Rise of the Triada: mobile malware becomes very sophisticated

Triada is a complex, stealthy, and professionally written malware suite. While it is mostly a consumer-level threat, Triada is also potentially dangerous to mobile apps-related businesses.

In late February, Kaspersky Lab reported the emergence of one of the most dangerous Android-oriented malware known as Acecard, and now there’s a new discovery: a complex, stealthy, and professionally written malware suite codenamed “Triada”. While this is mostly a consumer-level threat, Triada is also potentially dangerous to mobile apps-related businesses.

Not just one but three

Triada is now an “umbrella” name, covering three mobile Trojan families which share an application loader and installation modules. These Trojans – Ztorg, Gorpo, and Leech – work in cooperation with each other, and the infected devices are getting organized into a sort of advertising botnet that threat actors can use to install different kinds of adware.

However, the most outstanding feature of Triada is that it gains super-user (root) privileges.

Going for the brain

Last year Securelist pointed out the increasing popularity of malware for Android that gains root access to a device and uses it to install apps and display aggressive advertising. Sometimes it is so aggressive that the device becomes nearly unusable due to the sheer number of annoying ads and apps being installed without a user’s consent.

Securelist authors predicted that one day these advertising Trojans would start spreading malicious, money-stealing malware. This proved to be true.

“Rooting malware has begun spreading the most sophisticated mobile Trojans we have ever seen”, said Securelist’s Nikita Buchka and Mikhail Kuzin.

The aforementioned advertising botnet is now serving the victims with a unique Trojan that has modular functionality with active use of superuser privileges. Its main part exists in device RAM only, which makes it almost impossible to detect and delete using antimalware solutions. Triada also implements itself into all processes running on the device.

Disturbingly, Triada uses Zygote – the parent of the application process on an Android device – that contains system libraries and frameworks used by every application installed on the device.

In other words, it’s a daemon whose purpose is to launch Android applications. This is a standard app process that works for every newly installed application. It means that as soon as the Trojan gets into the system, it becomes part of the app process and will be pre-installed into any application launching on the device, and can even change the logic of the application’s operations. The primary goal of this is absolute persistence.

Securelist authors also point out that there are “industrial approaches” used in Triada’s development, which suggest very high qualification of its authors.

These people know very well what they want and how to achieve it.

And what they want is money

The main function of the Trojan is to redirect financial SMS transactions when the user makes online payments to buy additional content in legitimate apps. The money goes to the attackers rather than to the software developer.

Depending on whether or not the user gets the content he pays for, the Trojan either steals the money from the user (if the user does not receive the content) or from the legitimate software developers (if the user receives the content).

In other words, Triada is potentially damaging to the entire mobile apps market.

Securelist says that the range of techniques Triada employs so far hasn’t been found in any other known mobile malware: “The methods of concealing and achieving persistence used by Triada can effectively avoid detection and removal of all malware components after installation on the infected device; the modular architecture allows attackers to extend and alter the functionality so they are limited only by the capabilities of the operating system and applications installed on the device.”

And the fact that Triada penetrates all applications installed in the system means the criminals can implement new attack vectors against users and further maximize their profits.

Securelist authors compare Triada’s complexity to Windows malware, saying that the evolution of Android threats has just moved to a new level.

The full text of Securelist’s report on Triada is available here.


Mitigation and removal

Kaspersky Lab products detect Triada’s components as:

  • Trojan-Downloader.AndroidOS.Triada.a;
  • Trojan-SMS.AndroidOS.Triada.a;
  • Trojan-Banker.AndroidOS.Triada.a;
  • Backdoor.AndroidOS.Triada.

Preventing Triada from getting in is a bit easier than having to remove it after the infection. In fact, it’s next to impossible to uninstall this malware from the device. Users face two options to get rid of it. The first is to “root” their device and delete the malicious applications manually. The second option is to jailbreak the Android system on the device. This is not something that we would normally recommend, but Triada is not a “normal” case.

Take a look at pros and cons of rooting and jailbreaking at Kaspersky Daily.

It is important to note that Triada hits users of Android version 4.4.4 and earlier. Later versions have much fewer vulnerabilities that can be exploited by malware to gain root access. So if there is an option to upgrade the system, it is worth doing ASAP.

Historic parallels

While Securelist compares Triada to Windows malware due to its complexity, there are other parallels as well.

Windows has become the most malware-targeted system mostly due to its popularity among consumers and lax security. This attracted the hordes of malware writers, and though there was not much malware in the early 1990s, ten years later we have observed global pandemics of viruses attacking Windows-based machines, and now the number of malware samples discovered by Kaspersky Lab’s experts is well north of 300k pieces per day. Most of this is Windows malware.

Gradually the malware writers switched from general vandalism to profiting from their code, something that we’re seeing a lot of today.

Now, there’s Android. The most popular mobile platform around (Okay, Google, thanks), and, consequently, the most targeted one. Its early versions were launched when the mobile malware was few and far between. Now, it’s fair to say that Android turned out to be the richest soil for mobile malware to grow – in numbers, and now in sophistication as well. Reasons are multiple, and we touched on them earlier. Regardless, Google made grand efforts to improve security, but the adoption rate of newer versions yearns for improvement: as of March, 2016, around 36% of Android devices run version 5.x (Lollipop) released in 2014, while version 6.0 (Marshmallow), released in October 2015 has a slim share of 2.3%. 

Both consumers and businesses learned to protect their Windows-based endpoints with time. It is now necessary to understand that mobile malware is equally dangerous and damaging, and to see to it that it doesn’t slip onto our devices.

Kaspersky Endpoint Security for Business (Select, Advanced and Total editions) provides businesses with robust security of corporate mobile devices, protecting from the prevalent mobile-borne threats such as phishing, spam, malware and launch of unauthorized applications, etc. Importantly, rooting and jailbreaking incidents are detected automatically, which provides an extra layer of protection from Triada and other rooting malware, and the infected devices are getting blocked before any harm can be inflicted upon the corporate infrastructure. For more information on Kaspersky Endpoint Security please visit here.