Kaspersky Lab recently reported spotting what it calls the most advanced Android malware yet, the Triada Trojan, one of the most sophisticated Android RATs ever seen.
Reversing Triada (Backdoor.AndroidOS.Triada) shocked the engineers once they saw the stealth methods the malware uses to compromise Android devices. The technique Triada uses had not been seen in any malware before. What makes it more notable is the vast majority of Android users it can target. Welcome to 2016, where you will see such malware affecting Android security.
The Triada Trojan is able to infiltrate every process running on the mobile device and gain persistence, as explained by researchers Nikita Buchka and Mikhail Kuzin from Kaspersky Lab. Read the full details here.
“Considering the aforementioned modular architecture and privileged access to the device, the malware can create literally anything. The capabilities of the uploaded modules are limited only by the imagination and skills of the virus writers. These malicious programs (the app loader and the modules that it downloads) belong to different types of Trojans, but all of them were included in our antivirus databases under the name Triada.” Read it here: blog post
Triada spreads quickly across devices by using advertising botnets. Earlier malware such as Leech, Ztorg, AndroidOS.Iop and Gorpo used the same attack vector, which is easy to deploy.
How Triada infects the Zygote process
The malware runs inside every application by planting its code in Zygote, the parent process of all apps on the device.
“A distinctive feature of the malicious application is the use of the Zygote process to implement its code in the context of all the applications on the device. The Zygote process is the parent process for all Android applications. It contains system libraries and frameworks used by almost all applications. This process is a template for each new application, which means that once the Trojan enters the process, it becomes part of the template and will end up in each application run on the device. This is the first time we have come across this technique in the wild; Zygote was only previously used in proof-of-concepts.”
Triada is designed to carry out sophisticated, hard-to-trace financial fraud, mostly by hijacking SMS transactions. The malware's capabilities are extensive, and its architecture is described here.
What puzzles the researchers is that the malware is very hard to detect: it operates mostly in RAM with root privileges, which it uses to alter system files, and then hides its subsequently downloaded modules from the list of running services and processes.
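As an added defender-side illustration (not code from the article or from Kaspersky Lab): code planted in Zygote has to appear in that process's memory map, so one detection lead on a rooted or debug device is to read /proc/<zygote pid>/maps and flag executable mappings that do not come from the read-only firmware partitions. The /proc/maps lines below are constructed, the /data/local/tmp library is a hypothetical name, and the trusted-partition list and the `scan_zygote_maps` helper are my assumptions; its findings are leads for review, not verdicts.

```python
import re
from typing import Dict, List

# Constructed sample of /proc/<zygote pid>/maps output (address perms offset dev inode path).
# The /data/local/tmp entry is a made-up hypothetical injected library, not a real Triada artefact.
SAMPLE_ZYGOTE_MAPS = """\
b6f2e000-b6f4a000 r-xp 00000000 b3:19 1042  /system/bin/app_process32
b6d00000-b6d80000 r-xp 00000000 b3:19 2201  /system/lib/libandroid_runtime.so
b6c00000-b6c40000 r-xp 00000000 b3:19 2310  /system/lib/libc.so
b6b00000-b6b10000 r-xp 00000000 b3:21 5003  /vendor/lib/libgralloc.so
b5a00000-b5a20000 r-xp 00000000 b3:19 7771  /data/local/tmp/libhelper.so
b5900000-b5910000 rwxp 00000000 00:00 0
b4000000-b4100000 rw-p 00000000 00:00 0     [anon:libc_malloc]
"""

# Partitions from which a stock Zygote legitimately maps code (assumption: unmodified firmware).
TRUSTED_PREFIXES = ("/system/", "/vendor/", "/apex/", "/oem/")

MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"[0-9a-f]+\s+[0-9a-f]+:[0-9a-f]+\s+\d+\s*(?P<path>.*)$"
)

def parse_maps(text: str) -> List[Dict[str, str]]:
    """Parse /proc/<pid>/maps text into dicts; malformed lines are skipped."""
    return [m.groupdict() for m in (MAPS_RE.match(line.strip()) for line in text.splitlines()) if m]

def suspicious_mappings(entries: List[Dict[str, str]]) -> List[str]:
    """Flag executable mappings a stock Zygote should not carry: file-backed code outside
    the trusted partitions, or anonymous writable+executable memory (JIT caches need review)."""
    findings = []
    for e in entries:
        perms, path = e["perms"], e["path"].strip()
        if "x" not in perms:
            continue  # data-only mappings (heap, stacks, read-only sections) are not of interest
        if path.startswith("/") and not path.startswith(TRUSTED_PREFIXES):
            findings.append(f"executable code from untrusted path: {path}")
        elif not path.startswith("/") and "w" in perms:
            findings.append(f"anonymous rwx region at {e['start']}-{e['end']}")
    return findings

def scan_zygote_maps(text: str) -> List[str]:
    return suspicious_mappings(parse_maps(text))

if __name__ == "__main__":
    for finding in scan_zygote_maps(SAMPLE_ZYGOTE_MAPS):
        print(finding)
```

On a real device the input would come from `cat /proc/$(pidof zygote)/maps` over a root shell; a hooked Zygote that also hides its module from process listings would still have to leave this mapping in place to run.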
In 2016 we will see more malware of this kind, mostly targeting mobile devices. This may be the year cyber criminals bring more sophisticated ransomware and malware like Triada to mobile devices. Android security has always been under question. To stay clear of these infections, take special care when installing third-party applications. Stay safe. Stay secure.
Special Thanks to Kaspersky Lab