{"id":11481,"date":"2016-03-03T07:00:02","date_gmt":"2016-03-03T12:00:02","guid":{"rendered":"https:\/\/www.kaspersky.com.au\/blog\/?p=11481"},"modified":"2019-11-15T22:54:42","modified_gmt":"2019-11-15T11:54:42","slug":"triada-trojan","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.au\/blog\/triada-trojan\/11481\/","title":{"rendered":"Triada: organized crime on Android"},"content":{"rendered":"<p>You know how armies typically move: first come the scouts to make sure the way is clear, then the heavy troops arrive. At least that is how it used to be before the age of cyber warfare. It turns out that Trojans behave much the same way.<\/p>\n<p>There are a lot of small Trojans for Android capable of escalating their privileges, in other words, gaining root access. Our malware analysts Nikita Buchka and Mikhail Kuzin can easily name 11 families of such Trojans. Most of them are almost harmless: until recently, all they did was inject tons of ads and download others of their kind. If you want to know more about them, our researchers have an <a href=\"https:\/\/securelist.com\/blog\/mobile\/71981\/taking-root\/\" target=\"_blank\" rel=\"noopener noreferrer\">article about them on Securelist<\/a>.<\/p>\n<p>If you follow the military analogy, those are the scouts. As you have probably noticed, root access gives them the ability to download and install applications silently, which is why, once one of them gets into the system, all the others follow within minutes. 
But our researchers predicted that these small Trojans would sooner or later be used to download some really bad malware that can actually harm the owners of the infected devices.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Dangerous trends taking root in <a href=\"https:\/\/twitter.com\/hashtag\/mobile?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#mobile<\/a> phones <a href=\"https:\/\/t.co\/DkLD8KhSuk\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/DkLD8KhSuk<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/research?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#research<\/a> <a href=\"http:\/\/t.co\/wc3NfSSv3Z\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/wc3NfSSv3Z<\/a><\/p>\n<p>\u2014 Securelist (@Securelist) <a href=\"https:\/\/twitter.com\/Securelist\/status\/636925849455996928?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">August 27, 2015<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>And that is exactly what has happened. Small Trojans like Leech, Ztorg and Gopro now download one of the most advanced mobile Trojans our malware analysts have ever encountered. We call it Triada.<\/p>\n<p>Triada is a modular mobile Trojan that actively uses root privileges to substitute system files and lives mostly in the device\u2019s RAM, which makes it extremely hard to detect.<\/p>\n<h3>The dark ways of the Triada<\/h3>\n<p>Once downloaded and installed, Triada first collects information about the system: the device model, the OS version, the amount of free SD card space, the list of installed applications and so on. Then it sends all of that to its Command &amp; Control server. 
We have seen a total of 17 C&amp;C servers across 4 different domains, which suggests the operators understand redundancy quite well.<\/p>\n<p>The C&amp;C server responds with a configuration file containing a unique identifier for the device and a set of settings: the interval between check-ins with the server, the list of modules to install, and so on. The modules are downloaded, loaded into RAM and then deleted from the device storage, so a scanner that only looks at files on disk never sees them.<\/p>\n<p>There are two more reasons why Triada is so hard to detect, and why it impressed our researchers so much. First, it modifies the <a href=\"https:\/\/anatomyofandroid.com\/2013\/10\/15\/zygote\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Zygote process<\/a>. Zygote is the core process of the Android OS: every app process is forked from it, so it serves as the template for every application. Once the Trojan gets into Zygote, its code is inherited by literally every app launched on the device afterwards.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2016\/03\/06022803\/triada-zygote.png\" rel=\"attachment wp-att-11485\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2016\/03\/06022803\/triada-zygote.png\" alt=\"Triada: organized crime on Android\" width=\"2536\" height=\"3304\" class=\"aligncenter size-full wp-image-11485\"><\/a><\/p>\n<p>Second, it hooks system functions and hides its modules from the list of running processes and installed apps. The system sees no unexpected processes and therefore raises no alarm.<\/p>\n<p>Those are not the only system functions Triada hooks. As our researchers discovered, it also intercepts outgoing SMS messages and filters incoming ones. 
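<\/p>\n<p>Both tricks leave a trace that a root shell on the device can still see, and it is worth knowing where to look. Every app process is forked from Zygote and inherits its memory mappings, so an executable region in Zygote that is backed by a file outside the signed system partitions, or by a file that has been unlinked since it was loaded (the kernel marks such entries with <code>(deleted)<\/code>), does not belong there. The script below is an added illustration written for this article; it is not Kaspersky tooling and not code from the Triada samples. It parses the text of <code>\/proc\/&lt;pid&gt;\/maps<\/code> for the Zygote process (a constructed sample is embedded so it runs offline; on a device you would read the real file as root over <code>adb shell<\/code>) and reports the mappings that look injected. The list of trusted partition prefixes and the treatment of JIT-cache regions are assumptions for illustration and need tuning per device and Android release.<\/p>\n

```python
#!/usr/bin/env python3
'''Flag suspicious executable mappings in a Zygote /proc/<pid>/maps dump.

Added illustration for this article: not Kaspersky tooling and not code
from the Triada samples. Code injected into Zygote is inherited by every
app process, and a module that was loaded and then deleted from storage
still shows up in the process memory map, so the map is a good place to
look. On a device, read /proc/<zygote pid>/maps as root and feed it to scan().
'''
import re
from dataclasses import dataclass

# Partitions that are signed, verified and read-only on a stock device.
# Assumed allow-list for illustration; vendors add their own partitions.
TRUSTED_PREFIXES = ('/system/', '/vendor/', '/apex/', '/product/', '/system_ext/', '/odm/')

# Regions the platform maps executable without a regular backing file:
# ART/Dalvik JIT caches and named anonymous memory. Anonymous executable
# memory is also exactly where injected shellcode lives, so these are
# reported as 'info' for a manual look rather than silently accepted.
ANON_LIKE_PREFIXES = ('/dev/ashmem/', '/memfd:', '[anon:')
BENIGN_KERNEL_REGIONS = {'[vdso]', '[vsyscall]', '[vectors]'}

# One /proc/<pid>/maps line: range perms offset dev inode [path]
MAPS_LINE = re.compile(
    r'^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+) +'
    r'(?P<perms>[rwxps-]{4}) +[0-9a-f]+ +[0-9a-f]+:[0-9a-f]+ +'
    r'(?P<inode>[0-9]+) *(?P<path>.*)$'
)

@dataclass(frozen=True)
class Finding:
    start: int
    end: int
    perms: str
    path: str
    severity: str   # 'high' or 'info'
    reason: str

def parse_maps(text):
    '''Yield (start, end, perms, path) for each well-formed maps line; skip the rest.'''
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m:
            yield int(m['start'], 16), int(m['end'], 16), m['perms'], m['path'].strip()

def classify(perms, path):
    '''Return (severity, reason) for an executable mapping, or None if it looks normal.'''
    if 'x' not in perms:
        return None                      # data and stack pages are out of scope here
    if path == '' or path.startswith(ANON_LIKE_PREFIXES):
        return ('info', 'anonymous executable region: JIT cache or injected code, verify manually')
    if path in BENIGN_KERNEL_REGIONS:
        return None
    if path.startswith('['):
        return ('high', 'kernel-provided region ' + path + ' should never be executable')
    if path.endswith(' (deleted)'):
        return ('high', 'executable code backed by a file unlinked after loading (memory-resident module)')
    if not path.startswith(TRUSTED_PREFIXES):
        return ('high', 'executable code loaded from outside the verified system partitions')
    return None

def scan(maps_text):
    '''Return all findings for one maps dump, highest severity first, then by address.'''
    findings = []
    for start, end, perms, path in parse_maps(maps_text):
        verdict = classify(perms, path)
        if verdict is not None:
            findings.append(Finding(start, end, perms, path, *verdict))
    findings.sort(key=lambda f: (f.severity != 'high', f.start))
    return findings

# Constructed sample: a 32-bit Zygote map with two planted oddities (a library
# loaded from /data and one whose file was deleted after loading) alongside
# normal system libraries, the Dalvik JIT cache and kernel regions.
SAMPLE_MAPS = '''
b6f0d000-b6f3c000 r-xp 00000000 b3:19 1184   /system/bin/app_process32
b6f3c000-b6f3e000 r--p 0002e000 b3:19 1184   /system/bin/app_process32
b6e10000-b6e9b000 r-xp 00000000 b3:19 1532   /system/lib/libc.so
b6d00000-b6d80000 r-xp 00000000 b3:19 1610   /system/lib/libart.so
b5a00000-b5a40000 r-xp 00000000 00:04 3321   /dev/ashmem/dalvik-jit-code-cache (deleted)
b4c00000-b4c12000 r-xp 00000000 b3:19 20471  /data/data/com.example.shim/lib/libhook.so
b4b00000-b4b05000 r-xp 00000000 00:00 0
b4a80000-b4a90000 r-xp 00000000 b3:1a 4077   /data/local/tmp/libmod.so (deleted)
b4a00000-b4a03000 rw-p 00000000 00:00 0      [anon:libc_malloc]
b4900000-b4902000 r-xp 00000000 00:00 0      [vdso]
beb00000-beb21000 rw-p 00000000 00:00 0      [stack]
'''

if __name__ == '__main__':
    for f in scan(SAMPLE_MAPS):
        name = f.path or '<anonymous>'
        print(f'{f.severity:4} {f.start:08x}-{f.end:08x} {f.perms} {name}')
        print('     ' + f.reason)
```

<p>Run against the sample, the two planted entries come out first with severity <code>high<\/code>; the anonymous executable regions are reported as <code>info<\/code> because the ART or Dalvik JIT cache legitimately lives there, and a memory-only payload would as well, so those need a manual look rather than an automatic verdict. A process-list hook of the kind described above does not blind this check, because an <code>adb shell<\/code> is not forked from Zygote and so does not carry the hooks; a kernel-level rootkit could still lie to it, but that is beyond what the page describes.<\/p>\n<p>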
This SMS interception is how the operators decided to monetize the Trojan.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">A SMS <a href=\"https:\/\/twitter.com\/hashtag\/Trojan?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#Trojan<\/a> Bypasses <a href=\"https:\/\/twitter.com\/hashtag\/CAPTCHA?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#CAPTCHA<\/a> and Steals Money: <a href=\"https:\/\/t.co\/9fjQ0PwZuw\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/9fjQ0PwZuw<\/a> <a href=\"http:\/\/t.co\/r5jKqQUc3y\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/r5jKqQUc3y<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/578254848203837440?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">March 18, 2015<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>Some applications rely on SMS for in-app purchases: the transaction data is sent as a short text message. The main reason developers choose SMS over conventional online payments is that no Internet connection is required. Users do not see those messages because they are handled not by the SMS app but by the app that initiated the transaction, for example a free-to-play game.<\/p>\n<p>Triada can modify those messages in transit, so the money goes not to the app developer but to the malware operators. 
Triada steals either from the user, if the purchase does not go through, or from the app developer, if the user completed the purchase successfully but the payment was redirected.<\/p>\n<p>For now, that is the only way the cybercriminals profit from Triada, but remember that it is a modular Trojan: a single command from the C&amp;C server can turn it into practically anything.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Evolution of <a href=\"https:\/\/twitter.com\/hashtag\/Asacub?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#Asacub<\/a> trojan: from small fish to ultimate weapon \u2013 <a href=\"https:\/\/t.co\/lLv0pY4lol\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/lLv0pY4lol<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/infosec?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#infosec<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/mobile?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#mobile<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/banking?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#banking<\/a> <a href=\"https:\/\/t.co\/gAM3zzy7aC\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/gAM3zzy7aC<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/689836995196129281?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">January 20, 2016<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<h3>Fighting organized crime in your phone<\/h3>\n<p>One of the main problems with Triada is that it can potentially hurt a LOT of people. As we mentioned earlier, Triada is downloaded by smaller Trojans that have already escalated their privileges. 
Our researchers estimate that one in ten Android users was attacked by one or more of those Trojans during the second half of 2015, so millions of devices are at real risk of a Triada infection.<\/p>\n<p>So, what can you do to protect yourself from this stealthy beast?<\/p>\n<p>1. Keep your system updated. Those smaller Trojans have serious trouble getting root access on Android 4.4.4 and above, because many of the vulnerabilities they rely on were patched in those versions. So if your device runs Android 4.4.4 or a more recent version, your chances of getting infected with Triada are significantly lower. Yet our statistics show that about 60% of Android users are still on Android 4.4.2 or below.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2016\/03\/06022805\/01_en.png\" rel=\"attachment wp-att-11484\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2016\/03\/06022805\/01_en.png\" alt=\"Triada: organized crime on Android\" width=\"1196\" height=\"934\" class=\"aligncenter size-full wp-image-11484\"><\/a><\/p>\n<p>2. Better not to take any chances at all, whichever version of the OS you use, so we recommend installing an anti-virus solution on your Android device. <a href=\"http:\/\/app.appsflyer.com\/com.kms.free?pid=smm&amp;c=kd-com\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Kaspersky Internet Security for Android<\/a> detects all three of Triada\u2019s modules, so it can keep your money away from the cybercriminals behind Triada. Just remember that in the free version the scan does not run automatically.<\/p>\n<p>All in all, Triada is yet another example of a really bad trend: malware developers are taking Android seriously, and the latest samples are almost as complex and hard to withstand as their Windows-based kin. 
The only good way to fight all these threats is to be proactive, and so a good security solution is a must.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Triada is a modular mobile Trojan that actively uses root privileges to substitute system files and uses several clever methods to become almost invisible<\/p>\n","protected":false},"author":696,"featured_media":11482,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5,2646],"tags":[105,36,1474,1475,723],"class_list":{"0":"post-11481","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"category-threats","9":"tag-android","10":"tag-malware-2","11":"tag-sms-trojans","12":"tag-triada","13":"tag-trojans"},"hreflang":[{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/triada-trojan\/11481\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/triada-trojan\/6802\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/triada-trojan\/6858\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/triada-trojan\/6782\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/triada-trojan\/7884\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/triada-trojan\/7640\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/triada-trojan\/11102\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/triada-trojan\/11481\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/triada-trojan\/6083\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/triada-trojan\/10644\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/triada-trojan\/11102\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/triada-trojan\/11481\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com.au\/blog\/tag\/android\/","name":"Android"},"_li
nks":{"self":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/11481","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/users\/696"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/comments?post=11481"}],"version-history":[{"count":2,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/11481\/revisions"}],"predecessor-version":[{"id":24602,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/11481\/revisions\/24602"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media\/11482"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media?parent=11481"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/categories?post=11481"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/tags?post=11481"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}