A Kaspersky expert has discovered a new version of the Triada Trojan, with custom modules for Telegram, WhatsApp, TikTok, and other apps.
# Tool/Technique: Triada Trojan (New Variants)
## Overview
The Triada Trojan is a sophisticated, evolving malware family primarily targeting Android devices. Recent variants leverage pre-installation via infected device firmware, bypassing modern privilege restrictions. Its core purpose is to establish deep persistence and compromise every application running on the system by infecting the Zygote process.
## Technical Details
- Type: Malware family (Trojan)
- Platform: Android OS (a legacy execution path targets versions 9 and earlier; the firmware-infection vector is effective across recent versions as well)
- Capabilities: Multi-stage loading, Zygote process injection, application-level payload execution, credential theft, SMS interception, financial fraud (wallet replacement).
- First Seen: Earlier versions were already well known; the new tactics were described in research published in March 2025.
## MITRE ATT&CK Mapping
While the context focuses on Android system manipulation rather than the standard enterprise matrix, the following mappings reflect its core actions on the compromised device:
- **TA0005 - Defense Evasion**
- T1218 - Signed Binary Proxy Execution (implied by injection into system components such as the AOT-compiled framework)
- **TA0003 - Persistence**
- T1553 - Subvert Trust Controls
- T1553.001 - Root Certificate or Trust Store Modification (Implied, as firmware modification achieves even deeper trust placement)
- **TA0002 - Execution**
- T1059 - Command and Scripting Interpreter
- T1059.008 - Scripting Interpreter: WSH/VBScript (Analogous to injecting code into the system framework context)
- **TA0006 - Credential Access**
- T1213 - Data from Local System (Stealing login credentials for apps)
## Functionality
### Core Capabilities
Triada achieves persistence by embedding a loader directly into the Android device firmware, often hidden within the system applications responsible for Over-The-Air (OTA) updates, a vector it shares with the earlier Dwphon loader. The core infection mechanism corrupts the AOT-compiled system framework (`boot-framework.oat`) so that it loads a malicious native library (`/system/framework/arm/binder.so` or `/system/framework/arm64/binder.so`) into the **Zygote process**.
### Advanced Features
- **Zygote Infection:** Compromises Zygote, ensuring the malware's presence in **every application process** launched on the device.
- **Modular Architecture:** Allows attackers to deploy tailored payloads dynamically based on the host application context.
- **Payloads Analyzed:**
1. **Auxiliary Module:** A `.jar` file that registers a receiver capable of loading arbitrary code; it is used to register native methods that intercept arbitrary method calls within the host process.
2. **`mms-core.jar` Backdoor:** Decrypted via double XOR, loaded using `DexClassLoader`, and subsequently deleted from disk. This module enables specific application-level attacks.
- **Application-Specific Malice:**
- Modify cryptocurrency wallet addresses during transactions.
- Replace arbitrary links viewed in browsers.
- Send SMS messages and intercept replies.
- Steal login credentials from messaging and social media applications.
## Indicators of Compromise
- File Hashes: *(Not provided in the text)*
- File Names:
- Malicious Native Library: `binder.so` (located in `/system/framework/arm/` or `/system/framework/arm64/`)
- Infected Framework Component: `boot-framework.oat`
- Auxiliary Module Dropped: `systemlibarm64_%N%.jar` (N = random number)
- Backdoor Dropped: `/data/data/%PACKAGE%/mms-core.jar`
- Registry Keys: *(Not applicable/provided for Android system libraries)*
- Network Indicators: *(No specific C2 addresses were detailed, only general capabilities described)*
- Behavioral Indicators:
- Infection of `/system/framework/` libraries.
- Modification of `android.util.Log` class to call suspicious native methods (`println_native` -> `_config_log_println`).
- Injection of modules into every process spawned from Zygote.
## Associated Threat Actors
- **Triada Operators** (The text primarily focuses on the malware itself evolving from past iterations.)
## Detection Methods
- Signature-based detection: Kaspersky products detect the new version as **Backdoor.AndroidOS.Triada.z**.
- Behavioral detection: Monitoring for the loading of custom libraries into the Zygote process or dynamic loading of JARs via `DexClassLoader` within sensitive application contexts.
- YARA rules: *(Not provided in the text)* Detection efforts should instead focus on verifying the integrity of system framework files such as `binder.so` and `boot-framework.oat`.
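The two detection ideas above (flagging unexpected libraries in Zygote-derived processes and checking framework file integrity) can be turned into a small offline triage script. The following Python is an added example, not code from the Kaspersky report or from any Kaspersky product; it runs over constructed `/proc/<pid>/maps`-style lines and a constructed baseline manifest, using only the file names and paths listed in the Indicators of Compromise section. The package name `com.example.app`, the digests and the file contents are made up for illustration.

```python
"""Added example (not from the Kaspersky report): a triage pass over the
Triada indicators listed on this page.

1. scan_process_maps(): parse /proc/<pid>/maps-style lines from Zygote or any
   process forked from it and flag native libraries mapped from
   /system/framework/arm*/ (the report names binder.so there) and dropped
   modules matching systemlibarm64_<N>.jar or mms-core.jar.
2. verify_framework_integrity(): compare SHA-256 digests of framework files
   against a baseline captured from a known-clean image of the same build.

All sample data below is constructed; on a real device the maps lines and
the baseline would be collected from the device and a trusted image.
"""
import hashlib
import re
from typing import Dict, List, Tuple

# Locations the report associates with the malicious native library. Stock
# Android keeps native code in /system/lib and /system/lib64; the framework
# directories hold .oat/.odex/.jar, so a .so here is itself anomalous.
SUSPICIOUS_LIB_DIRS = ("/system/framework/arm/", "/system/framework/arm64/")

# Dropped-module names from the IoC list. The report says mms-core.jar is
# deleted after loading, so a mapping of a removed file may still be visible
# with a trailing " (deleted)" marker; the optional group covers that.
DROPPED_MODULE_RE = re.compile(r"(systemlibarm64_\d+\.jar|mms-core\.jar)( \(deleted\))?$")

# One maps line: "addr perms offset dev inode [path]"; anonymous mappings
# have no path and are skipped.
_MAPS_RE = re.compile(r"^\S+\s+\S+\s+\S+\s+\S+\s+\d+\s+(?P<path>\S.*)$")


def scan_process_maps(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (reason, path) findings, one per distinct suspicious mapping."""
    findings: List[Tuple[str, str]] = []
    seen = set()
    for line in lines:
        m = _MAPS_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path")
        if path in seen:
            continue
        seen.add(path)
        if path.endswith(".so") and path.startswith(SUSPICIOUS_LIB_DIRS):
            findings.append(("native library mapped from framework dir", path))
        elif DROPPED_MODULE_RE.search(path):
            findings.append(("Triada-style dropped module", path))
    return findings


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_framework_integrity(files: Dict[str, bytes], baseline: Dict[str, str]) -> List[str]:
    """Compare on-device file contents with baseline digests.

    Reports modified files, files the baseline lacks (unexpected additions
    such as binder.so) and baseline files missing from the device.
    """
    problems = []
    for path, digest in baseline.items():
        if path not in files:
            problems.append(f"missing: {path}")
        elif sha256_bytes(files[path]) != digest:
            problems.append(f"modified: {path}")
    for path in files:
        if path not in baseline:
            problems.append(f"unexpected: {path}")
    return sorted(problems)


# Constructed sample input: a Zygote-child maps excerpt with one legitimate
# libbinder.so, the report's binder.so under the framework dir, and two
# dropped modules (one already unlinked).
SAMPLE_MAPS = """\
7f1a000000-7f1a2c0000 r--p 00000000 fd:00 1234 /system/framework/arm64/boot-framework.oat
7f1b000000-7f1b004000 r-xp 00000000 fd:00 1235 /system/framework/arm64/binder.so
7f1c000000-7f1c100000 r-xp 00000000 fd:00 1236 /system/lib64/libbinder.so
7f1d000000-7f1d020000 rw-p 00000000 00:00 0
7f1e000000-7f1e010000 r--p 00000000 fd:01 4321 /data/data/com.example.app/mms-core.jar
7f1f000000-7f1f008000 r--p 00000000 fd:01 4322 /data/data/com.example.app/systemlibarm64_42.jar (deleted)
""".splitlines()

# Constructed baseline: digest of a "clean" boot-framework.oat stand-in.
CLEAN_OAT = b"constructed stand-in for a clean boot-framework.oat"
BASELINE = {"/system/framework/arm64/boot-framework.oat": sha256_bytes(CLEAN_OAT)}
# Constructed device view: the oat has been altered and binder.so was added.
DEVICE_FILES = {
    "/system/framework/arm64/boot-framework.oat": CLEAN_OAT + b"\x00patched",
    "/system/framework/arm64/binder.so": b"constructed stand-in for the injected library",
}

if __name__ == "__main__":
    for reason, path in scan_process_maps(SAMPLE_MAPS):
        print(f"[maps] {reason}: {path}")
    for problem in verify_framework_integrity(DEVICE_FILES, BASELINE):
        print(f"[integrity] {problem}")
```

The integrity check is only as good as its baseline: it must come from a trusted image of the same build, not from the suspect device, since the report's point is that the compromised files ship inside the firmware itself.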
## Mitigation Strategies
- Preventing pre-installation attacks requires strict control over the device supply chain (i.e., purchasing devices only from trusted vendors, or scanning the firmware before first use when buying new or unsealed devices from other sources).
- Maintain firmware integrity: patching old vulnerabilities is insufficient when the malware is embedded in a core partition the user cannot modify.
## Related Tools/Techniques
- **Dwphon loader:** Mentioned as an earlier loader that utilized a similar firmware infection vector via OTA update mechanisms.