A new Trojan is targeting Android devices in an effort to steal money from victims, researchers said.
Called Triada (Backdoor.AndroidOS.Triada), this malware family’s main goal is to redirect financial SMS transactions to buy additional content or steal money from the user, said researchers at Kaspersky Lab.
What sets the Trojan apart, they said, is a modular architecture combined with the ability to infiltrate all processes on the infected system to achieve high persistence.
The malware’s modular architecture allows operators to do almost anything on the device, researchers said. The only limits lie within the operating system itself.
The malware is distributed through an “advertising botnet” that includes malware families such as Leech, Ztorg, and Gorpo, along with a new family, Trojan.AndroidOS.Iop, said Kaspersky Lab’s Nikita Buchka and Mikhail Kuzin in a blog post. These Trojans have rooting capabilities, which they use to install each other on infected devices and to download and install other applications.
The Triada Trojan uses the Zygote parent process to run its code in the context of every application on the device. Zygote preloads the system libraries and frameworks that almost all apps use and is forked to create each new app process; code that enters Zygote becomes part of that template, so the Trojan runs inside every application launched afterwards.
Because Triada actively uses root privileges to substitute system files and exists mostly in the mobile device’s RAM, it is extremely difficult to detect, Kaspersky researchers said.
The Trojan also hides its modules from the lists of running services, running applications, installed packages, and installed applications.
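To make the Zygote point above concrete, and to show why a hook in the template can both divert traffic and hide modules from every app that asks the framework for a list, here is an added example. It is not Kaspersky’s code and not Triada; it models Zygote as a plain Linux process that fork()s “apps”, with a constructed one-entry dispatch table standing in for a preloaded framework API, a hypothetical hook standing in for injected code, and a constructed phone number as input. The point it demonstrates is that a pointer swapped in the parent before fork() is inherited by every child, while nothing on disk changes.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Constructed stand-in for a preloaded framework call that every "app" uses.
 * Return codes are this example's own convention:
 *   1 = message went where the app asked
 *   2 = message was intercepted by injected code
 *  -1 = spawning the child or reading its result failed */
typedef int (*send_sms_fn)(const char *dest, const char *body);

static int real_send_sms(const char *dest, const char *body) {
    (void)body;
    return dest != NULL ? 1 : -1;
}

/* Dispatch entry held in the template process. A forked child gets a
 * copy-on-write duplicate, so whatever this points to at fork() time is
 * what the child will call. Nothing here is ever written to disk. */
static send_sms_fn framework_send_sms = real_send_sms;

/* Hypothetical hook standing in for the attacker's code: every outgoing
 * message is diverted, no matter which app sent it. */
static int hooked_send_sms(const char *dest, const char *body) {
    (void)dest; (void)body;
    return 2;
}

/* Modify the template in memory only, as code running with write access
 * to the template process could. */
void inject_into_template(void) {
    framework_send_sms = hooked_send_sms;
}

/* Integrity check a defender can run against the template: does the
 * in-memory dispatch entry still point at the genuine implementation? */
int template_is_clean(void) {
    return framework_send_sms == real_send_sms;
}

/* Fork an "app" from the template, let it send one message through the
 * framework it inherited, and report which path the message really took. */
int spawn_app_and_send(const char *dest) {
    int fd[2];
    if (pipe(fd) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fd[0]); close(fd[1]); return -1; }
    if (pid == 0) {
        close(fd[0]);
        int r = framework_send_sms(dest, "payment confirmation");
        ssize_t n = write(fd[1], &r, sizeof r);
        (void)n;
        _exit(0);
    }
    close(fd[1]);
    int result = -1;
    if (read(fd[0], &result, sizeof result) != (ssize_t)sizeof result) result = -1;
    close(fd[0]);
    waitpid(pid, NULL, 0);
    return result;
}

int main(void) {
    /* "+15550100" is a constructed sample destination, not a real number. */
    printf("before injection: app send -> %d, template clean = %d\n",
           spawn_app_and_send("+15550100"), template_is_clean());
    inject_into_template();
    printf("after injection:  app send -> %d, template clean = %d\n",
           spawn_app_and_send("+15550100"), template_is_clean());
    return 0;
}
```

The first app forked before the hook is installed reaches the genuine implementation; every app forked afterwards calls the hook without any change to its own code or to any file. The same mechanism explains the hiding described above: if the hooked entry is the call an app uses to list packages or running services, the hook can simply omit the Trojan’s modules from the answer. The template_is_clean() check is the defender’s side of this: because the modification lives only in the parent process’s memory, a file-based scan of the system libraries finds nothing, and the useful check is to compare what the long-lived template process actually has in memory against what the on-disk code says it should have.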
Kaspersky Lab researchers said the techniques used by the Trojan have not been seen in any other known mobile malware, and called it the most advanced and dangerous malicious application targeting Android.