{"id":5280,"date":"2016-03-14T16:50:24","date_gmt":"2016-03-14T16:50:24","guid":{"rendered":"https:\/\/kasperskydaily.com\/b2b\/?p=5280"},"modified":"2020-02-26T11:05:58","modified_gmt":"2020-02-26T16:05:58","slug":"rise-of-the-triada","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/rise-of-the-triada\/5280\/","title":{"rendered":"Rise of the Triada: mobile malware becomes very sophisticated"},"content":{"rendered":"

In late February, Kaspersky Lab reported the emergence of one of the most dangerous Android-oriented malware known as Acecard, and now there\u2019s a new discovery<\/a>: a complex, stealthy, and professionally written malware suite codenamed \u201cTriada\u201d. While this is mostly a consumer-level threat, Triada is also potentially dangerous to mobile apps-related businesses.<\/p>\n

Not just one but three<\/strong><\/p>\n

Triada is now an \u201cumbrella\u201d name, covering\u00a0three mobile Trojan families which share an application loader and installation modules. These Trojans \u2013 Ztorg, Gorpo, and Leech \u2013 work in cooperation with each other, and the infected devices are getting organized into a sort of advertising botnet that threat actors can use to install different kinds of adware.<\/p>\n

However, the most outstanding feature of Triada is that it gains super-user (root) privileges.<\/p>\n

Going for the brain<\/strong><\/p>\n

Last year Securelist pointed out<\/a>\u00a0the increasing popularity of malware for Android that gains root access to a device and uses it to install apps and display aggressive advertising.\u00a0Sometimes it is so aggressive that the device becomes nearly unusable due to the sheer number of annoying ads and apps being installed without a user\u2019s consent.<\/p>\n

Rise of the #Triada: mobile #malware becomes really sophisticated. #security<\/p>Tweet<\/a><\/blockquote>\n

Securelist authors predicted that one day these advertising Trojans would start spreading malicious, money-stealing malware.\u00a0This proved to be true.<\/p>\n

\u201cRooting malware has begun spreading the most sophisticated mobile Trojans we have ever seen\u201d, said<\/a> Securelist\u2019s Nikita Buchka and Mikhail Kuzin.<\/p>\n

The aforementioned advertising botnet is now serving the victims with a unique Trojan that has modular functionality with active use of superuser privileges. Its main part exists in device RAM only, which makes it almost impossible to detect and delete using antimalware solutions. Triada also implements itself into all processes running on the device.<\/p>\n

Disturbingly, Triada uses Zygote<\/a> \u2013 the parent of the application process on an Android device \u2013 that contains system libraries and frameworks used by every application installed on the device.<\/p>\n

In other words, it\u2019s a daemon whose purpose is to launch Android applications. This is a standard app process that works for every newly installed application. It means that as soon as the Trojan gets into the system, it becomes part of the app process and will be pre-installed into any application launching on the device, and can even change the logic of the application\u2019s operations. The primary goal of this is absolute persistence.<\/p>\n

Securelist authors also point out that there are \u201cindustrial approaches\u201d used in Triada\u2019s development, which suggest very high qualification of its authors.<\/p>\n

These people know very well what they want and how to achieve it.<\/p>\n

And what they want is money<\/strong><\/p>\n

The main function of the Trojan is to redirect financial SMS transactions when the user makes online payments to buy additional content in legitimate apps. The money goes to the attackers rather than to the software developer.<\/p>\n

Depending on whether or not the user gets the content he pays for, the Trojan either steals the money from the user (if the user does not receive the content) or from the legitimate software developers (if the user receives the content).<\/p>\n

In other words, Triada is potentially damaging to the entire mobile apps market.<\/p>\n

Securelist says that the range of techniques Triada employs so far hasn\u2019t been found in any other known mobile malware: \u201cThe methods of concealing and achieving persistence used by Triada can effectively avoid detection and removal of all malware components after installation on the infected device; the modular architecture allows attackers to extend and alter the functionality so they are limited only by the capabilities of the operating system and applications installed on the device.\u201d<\/p>\n

And the fact that Triada penetrates all applications installed in the system means the criminals can implement new attack vectors against users and further maximize their profits.<\/p>\n

Securelist authors compare Triada\u2019s complexity to Windows malware, saying that the evolution of Android threats has just moved to a new level.<\/p>\n

The full text of Securelist\u2019s report on Triada is available here<\/a>.<\/p>\n

\"tentacles2\"<\/p>\n

Mitigation and removal<\/strong><\/p>\n

Kaspersky Lab products detect Triada\u2019s components as:<\/p>\n