Triada: A Modular Mobile Trojan That Actively Uses Root Privileges To Replace System Files

Origin: 2016

Alias: Android.Triada.231, Android.HiddenAds.251.origin

Infection Vectors:  Social engineering

Key Target Sectors:  Manufacturing, Information Technology

Targeted Region: South-East/Southern/Western/Eastern Asia, Western Europe

Motive: Spying, Data Theft

Threat Level: High

Triada is a Remote Access Trojan (RAT), discovered in 2016, that was targeting Android devices. It mainly exploited the users of Android 4.4.4 and earlier versions of the mobile operating system (OS). Later, it was identified that Triada implemented an unusual way to infect Android phones during the manufacturing process itself. For this, it targets and infects a core process within the Android operating system, called Zygote. By March 2016, Triada became an “umbrella” term for three mobile Trojan families, namely Leech, Gorpo, and Ztorg. The main goal of Triada is to install spam apps on an Android device that display ads. A majority of users attacked by this Trojan were located in the US, Yemen, Turkey, West Bank, Germany, India, Russia, and Ukraine as well as APAC (Asia-Pacific) countries.

Triada often adopts social engineering methods to convince the targeted victims into installing the malware on their Android devices. In March 2016, a change was noticed in Triada’s backdoor structure, when it started targeting Android’s Zygote process. In April 2016, Triada was found masking itself as "Wandoujia," a top Android application in China. It was found using the DroidPlugin open-source sandbox to cover malicious Android Application Package (APK) plugins in its asset directory. It executed the plugins with DroidPlugin, thereby installing them on the device and avoiding detection by antivirus software. The plugins allow Triada to spy on the targeted victim, steal passwords, steal files, and monitor several user activities. The backdoor gives the malware the ability to embed its DLL into the process of four mobile browsers, which allows the attacker to intercept web requests and send users to a specific web page of the attacker's choice.

In July 2017, it was disclosed that the malware further evolved to become a pre-installed Android framework backdoor. The changes to Triada included an extra call in the Android framework log function. By backdooring the log function, the additional code executes every time the phone attempts to log in. These log attempts occur many times per second, in order to keep the extra code running.

Triada decrypts the data strings that it uses and checks the version of the OS execution environment and API, in which it is launched. The malware can inject malicious modules into the application processes, which can perform several actions, like, stealing confidential information or modifying information displayed by attacked applications. It can also extract the jar module (detected as Android.Triada.194.origin) from the modified library libandroid_runtime.so. The critical feature of Triada is that cybercriminals can inject this Trojan into the libandroid_runtime system library. As a result, the malicious application can enter the device firmware while it is being manufactured, and the users get their devices pre-infected out-of-the-box. Many smartphone manufacturers don’t have the resources needed to develop all the features they want to use in-house, so they depend on third-party vendors to build them. Such third-party vendors become an easy target of attack.

In June 2019, an analysis by the Google Security Team on the Triada malware family revealed a vendor going by the name of either Blazefire or Yehuo, that was most likely responsible for malware that came pre-installed on some Android phones. Google has now established a system with the compromised OEM (Original Equipment Manufacturer) device makers to update their systems and eliminate Triada. Google also scans for the malware on all Android devices.

In December 2017, the malware was spotted pre-installed on the Leagoo M9 smartphone. In March 2018, over 40 models (such as Leagoo M5, Plus, Edge, M8, M8 Pro, Z5C, and many more) of Android devices were also found already infected out-of-the-box from the manufacturers. The Trojan’s penetration into firmware occurred, as per the reports, at the request of the Leagoo partner, a software developer from Shanghai. Later, another malware dubbed “Android.HiddenAds.251.origin” was detected being installed on the device (Leagoo M9 firmware). It belonged to the Trojan family that displays annoying advertisements. Further analysis disclosed that Android.HiddenAds.251.origin was also found on more primitive versions of OS Android of the Leagoo M9 devices.

Triada was secretly included in the system image as third-party code for added features requested by the OEMs. This emphasizes the need for precise security reviews of system images before the device gets updated over-the-air (OTA ) and is sold to the users. On any Android device, having an anti-malware application can detect all possible modifications made by Triada. To find out whether the mobile device is infected, scan it thoroughly to detect the malware at the initial level. If the root privileges are not available on the Android device (as it installs itself as system app), the user can remove this malware by installing a clean image of the operating system (re-flashing of device firmware).

