Full Report
A new version of the Triada trojan has been discovered preinstalled on thousands of new Android devices, allowing threat actors to steal data as soon as they are set up. [...]
Analysis Summary
# Tool/Technique: Triada Malware
## Overview
Triada is a highly evasive malware, specifically a Trojan, that has been found embedded directly into the firmware of counterfeit, low-cost Android devices during the supply chain, before they reach end-users. Its purpose is to compromise the device, steal sensitive information (like accounts and cryptocurrency), and perform various malicious actions by persisting across system processes.
## Technical Details
- Type: Malware family (Trojan)
- Platform: Android
- Capabilities: Stealing accounts, sending/deleting messages (WhatsApp/Telegram), cryptocurrency hijacking, tracking browsing activity, spoofing phone numbers, intercepting/sending/deleting SMS, enabling premium SMS, remote application execution, blocking network connections to evade security.
- First Seen: Not specified in the source text; the newest version is currently active.
## MITRE ATT&CK Mapping
The source text describes the malware's actions rather than providing a TTP mapping, so the mapping below infers common categories for mobile malware with these capabilities:
- **TA0007 - Credential Access**
  - T1557 - Steal Accounts from Messengers/Social Media (Inferred)
- **TA0011 - Collection**
  - T1425 - Intercepting Communications/Messages (SMS, WhatsApp, Telegram) (Inferred)
- **TA0001 - Initial Access**
  - T1410 - Compromised Supply Chain (Malware embedded in firmware) (Inferred)
- **TA0005 - Defense Evasion**
  - T1482 - Blocking Network Connections (Inferred)
- **TA0010 - Exfiltration**
  - General Data Exfiltration related to stolen accounts (Inferred)
## Functionality
### Core Capabilities
- Persistence: Embedded in the firmware, copying itself to every running process on the smartphone.
- Financial Theft: Hijacking cryptocurrency by replacing wallet addresses in apps and enabling premium SMS services.
- Communication Manipulation: Sending, deleting, and intercepting SMS messages; sending/deleting messages on WhatsApp and Telegram to impersonate users; spoofing phone numbers to reroute conversations.
- Information Stealing: Stealing accounts from messengers and social media.
### Advanced Features
- Firmware-level persistence makes removal extremely difficult without reflashing the operating system.
- Evasion capabilities, including blocking network connections to hinder detection or disruption of defenses.
- Remote execution of additional applications.
## Indicators of Compromise
- File Hashes: [Not provided]
- File Names: [Not provided]
- Registry Keys: [Not applicable; Android has no registry]
- Network Indicators: [Not specified in the source text; see the behavioral indicators below]
- Behavioral Indicators:
  - Copying itself into every process started on the smartphone (system framework persistence).
  - Cryptocurrency transactions in which the destination wallet address has been replaced.
  - Rerouting or intercepting SMS/calls via number spoofing.
## Associated Threat Actors
- The specific threat actor group is not named, but it is associated with a large-scale operation that has stolen at least $270,000 in traceable cryptocurrency, plus unknown amounts of Monero.
## Detection Methods
- Signature-based detection: Difficult because the malware is embedded in the firmware and its self-copying into running processes evades file-based signatures.
- Behavioral detection: Monitoring for process injection, unauthorized SMS/messaging actions, and unauthorized enabling of premium services.
- YARA rules: [Not provided]
## Mitigation Strategies
- Prevention measures: Only purchase smartphones from authorized distributors.
- Hardening recommendations: Reflash the device with a clean Google Generic System Image (GSI) or a trustworthy third-party ROM such as LineageOS or GrapheneOS.
## Related Tools/Techniques
- Other sophisticated mobile malware or supply chain compromise techniques targeting hardware/firmware.