hides in the RAM, is harder to detect

All installed modules are also deployed in the device’s RAM, and if the user restarts their device, Triada will always boot up again whenever the infected Zygote process starts, requesting a new config file, and re-installing its modules after each restart.

Because Zygote controls details regarding ongoing processes, Triada is also able to hide malicious operations from the user and debug software.

As Kaspersky reports, in the most recently detected Triada instances, the trojan was used to secretly send SMS messages to premium numbers for the purpose of defrauding users and making a profit for the trojan’s authors.

Taking into account that the ability to infect Zygote can be leveraged in many ways, the trojan’s future capabilities are only limited by the number of devices Triada’s operators can infect.

Kaspersky says that recent security updates added in the Android OS since version 4.4.4 make stepping-stone trojans like Leech, Ztorg and Gopro less effective in taking root on Android devices and then downloading Triada.

How Triada infects Android’s Zygote process

How Triada infects Android's Zygote process