Triada Android Malware

Are you the most careful person who has ever held an Android device?
You may well be careful never to let malware onto your personal device. Being careful about what you install, however, is not enough to secure your data. Why? Triada has been found already present on some models of Android phones at the manufacturing stage, which means your phone may have come with malware pre-installed.

Since mid-2017, an Android malware that steals data by executing malicious activities without the user's knowledge has been steadily infecting various models of Android devices.

So far, an estimated 40 million users, possibly more, have been infected by the malware, through a mix of downloaded Trojans and copies pre-installed on some devices.

What is the Triada Malware anyway?
It is a modular mobile Trojan that specifically targets the Android platform. It is capable of penetrating the firmware itself, actively uses root access to alter system files, and lives mainly in the device's RAM, which is why it is almost impossible to detect or remove.

Payload
After it attaches itself to the device, it first scans and analyzes the device and sends the collected data to the cybercriminals' server. Next, to evade detection, it initially installs itself to the device storage, updates itself by fetching modules from the server, copies itself into RAM, and then deletes the copy on storage. Afterward, it modifies the core Android process called Zygote, the process from which every app process is forked, which is what lets it infect and become a part of every app installed on the device.

Now that it is part of every app on your phone, it can redirect payments for in-app purchases to the malware author instead of the app developer: if the purchase goes through successfully, the transaction data is transferred via SMS to the attacker. In this case, either the user's money is stolen or the app developer is the one who gets robbed.

It was initially known for stealing people's money through apps, but since it is a modular malware, its payload can be updated to something much worse, such as reading all your keystrokes and literally stealing your credentials. Additionally, with its hold on Zygote, it could be turned into a Remote Access Trojan similar to those that already exist on Windows and Mac. In other words, it can become almost anything this group of malware authors wants it to be.

Once these cybercriminals can no longer get money directly from your card, there is a strong possibility that the authors will shift to phishing activities to keep monetizing the malware.