7ed01280dd254b063fecfdbf1da773df7738120a

a1cdc9736e93bd1db572a5969be0117e4921de99

9985f3362013e31dff1a0dac638b802c4a01fdde

478e5ac7df97b458dd1ed57e0dd093f07aa5d35b

03b2f4efd534d69321746ad0851e4fbe7b8e1db1

4c675b8196fb7e921f7e27646a2fedc83bbde702

006b23bcdd39ffb7b98ef3af1eeb939f11f02393

df4df5c9009753776ff7b3d53f208f9cc11ad1c2

ed7af94974777145329da8e6251437e2ec29f8ab

48b801668aaeced40e183e94b15375a5c5ec8ec9

f3d503acc9e3db9b942f3238cae1eaa085407ef6

9ceba8c4e874bb668ca31491ddcf632f38b23b47

30c9b50f6331de621c8f0e5c884d5dab4b13396b

a31d8d67b49cdf4c44a7f301a931849744c0c96b

30d110bb04932ac5e92b3d56033ac81933b5a208

cc2dc2ead2a8cf384bcf8ac66e31586ca76ee8a9

a1d0dbe601b611a7206f82574fcd72e5ab57f09c

317ce52713f99f3c7a4f38c3a98a02690cce6de7

04e04eae2bd4a29e1a08c38545aef80394f62493

6aba69f858ed360c818bcbe105db01f970d1e6aa

acb292bb3cc0b6095a06dae30d3ff033a3863cfc

82d32c1c8cc1eb08d30326279281f5317bd7b058

f7484ba764d73943f27e8afdf1fc48b09b65caa5

7a2fc3782d179d37a01e4c609ea2be4cb915eebf

8deee992b7c28eec0c414c707724ec2f57d7e168

706aab1479ac2088ea200b988dba61a7e0c38d36

606624c6e7c4627ffc75dbd756ac495ea3b53f69

ed645df93c688885e7a7b01c56d643ad9553b75e

1940de90a38e4f9b06a510ded0472f8829736aff

5b1207d4eb9dd216ed62762a9e8301173b8ccee2

85e9a11e3d04c3c9fd89b55282f2f428643d9bd7

b5a06369e6cf26a947af25790aea053ef1eb398d

9cedd1cdb1a239a7f1c3eda14aa7c4ae3a7022be

c5ba0dd5f7d483ba27ed49f0e9b622622d13a8d4

00be651d94bde3b113569e93ec41dff79749ae82

3a291646b2d21548619b84333beb6f22f8ba5a8d

d7e734be9ea143c41dae3fbf9388a625d6ba8d5d

65bfc482d6c7fbf3b9681af12e25880dfa71785b

34e1e6ec24b92ce374396a5e339c13e47064224a

d9da4f1ed7cd78863b9867d4efbebc22e28e45b5

7a57aa9ee54cc442004a5d6874f623e115552467

4aa1d2cb87352bb96e8cf53c86d5ae40fc7dc1a2

78d311a4a160f3831f978e51b61c5f2d8c165faf

350405545ded0697a3b12e4d9281297005ae9718

6bafdbe578daecd057aa14f11416f717bc4daacc

c9764fd47c1b271945b634a258e1bacac3304f35

4ac1756a4af888bb23f1f0aaec4db9578b159d71

a1cdc9736e93bd1db572a5969be0117e4921de99

af62d2328819267d0207b266bc1cdc3db73fc588

cceee71d75d151fd44d62c25ace07ec9fe8f4647

ff721627e493beaf53371f6eae567725d5a6e6b7

bbb91acd3454be1dc60692a5b7af679467530091

6c0fc552d0fc54c5cb7070e422dfab6537a2956f

a3eaea4926d8088faf4ebcdf8df89594c903e730

ebe809ac123453292b50c75f20d9857caf069aaa

21f06113a03dd7c911adcf902d933a4571052213

e88a5145d6d024e14a5050c1ac93ebc5d400dd17

54ed99f6af6bc246483b235156df28018fd05bc7

12f30c84471ebf8f25a7734932e1144c75888f6f

02d2be28d734f58a30cbebf2c324399279276569

1fbe9ff02b253c9088c70a3b431d7f4559e8d650

410de31222d82b43802cdbc759117696122475b9

cd4439d0c4d98eb2ec2d456173fe4469047a6b08

7f56508595589b74fdea9c277886862aa999ca36

6c3063a6ac9a664c9a52ed39f4c9d8a7d4d89a4b

74c5d21df8ed295f5d87f0707a3f28ad81872c4e

d39a2f010f687c489e886432e6113bd84e96b8a6

6348a1ccdbd541e3e89b4a16d0552189ab7f710d

21feef4ae9e6d6edc2223646aa1137b07e69baf5

3c348b3b2415d37db880bfa5a80567301ab3ea2a

9616f779add04e8c0ef502e19f5c21cf94aa76ff

3fac99faf5039b669710135ae8755e001c7d221d

89bfbdc527a6d070219eb276b8ca1828dd6053eb

417d97d1e2117b3486cd3a8d7498dc1e9b9e5a23

6ae1dbc9e7674d7dbbf125f606b3f7dbd11f8718bfd0d7e0861ffa5afc42b20d

0746c3ed1598947566e92b5e258ee955b559f86f661e7a70aaa56a0ecb9792ad

49f97664b28c15cc244a5d55122f7bb10d246ff851f86fbfeba1bf525da433b9

Cb13d25e921941706eb29f7ec2db1bbc74beb5a6a688f6aa53b2d7bfff1f34a5

67.252[.]10:80

7.41.34[.]80

251.212[.]218:80

20.83[.]120:80

28.24[.]144:80

6.165[.]90:80

2.159[.]222:80

108.185[.]113:80

105.254[.]228:80

21.91[.]8:80

21.92[.]20:80

205.159[.]56:80

187.73[.]202:7012

android.adapi.task

android.adapi.file

android.adapi.radio

android.adapi.location

android.adapi.camera

android.adapi.update

android.adapi.online

android.adapi.contact

android.adapi.wifi

com.as.ytb.downloader