Triada

Triada is a remote access trojan (RAT) identified in 2016 that targets Android devices. In January 2017, Check Point named Triada the top mobile malware threat after the discovery that the malware contains a modular backdoor which infects the Zygote process, a core process within the Android operating system. The backdoor grants the malware the ability to embed its .DLL into the process of four mobile browsers, allowing attackers to intercept web requests and send users to a web page of the attacker's choosing.

Triada relies on social engineering to convince users to install it on their devices. In April 2016, it was reported that Triada was disguising itself as "Wandoujia," a top Android application in China. Once it has infected a device, it uses the open-source DroidPlugin sandbox to hide malicious Android application package (APK) plugins in its asset directory. It then executes those plugins through DroidPlugin rather than installing them on the device, which keeps them out of the installed-package list and evades anti-virus. The plugins allow Triada to spy on the victim, stealing passwords and files and monitoring a number of user activities. The APK names reveal the activities it carries out:

  • android.adapi.task
  • android.adapi.file
  • android.adapi.radio
  • android.adapi.location
  • android.adapi.camera
  • android.adapi.update
  • android.adapi.online
  • android.adapi.contact
  • android.adapi.wifi
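Because Triada ships its plugins as nested APKs inside the host package's assets directory and loads them through DroidPlugin instead of installing them, a static check of the host APK is one place a defender can catch them before they ever run. The script below is an added example, not code from the original page or from any referenced vendor report: it opens an APK as the ZIP archive it is, looks inside assets/ for entries that are themselves ZIP archives carrying an AndroidManifest.xml and dex code, and flags any whose name matches one of the plugin names listed above. The sample host APK it scans is constructed inline with placeholder manifest and dex bytes; the file layout and the helper names are assumptions for the demonstration.

```python
import io
import zipfile

# Plugin names attributed to Triada in the list above.
TRIADA_PLUGIN_NAMES = {
    "android.adapi.task", "android.adapi.file", "android.adapi.radio",
    "android.adapi.location", "android.adapi.camera", "android.adapi.update",
    "android.adapi.online", "android.adapi.contact", "android.adapi.wifi",
}

ZIP_MAGIC = b"PK\x03\x04"  # local file header signature of a ZIP archive


def is_embedded_apk(data: bytes) -> bool:
    """An APK is a ZIP archive; treat a nested ZIP that carries an
    AndroidManifest.xml and at least one .dex file as an embedded APK.
    A plain nested ZIP without dex code is not reported."""
    if not data.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as inner:
            names = set(inner.namelist())
    except zipfile.BadZipFile:
        return False
    return "AndroidManifest.xml" in names and any(n.endswith(".dex") for n in names)


def scan_apk_assets(apk_bytes: bytes) -> list[dict]:
    """Return one finding per asset that is itself an APK, noting whether
    its name (with or without an .apk extension) matches a known plugin."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as outer:
        for info in outer.infolist():
            if info.is_dir() or not info.filename.startswith("assets/"):
                continue
            data = outer.read(info)
            if not is_embedded_apk(data):
                continue
            base = info.filename.rsplit("/", 1)[-1]
            stem = base[:-4] if base.lower().endswith(".apk") else base
            findings.append({
                "asset": info.filename,
                "size": len(data),
                "known_triada_plugin": stem in TRIADA_PLUGIN_NAMES,
            })
    return findings


def build_inner_apk(with_dex: bool = True) -> bytes:
    """Constructed nested archive standing in for a plugin APK (placeholder bytes,
    not a real manifest or dex file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        if with_dex:
            z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 16)
    return buf.getvalue()


def build_sample_apk() -> bytes:
    """Constructed host APK: two nested plugin APKs (one without the .apk
    extension), one nested ZIP that is not an APK, and one ordinary asset."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"dex\n035\x00")
        z.writestr("assets/android.adapi.location.apk", build_inner_apk())
        z.writestr("assets/android.adapi.camera", build_inner_apk())
        z.writestr("assets/helper.zip", build_inner_apk(with_dex=False))
        z.writestr("assets/data.json", b"{}")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_apk_assets(build_sample_apk()):
        print(finding)
```

Against a real sample, pass the file's bytes to scan_apk_assets; a nested APK under assets/ is suspicious on its own, and a name match against the list above adds attribution. Since plugin names can be changed trivially, treat the structural check (nested manifest plus dex code) as the primary signal and the name match as a secondary one.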

Reporting

  • March 2016: Triada trojan on Android devices complex as Windows malware. (SC Magazine)
  • March 2016: Triada trojan the most sophisticated mobile malware seen to date. (Security Affairs)
  • June 2016: Triada trojan now redirecting Android users to fake, malicious URLs. (SC Magazine)
  • February 2017: This modular backdoor malware is now the most common threat to Android smartphones. (ZDNet)
  • April 2017: Triada Android spyware evades anti-virus detection by using DroidPlugin sandbox. (Graham Cluley)

Technical Details

  • Securelist provides technical details on the Triada Android RAT, available here.