Android Trojan Hijacks Browsers to Redirect Users to Custom URLs

Share this…

Crooks use brand new potent feature to just show adware. A previously discovered and highly dangerous Android trojan has received an update in the form of a module that allows it to inject the phone’s Web browsers and intercept URLs, redirecting users to any link the crook wishes to.

The trojan in question is named Triada and was discovered by Kaspersky at the start of March. Researchers consider this trojan to be extremely dangerous because it can inject malicious operations in Zygote, a core Android operating system process, and run the code with system-level privileges.

According to Kaspersky’s staff, who’s been keeping an eye on Triada’s evolution, the crooks behind this malware have created a module capable of injecting four Android browser processes.

These are (the standard Android browser), com.qihoo.browser (360 Secure Browser), com.ijinshan.browser_fast (Cheetah browser), and com.oupeng.browser (Oupeng browser).

Crooks hijacked browsers to change homepage, default search engine

The crooks are injecting a binary in the processes of these browsers and are sniffing for newly supplied URLs. When they detected the browser receiving a new URL and attempting to load it, the Triada module (detected as Backdoor.AndroidOS.Triada.p/o/q) will stop it and make its own request instead.

The module tells its C&C server what URL the browser was trying to access, and if certain rules are met, it will let it pass, or will replace the URL, delivering the page crooks wanted the victim to access.

Kaspersky says they’ve detected this module for the first time on March 15, and criminals mainly used to deliver ads, in most cases hijacking the user’s browser homepage, or its default search engine provider. Basically, the module worked just like any other desktop adware, only on Android devices.

New Triada module mode of operation

New Triada module mode of operation

Fortunately, Kaspersky says the crooks behind this campaign dropped their efforts, and the technique hasn’t been sighted in the wild for quite some time.

The module is not used anymore, had so much potential

Nevertheless, its mode of operation would have allowed crooks to intercept login attempts and redirect users to phishing sites to collect the user’s credentials.

This case shows the creativity crooks displayed when creating the module, even if they didn’t show the same smarts when it came to using it to its full capabilities.

“We would like to note that cybercriminals specializing in Android are pretty lazy – it’s easier for them to steal money directly, for instance, with the help of Trojans that send text messages to premium-rate numbers, or spoof banking app windows,” Kaspersky malware analyst Anton Kivva noted.

“However, we have recently observed that some cybercriminals have begun to actively study the structure of the operating system, expand their repertoire of technical skills, and launch sophisticated attacks like the one we examined above.”

Kaspersky says it detected the module only on 247 devices where Triada had taken root, and most of them were located in Russia, India, the Ukraine, Indonesia, and Algeria.

Geographical distribution of new Triada module victims

Geographical distribution of new Triada module victims