Alias: Android.Triada.231, Android.HiddenAds.251.origin
Infection Vectors: Social engineering
Key Target Sectors: Manufacturing, Information Technology
Targeted Region: South-East/Southern/Western/Eastern Asia, Western Europe
Motive: Spying, Data Theft
Threat Level: High
Triada is a Remote Access Trojan (RAT), discovered in 2016, that targets Android devices. It mainly affected devices running Android 4.4.4 and earlier versions of the mobile operating system (OS). Later, Triada was found to use an unusual infection method: it infects Android phones during the manufacturing process itself by targeting and infecting Zygote, a core process within the Android operating system. By March 2016, Triada had become an “umbrella” term for three mobile Trojan families, namely Leech, Gorpo, and Ztorg. The main goal of Triada is to install spam apps that display ads on an Android device. The majority of users attacked by this Trojan were located in the US, Yemen, Turkey, West Bank, Germany, India, Russia, and Ukraine, as well as in APAC (Asia-Pacific) countries.
Triada often relies on social engineering to trick targeted victims into installing the malware on their Android devices. In March 2016, a change was noticed in Triada’s backdoor structure, when it started targeting Android’s Zygote process. In April 2016, Triada was found masquerading as "Wandoujia," a top Android application in China. It used the DroidPlugin open-source sandbox to conceal malicious Android Application Package (APK) plugins in its asset directory. It executed the plugins through DroidPlugin, thereby installing them on the device while evading detection by antivirus software. The plugins allow Triada to spy on the targeted victim, steal passwords, steal files, and monitor several user activities. The backdoor gives the malware the ability to embed its DLL into the process of four mobile browsers, which allows the attacker to intercept web requests and redirect users to a web page of the attacker's choice.
In July 2017, it was disclosed that the malware had further evolved into a pre-installed Android framework backdoor. The change to Triada consisted of an extra call inserted into the Android framework's log function. Because the log function is backdoored, the additional code executes every time the framework writes a log entry, and since log calls occur many times per second, the extra code is kept running continuously.
Triada decrypts the strings it uses and checks the version of the OS execution environment and API in which it is launched. The malware can inject malicious modules into application processes; these modules can perform several actions, such as stealing confidential information or modifying the information displayed by the attacked applications. It can also extract a jar module (detected as Android.Triada.194.origin) from the modified library libandroid_runtime.so. The critical feature of Triada is that cybercriminals can inject the Trojan into the libandroid_runtime system library. As a result, the malicious code enters the device firmware while it is being manufactured, and users receive devices that are pre-infected out of the box. Many smartphone manufacturers don’t have the resources to develop all the features they want in-house, so they depend on third-party vendors to build them, and such third-party vendors become an easy target of attack.
In June 2019, an analysis of the Triada malware family by the Google Security Team identified a vendor going by the name of either Blazefire or Yehuo, which was most likely responsible for the malware that came pre-installed on some Android phones. Google has since established a process with the affected OEM (Original Equipment Manufacturer) device makers to update their systems and eliminate Triada. Google also scans for the malware on all Android devices.
In December 2017, the malware was spotted pre-installed on the Leagoo M9 smartphone. In March 2018, over 40 models of Android devices (such as the Leagoo M5, Plus, Edge, M8, M8 Pro, Z5C, and many more) were also found to be infected out of the box from the manufacturers. According to the reports, the Trojan’s penetration into the firmware occurred at the request of a Leagoo partner, a software developer from Shanghai. Later, another piece of malware dubbed “Android.HiddenAds.251.origin” was detected installed on the device (in the Leagoo M9 firmware). It belongs to a Trojan family that displays intrusive advertisements. Further analysis disclosed that Android.HiddenAds.251.origin was also present in older Android OS firmware versions for the Leagoo M9 devices.
Triada was secretly included in the system image as third-party code for added features requested by the OEMs. This emphasizes the need for rigorous security reviews of system images before a device is updated over-the-air (OTA) or sold to users. On any Android device, an anti-malware application can detect the modifications made by Triada. To find out whether a mobile device is infected, scan it thoroughly so the malware is detected at an early stage. Because Triada installs itself as a system app, it cannot be removed without root privileges; if root privileges are not available on the Android device, the user can remove the malware by installing a clean image of the operating system (re-flashing the device firmware).
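One way to operationalize the system-image review recommended above, as an added example that is not part of this report or of any vendor's tooling: compare a `sha256sum` manifest of the image under review against the OEM's golden build and flag drift in `libandroid_runtime.so`, the library the report names as Triada's injection point. All manifests, hashes and paths below are constructed placeholders, not real Triada indicators.

```python
"""Golden-build manifest comparison for an Android system image (added example)."""
import re
from dataclasses import dataclass, field

# Paths the report singles out: Triada is injected into libandroid_runtime.so
# and extracts its jar module from the modified library.
CRITICAL_PATHS = {"/system/lib/libandroid_runtime.so",
                  "/system/lib64/libandroid_runtime.so"}
# sha256sum prints "<hex>  <path>" (or "<hex> *<path>" in binary mode).
_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(.+)$")

@dataclass
class ManifestDiff:
    modified: list = field(default_factory=list)  # same path, different hash
    added: list = field(default_factory=list)     # present only in candidate
    removed: list = field(default_factory=list)   # present only in golden

    def critical_hits(self):
        """Paths from CRITICAL_PATHS that changed or vanished: review blockers."""
        return sorted(p for p in self.modified + self.removed if p in CRITICAL_PATHS)

def parse_manifest(text):
    """Parse sha256sum output into {path: hexdigest}; blank and '#' lines skipped."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"malformed manifest line: {line!r}")
        entries[m.group(2)] = m.group(1).lower()
    return entries

def diff_manifests(golden_text, candidate_text):
    golden, candidate = parse_manifest(golden_text), parse_manifest(candidate_text)
    d = ManifestDiff()
    for path, digest in golden.items():
        if path not in candidate:
            d.removed.append(path)
        elif candidate[path] != digest:
            d.modified.append(path)
    d.added = sorted(p for p in candidate if p not in golden)
    return d

# Constructed sample manifests (placeholder hashes, not real indicators).
GOLDEN = "\n".join(["# constructed golden-build manifest",
                    "1" * 64 + "  /system/lib/libandroid_runtime.so",
                    "2" * 64 + "  /system/lib/libc.so"])
CANDIDATE = "\n".join(["f" * 64 + " */system/lib/libandroid_runtime.so",  # drifted
                       "2" * 64 + "  /system/lib/libc.so",
                       "3" * 64 + "  /system/framework/extra_module.jar"])  # unexpected

if __name__ == "__main__":
    result = diff_manifests(GOLDEN, CANDIDATE)
    print("modified:", result.modified, "added:", result.added)
    print("BLOCK OTA" if result.critical_hits() else "no critical drift")
```

Any hit in `critical_hits()` should block the OTA release until the change is explained by a signed build record, and every unexplained addition under `/system` deserves a manual look.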
Indicators of Compromise
Communication by the malware as an app
Contacted the following IPs after obtaining root permissions