Triada: A Modular Mobile Trojan That Actively Uses Root Privileges To Replace System Files


Malware Profile


Origin: 2016

Alias: Android.Triada.231, Android.HiddenAds.251.origin

Infection Vectors: Social engineering, firmware pre-installed at the factory (supply chain)

Key Target Sectors:  Manufacturing, Information Technology

Targeted Region: South-East/Southern/Western/Eastern Asia, Western Europe

Motive: Spying, Data Theft

Threat Level: High

Origin


Triada is a modular Android Trojan with backdoor capabilities, first described in 2016. It mainly affected devices running Android 4.4.4 and earlier versions of the mobile operating system (OS). It was later found to infect phones during the manufacturing process itself, by being built into the device firmware; on the device it targets Zygote, the core Android process from which every application process is forked, so that its code ends up inside every app. By March 2016, Triada had become an "umbrella" term covering three root-gaining mobile Trojan families, Leech, Gorpo, and Ztorg, which download and install it once they obtain root. The main goal of Triada is to install spam apps on the device that display ads. The majority of affected users were located in the US, Yemen, Turkey, the West Bank, Germany, India, Russia, and Ukraine, as well as in APAC (Asia-Pacific) countries.

Propagation Method


Triada often relies on social engineering to convince targeted victims to install the malware on their Android devices. In March 2016, a change was noticed in Triada's backdoor structure, when it started targeting Android's Zygote process. In April 2016, Triada was found masquerading as "Wandoujia," a top Android application in China. It used the open-source DroidPlugin sandbox to hide malicious Android Application Package (APK) plugins in its assets directory; it then ran the plugins through DroidPlugin, so they executed on the device without being installed as normal apps, which helped them evade antivirus software. The plugins allow Triada to spy on the victim, steal passwords and files, and monitor a range of user activity. The backdoor can also inject its module into the processes of four mobile browsers, which lets the attacker intercept web requests and redirect users to a web page of the attacker's choosing.

In July 2017, it was disclosed that the malware had further evolved into a backdoor pre-installed in the Android framework itself. The change consisted of an extra call inserted into the framework's logging function. Because the backdoor rides on the log function, its code runs every time any app on the phone writes a log message; apps log many times per second, so the backdoor is executed constantly and inside every application's process.

Exploitation Method


Triada decrypts the strings it uses and checks the OS version and API level of the environment in which it is launched. The malware can inject malicious modules into application processes, where they can perform actions such as stealing confidential information or modifying what the attacked application displays. It can also extract a jar module (detected as Android.Triada.194.origin) from the modified libandroid_runtime.so library. The critical feature of Triada is that its operators inject the Trojan into the libandroid_runtime system library. As a result, the malicious code enters the device firmware while the device is being manufactured, and users receive devices that are pre-infected out of the box. Many smartphone manufacturers lack the resources to develop in-house all the features they want to ship, so they depend on third-party vendors to build them; code supplied by such vendors is built into the system image, often without further review, which makes those vendors an attractive point of attack.

Recent Incidents


In June 2019, an analysis of the Triada family published by Google's security team identified a vendor going by the name Blazefire or Yehuo as most likely responsible for the malware that came pre-installed on some Android phones. Google has since worked with the affected OEMs (Original Equipment Manufacturers) to update their system images and remove Triada, and Google Play Protect scans Android devices for the malware.

In December 2017, the malware was spotted pre-installed on the Leagoo M9 smartphone. In March 2018, over 40 models of Android devices (such as the Leagoo M5, M5 Plus, M5 Edge, M8, M8 Pro, Z5C, and many more) were also found to be infected out of the box. According to the reports, the Trojan's penetration into the firmware occurred at the request of a Leagoo partner, a software developer from Shanghai. Later, another piece of malware, dubbed "Android.HiddenAds.251.origin," was detected in the Leagoo M9 firmware. It belongs to a Trojan family that displays intrusive advertisements. Further analysis showed that Android.HiddenAds.251.origin was also present in earlier Android firmware versions of the Leagoo M9.

Prevention


Triada was secretly included in the system image as third-party code providing features requested by the OEMs. This underlines the need for thorough security review of system images before they are shipped on devices or pushed over the air (OTA). An anti-malware application on the device can detect known Triada components and some of its modifications, and a full scan is the first step in finding out whether a device is infected. Because the Trojan lives in the system partition (it installs itself as a system app and patches a system library), an ordinary app cannot remove it. If the malware is detected and root privileges are not available on the device, the only reliable remedy is to re-flash the device with a clean firmware image from the manufacturer.
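The checks described in the Prevention paragraph above, together with the libandroid_runtime.so modification described under Exploitation Method, as an added example that is not part of the original page or of any vendor tooling named in it. It assumes the device's /system partition has been dumped to a local directory (from a firmware image or via adb pull) and that the output of `adb shell pm list packages` has been saved; the clean-build hash for libandroid_runtime.so is a value the analyst must obtain from the OEM, and the sample files used in `demo()` are constructed here.

```python
"""Offline IOC triage for a suspected Triada-infected Android system dump.

Added example, not code from the original page or from any vendor it names.
Uses a subset of the page's hash IOCs and its list of malicious package names.
"""
import hashlib
import os
import tempfile

# Subset of the SHA1/SHA256 IOCs listed on this page.
TRIADA_SHA1 = {
    "7ed01280dd254b063fecfdbf1da773df7738120a",
    "a1cdc9736e93bd1db572a5969be0117e4921de99",
}
TRIADA_SHA256 = {
    "6ae1dbc9e7674d7dbbf125f606b3f7dbd11f8718bfd0d7e0861ffa5afc42b20d",
    "cb13d25e921941706eb29f7ec2db1bbc74beb5a6a688f6aa53b2d7bfff1f34a5",
}
# Package names of the Triada plugins listed on this page.
TRIADA_PACKAGES = {
    "android.adapi.task", "android.adapi.file", "android.adapi.radio",
    "android.adapi.location", "android.adapi.camera", "android.adapi.update",
    "android.adapi.online", "android.adapi.contact", "android.adapi.wifi",
    "com.as.ytb.downloader",
}


def file_digests(path, chunk=1 << 20):
    """Return (sha1, sha256) hex digests of a file, hashed in chunks."""
    h1, h256 = hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h1.update(block)
            h256.update(block)
    return h1.hexdigest(), h256.hexdigest()


def scan_system_dump(root, sha1_iocs=TRIADA_SHA1, sha256_iocs=TRIADA_SHA256,
                     known_good=None):
    """Walk an extracted /system tree and report two kinds of findings:
    files whose hash matches a Triada IOC, and files whose SHA256 differs from
    the OEM's clean build (known_good: {relative_path: sha256}, analyst-supplied).
    Returns a sorted list of (relative_path, reason) tuples."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            sha1, sha256 = file_digests(full)
            if sha1 in sha1_iocs or sha256 in sha256_iocs:
                findings.append((rel, "hash matches Triada IOC"))
            if known_good and rel in known_good and known_good[rel] != sha256:
                findings.append((rel, "differs from clean build"))
    return sorted(findings)


def flag_packages(pm_output, bad=TRIADA_PACKAGES):
    """Parse `pm list packages` output (one "package:<name>" per line) and
    return, sorted, the installed package names that appear in the IOC list."""
    installed = set()
    for line in pm_output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            installed.add(line[len("package:"):])
    return sorted(installed & bad)


def demo():
    """Run both checks on a constructed /system dump and package list."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "lib"))
        os.makedirs(os.path.join(root, "app", "Foo"))
        # Constructed benign file: should produce no finding.
        with open(os.path.join(root, "app", "Foo", "Foo.apk"), "wb") as f:
            f.write(b"PK\x03\x04 harmless placeholder")
        # Constructed stand-in for a Triada module; its hash is added to the IOC set
        # so the matching path is exercised without needing a real sample.
        planted = os.path.join(root, "app", "planted.jar")
        with open(planted, "wb") as f:
            f.write(b"constructed sample standing in for a Triada module")
        # Constructed "patched" libandroid_runtime.so versus a hypothetical clean hash.
        with open(os.path.join(root, "lib", "libandroid_runtime.so"), "wb") as f:
            f.write(b"\x7fELF patched")
        clean = {"lib/libandroid_runtime.so":
                 hashlib.sha256(b"\x7fELF clean").hexdigest()}
        planted_sha1, _ = file_digests(planted)
        findings = scan_system_dump(root, sha1_iocs=TRIADA_SHA1 | {planted_sha1},
                                    known_good=clean)
    # Constructed `adb shell pm list packages` output.
    pm = ("package:com.android.settings\n"
          "package:android.adapi.task\n"
          "package:com.as.ytb.downloader\n")
    return findings, flag_packages(pm)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

A hash hit on a dumped file is conclusive only for the exact sample; the clean-build comparison is what catches a re-packed libandroid_runtime.so, so obtain the reference hash from the OEM's signed build rather than from another device of the same model, which may carry the same patched library.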

Indicators of Compromise


SHA1
7ed01280dd254b063fecfdbf1da773df7738120a
a1cdc9736e93bd1db572a5969be0117e4921de99
9985f3362013e31dff1a0dac638b802c4a01fdde
478e5ac7df97b458dd1ed57e0dd093f07aa5d35b
03b2f4efd534d69321746ad0851e4fbe7b8e1db1
4c675b8196fb7e921f7e27646a2fedc83bbde702
006b23bcdd39ffb7b98ef3af1eeb939f11f02393
df4df5c9009753776ff7b3d53f208f9cc11ad1c2
ed7af94974777145329da8e6251437e2ec29f8ab
48b801668aaeced40e183e94b15375a5c5ec8ec9
f3d503acc9e3db9b942f3238cae1eaa085407ef6
9ceba8c4e874bb668ca31491ddcf632f38b23b47
30c9b50f6331de621c8f0e5c884d5dab4b13396b
a31d8d67b49cdf4c44a7f301a931849744c0c96b
30d110bb04932ac5e92b3d56033ac81933b5a208
cc2dc2ead2a8cf384bcf8ac66e31586ca76ee8a9
a1d0dbe601b611a7206f82574fcd72e5ab57f09c
317ce52713f99f3c7a4f38c3a98a02690cce6de7
04e04eae2bd4a29e1a08c38545aef80394f62493
6aba69f858ed360c818bcbe105db01f970d1e6aa
acb292bb3cc0b6095a06dae30d3ff033a3863cfc
82d32c1c8cc1eb08d30326279281f5317bd7b058
f7484ba764d73943f27e8afdf1fc48b09b65caa5
7a2fc3782d179d37a01e4c609ea2be4cb915eebf
8deee992b7c28eec0c414c707724ec2f57d7e168
706aab1479ac2088ea200b988dba61a7e0c38d36
606624c6e7c4627ffc75dbd756ac495ea3b53f69
ed645df93c688885e7a7b01c56d643ad9553b75e
1940de90a38e4f9b06a510ded0472f8829736aff
5b1207d4eb9dd216ed62762a9e8301173b8ccee2
85e9a11e3d04c3c9fd89b55282f2f428643d9bd7
b5a06369e6cf26a947af25790aea053ef1eb398d
9cedd1cdb1a239a7f1c3eda14aa7c4ae3a7022be
c5ba0dd5f7d483ba27ed49f0e9b622622d13a8d4
00be651d94bde3b113569e93ec41dff79749ae82
3a291646b2d21548619b84333beb6f22f8ba5a8d
d7e734be9ea143c41dae3fbf9388a625d6ba8d5d
65bfc482d6c7fbf3b9681af12e25880dfa71785b
34e1e6ec24b92ce374396a5e339c13e47064224a
d9da4f1ed7cd78863b9867d4efbebc22e28e45b5
7a57aa9ee54cc442004a5d6874f623e115552467
4aa1d2cb87352bb96e8cf53c86d5ae40fc7dc1a2
78d311a4a160f3831f978e51b61c5f2d8c165faf
350405545ded0697a3b12e4d9281297005ae9718
6bafdbe578daecd057aa14f11416f717bc4daacc
c9764fd47c1b271945b634a258e1bacac3304f35
4ac1756a4af888bb23f1f0aaec4db9578b159d71
af62d2328819267d0207b266bc1cdc3db73fc588
cceee71d75d151fd44d62c25ace07ec9fe8f4647
ff721627e493beaf53371f6eae567725d5a6e6b7
bbb91acd3454be1dc60692a5b7af679467530091
6c0fc552d0fc54c5cb7070e422dfab6537a2956f
a3eaea4926d8088faf4ebcdf8df89594c903e730
ebe809ac123453292b50c75f20d9857caf069aaa
21f06113a03dd7c911adcf902d933a4571052213
e88a5145d6d024e14a5050c1ac93ebc5d400dd17
54ed99f6af6bc246483b235156df28018fd05bc7
12f30c84471ebf8f25a7734932e1144c75888f6f
02d2be28d734f58a30cbebf2c324399279276569
1fbe9ff02b253c9088c70a3b431d7f4559e8d650
410de31222d82b43802cdbc759117696122475b9
cd4439d0c4d98eb2ec2d456173fe4469047a6b08
7f56508595589b74fdea9c277886862aa999ca36
6c3063a6ac9a664c9a52ed39f4c9d8a7d4d89a4b
74c5d21df8ed295f5d87f0707a3f28ad81872c4e
d39a2f010f687c489e886432e6113bd84e96b8a6
6348a1ccdbd541e3e89b4a16d0552189ab7f710d
21feef4ae9e6d6edc2223646aa1137b07e69baf5
3c348b3b2415d37db880bfa5a80567301ab3ea2a
9616f779add04e8c0ef502e19f5c21cf94aa76ff
3fac99faf5039b669710135ae8755e001c7d221d
89bfbdc527a6d070219eb276b8ca1828dd6053eb
417d97d1e2117b3486cd3a8d7498dc1e9b9e5a23

SHA256
6ae1dbc9e7674d7dbbf125f606b3f7dbd11f8718bfd0d7e0861ffa5afc42b20d
0746c3ed1598947566e92b5e258ee955b559f86f661e7a70aaa56a0ecb9792ad
49f97664b28c15cc244a5d55122f7bb10d246ff851f86fbfeba1bf525da433b9
cb13d25e921941706eb29f7ec2db1bbc74beb5a6a688f6aa53b2d7bfff1f34a5

IPs contacted by the malware while running as an ordinary app (before obtaining root)
67.252[.]10:80
7.41.34[.]80
251.212[.]218:80
20.83[.]120:80
28.24[.]144:80
6.165[.]90:80
2.159[.]222:80
108.185[.]113:80

IPs contacted after obtaining root privileges
105.254[.]228:80
21.91[.]8:80
21.92[.]20:80
205.159[.]56:80
187.73[.]202:7012

Malicious APK package names
android.adapi.task
android.adapi.file
android.adapi.radio
android.adapi.location
android.adapi.camera
android.adapi.update
android.adapi.online
android.adapi.contact
android.adapi.wifi
com.as.ytb.downloader
