Triada got to Android

Welcome to the iCover blog pages! The number of small Trojans that attack Android devices and try to gain superuser rights in order to take control of them is snowballing. Kaspersky Lab experts have already named at least 11 malicious families that specialize in exactly this scenario. The vast majority of them are relatively harmless and manifest themselves through intrusive advertising and by downloading more of their own kind. If one were to draw an analogy with military operations, such Trojans are a kind of scout sent into the enemy camp to gather the information needed to organize a large-scale offensive.
As you know, once a scout Trojan has entered a system, a targeted invasion by its more or less dangerous companions can soon be expected. And there is no guarantee that among the scout's partners there will not be malicious programs posing a far greater threat than banal advertising. This is exactly how the situation develops with the modular Trojan Triada (in Kaspersky Lab's terminology), which experts have recognized as one of the most complex, dangerous and cunning Trojans identified on mobile devices to date.
The modular Triada Trojan, which actively uses root privileges and modifies system files, is downloaded by small Trojans such as Leech, Ztorg and Gopro. Detecting the Trojan is quite difficult, since for the most part it exists only in the device's RAM.
Way of the Dark Warrior
Once on the device, the "scout" malware gathers key information about the system, including the OS version, device model, SD card size, a list of preinstalled applications, and so on. The collected information is sent to the command server; in Triada's case, experts recorded almost 17 servers located on 4 different domains.
After receiving the packet of information from the Trojan, the command server responds with a configuration file containing the infected device's personal ID and a set of current instructions: at what intervals the malware should contact the server, which modules should be installed, and so on. Immediately after installation, the modules are erased from the device's permanent storage but remain in its RAM. This is how Triada keeps itself hidden.
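The exchange just described, a client that reports in to a command server on a schedule dictated by the server's configuration file, shows up on the network side as regularly spaced connections to the same host. As an added, defender-side illustration that is not from the original post and is not Kaspersky Lab's code, the Python script below scans a constructed connection log (one timestamp and destination host per line; every host name is invented) and flags hosts contacted at near-constant intervals, then groups the hits by registrable domain in the spirit of the "17 servers on 4 domains" observation. The 5% regularity threshold, the minimum of four contacts and the naive two-label domain grouping are assumptions made for the example.

```python
"""Beaconing heuristic: find destination hosts that a device contacts at
near-constant intervals, as a scheduled check-in to a command server would.
Added example, not code from the original post. All hosts and timestamps
below are constructed sample data."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: one "<ISO timestamp> <destination host>" per line.
# Every host name here is invented for the example.
SAMPLE_LOG = """\
2016-03-01T10:00:00 cfg.example-updates.net
2016-03-01T10:00:07 img.photos-site.example
2016-03-01T10:05:00 chat.example.com
2016-03-01T10:12:30 chat.example.com
2016-03-01T10:30:00 cfg.example-updates.net
2016-03-01T10:41:13 mail.example.org
2016-03-01T11:00:00 cfg.example-updates.net
2016-03-01T11:30:01 cfg.example-updates.net
2016-03-01T11:40:00 chat.example.com
2016-03-01T11:45:00 chat.example.com
2016-03-01T11:52:40 img.photos-site.example
2016-03-01T12:00:00 cfg.example-updates.net
2016-03-01T12:30:00 cfg.example-updates.net
2016-03-01T12:31:05 mail.example.org
"""


def parse_log(text):
    """Group connection timestamps by destination host."""
    contacts = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, host = line.split()
        contacts[host].append(datetime.fromisoformat(stamp))
    return contacts


def registrable_domain(host):
    """Naive grouping key: the last two DNS labels (an assumption; real code
    would consult the public suffix list)."""
    return ".".join(host.split(".")[-2:])


def interval_regularity(timestamps, min_contacts=4):
    """Return (mean gap in seconds, coefficient of variation) over the gaps
    between consecutive contacts, or None when there are too few to judge."""
    if len(timestamps) < min_contacts:
        return None
    ordered = sorted(timestamps)
    gaps = [(later - earlier).total_seconds()
            for earlier, later in zip(ordered, ordered[1:])]
    avg = mean(gaps)
    if avg <= 0:
        return None
    # A low coefficient of variation means the gaps are nearly identical.
    return avg, pstdev(gaps) / avg


def find_beacons(log_text, max_cv=0.05):
    """Return {host: {"contacts", "interval_s", "cv"}} for hosts whose contact
    gaps vary by at most max_cv (5% by default, an assumed threshold)."""
    hits = {}
    for host, stamps in parse_log(log_text).items():
        result = interval_regularity(stamps)
        if result is None:
            continue
        avg, cv = result
        if cv <= max_cv:
            hits[host] = {"contacts": len(stamps), "interval_s": avg, "cv": cv}
    return hits


def group_by_domain(hits):
    """Map registrable domain -> sorted list of beaconing hosts under it."""
    grouped = defaultdict(list)
    for host in hits:
        grouped[registrable_domain(host)].append(host)
    return {dom: sorted(hosts) for dom, hosts in grouped.items()}


if __name__ == "__main__":
    found = find_beacons(SAMPLE_LOG)
    for host, info in found.items():
        print(f"{host}: {info['contacts']} contacts every ~{info['interval_s']:.0f}s "
              f"(cv={info['cv']:.4f})")
    print("by domain:", group_by_domain(found))
```

On the constructed log only cfg.example-updates.net is reported (six contacts about 1800 seconds apart); chat.example.com has enough contacts but irregular gaps, and the other two hosts are contacted too rarely to judge. On a real device the input would be connection records exported from a proxy or firewall, and a hit is a lead to investigate, not proof of infection, since legitimate update checks also poll on a schedule.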
It is noteworthy that the difficulty of detecting the malware is also related to the Trojan's modification of the Zygote process, one of the basic Android OS processes, which is used to start every other application. As a result, once Triada gets into Zygote, it subsequently becomes part of every application launched on the smartphone.

By replacing system functions, Triada hides its modules from the list of running processes and installed applications. Thus, for some time the victim does not even suspect that the device is under external control. In addition to the modifications described above, Triada controls the sending of SMS messages and can filter incoming messages. It is at this point that Triada turns the user's smartphone into a money-printing press.
As you know, some applications let you make in-app purchases of goods and services without needing an Internet connection. Identification in this case is done by sending an SMS. Since these messages are handled not by the SMS reader but by the application that initiated the transaction, users do not see them. Such an application might be, for example, yet another shareware mobile game. This is where Triada gets the opportunity to divert funds from the user's account: it modifies the financial messages so that the money goes not to the account of the application's real developers or resellers, but to the attackers' account. As a result, users either do not receive the paid game at all, or they do, but the payment never reaches the developers.
According to Kaspersky Lab experts, this is the only recorded way in which, in their opinion, Triada is able to bring profit to its creators. But, they emphasize, this is a modular Trojan: the malicious hydra can easily be modified for a new task. And since the malware holds root access, the scope and nature of any changes to the device's operation are entirely determined and controlled by the attackers.

One of the most unpleasant features of the malware is the potential danger to millions of mobile device users. According to Kaspersky Lab statistics, the small Trojans mentioned above, which pave the way for taking a device under control and handing superuser rights to attackers, with a probable subsequent installation of Triada, attacked every tenth (!) Android smartphone in the second half of 2015.
Is it possible to protect oneself from such a crafty piece of malware? Yes, and it is not that difficult, the lab notes.
1. First, make it a rule to install the latest system updates. It has been observed that small malware has difficulty obtaining root privileges on devices running Android 4.4.4 and higher, since many vulnerabilities were closed in those OS versions. So if a reasonably recent version of the operating system is already installed on the smartphone, its owner is relatively safe. At the same time, according to the virus lab's statistics, about 60% of Android users are on version 4.4.2 or earlier, and there the chances of encountering Triada in one form or another are very high.

2. Second, it is wiser and more reliable not to tempt fate and not to try to estimate the odds. It is no secret that a variety of Trojans have repeatedly been found even in the official Google store. Reliable protection of the device from Triada can be provided by an antivirus that recognizes it. As one such solution, the Kaspersky Lab security experts who identified the malware suggest Kaspersky Internet Security for Android, which detects all three of its components. A free version of the antivirus application is available, which requires the scan to be launched manually on a regular basis.
Summing up, the Triada discovered by Kaspersky Lab is a very eloquent example of an emerging and unpleasant trend: the growing popularity of the Android OS is attracting more and more attention from malware developers. At the same time, Android vulnerabilities are being exploited very effectively, and the malware itself is almost as good as its Windows counterparts in complexity and stealth.
Dear readers, we are always happy to see you on the pages of our blog. We are ready to keep sharing the latest news, reviews and other publications with you, and will do our best to make the time you spend with us worthwhile. And, of course, don't forget to subscribe to our columns.
