Triada trojan on Android devices "complex as Windows malware"

Nearly two-thirds of Android phones and tablets susceptible to attacks by the complex Triada Trojan

The Triada Trojan takes dead aim at Android devices
The Triada Trojan takes dead aim at Android devices

A new Trojan targeting Android devices has been found to be a risk to around 60 per cent of Android devices.

According to Kaspersky, the Triada malware can be “compared to Window-based malware in terms of its complexity”.

“It is stealthy, modular, persistent and written by professional cybercriminals. Triada operates silently, meaning that all malicious activities are hidden, both from the user and from other applications,” said Nikita Buchka, junior malware analyst at Kaspersky Lab.

Devices running the 4.4.4. and earlier versions of the Android OS are at the greatest risk. This type of malware usually propagates through applications that users download/install from untrusted sources.

“These apps can sometimes be found in the official Google Play app store, masquerading as a game or entertainment application. They can also be installed during an update of existing popular applications and are occasionally pre-installed on the mobile device,” said Buchka.

According to Kaspersky, there are eleven known mobile Trojan families that use root privileges. Three of them – Ztorg, Gorpo and Leech – act in cooperation with each other. Devices infected with these Trojans usually organise themselves into a network, creating a sort of advertising botnet that threat actors can use to install different kinds of adware.

“Shortly after rooting on the device, the above-mentioned Trojans download and install a backdoor.  This then downloads and activates two modules that have the ability to download, install and launch applications,” said Buchka.

In a blog post, Buchka said that a distinctive feature of the malicious application is the use of the Zygote process to implement its code in the context of all the applications on the device.

“This is the first time we have come across this technique in the wild; Zygote was only previously used in proof-of-concepts,” he added.

It seems that once infected, the malware is very difficult to get rid of.

"Once Triada is on a device, it penetrates almost all the running processes, and continues to exist in the memory only. In addition, all separately running Trojan processes are hidden from the user and other applications. As a result, it is extremely difficult for the user and antivirus solutions to detect and remove the Trojan,” said Buchka.

Henry Seddon, vice president EMEA at Duo Security, told SCMagazineUK.com that most organisations today, are unware whether their Android devices are infected or not.

“Our research shows that 90 per cent of Android devices, run out of date operating systems thus making them more vulnerable. Indeed 30 per cent of Android devices run versions prior to 4.0 which are vulnerable to the zygote malware. We would strongly recommend that companies analyse and notify users of these risks and implement policies that restrict users from accessing corporate resources with out of date devices,” he said.

Mark James, security specialist at ESET, told SC one of the sole aims for malware is to infect and remain undetected, “having the highest level of authority makes this job a lot easier, by gaining access or controlling a process ( Zygote) that all other applications use, it is capable of virtually anything.”

“Because it is so difficult to get rid of, the most effective means to clean these devices is to completely wipe and re-image the device.”