This is not good news. Kaspersky Lab researchers say they have detected a new malicious program targeting Android devices running Android 4.4.4 and earlier.
Known as Triada, the Trojan is, according to Kaspersky, comparable to Windows-based malware in its complexity. The researchers describe it as stealthy, modular and persistent, and say it was written by highly professional cybercriminals.
Triada can modify outgoing SMS messages sent by other applications, and Kaspersky describes this as the malware's main functionality. When a user makes an in-app purchase via SMS in an Android game, the Trojan can alter the outgoing message so that the payment goes to the fraudsters instead of the game developer.
What distinguishes this malware from other Android malware is its use of Zygote, the parent process of every application on an Android device, which holds the system libraries and frameworks that every installed app uses. In Kaspersky's words, "it's a daemon whose purpose is to launch Android applications". Because every newly started app is forked from this process, once the Trojan gets into Zygote it becomes part of every application launched on the device and can even change the logic of those applications' operations.
This type of malware spreads through applications that users download and install from untrusted sources. Such apps have occasionally been found in the official Google Play store, disguised as games or entertainment applications, which puts a large number of users at risk. They can also be delivered as an update to an existing popular application, and are occasionally pre-installed on the device.
“The Triada of Ztorg, Gorpo and Leech marks a new stage in the evolution of Android-based threats. They are the first widespread malware with the potential to escalate their privileges on most devices. The majority of users attacked by the Trojans were located in Russia, India and Ukraine as well as APAC countries. It is hard to underestimate the threat of a malicious application gaining root access to a device,” said Nikita Buchka, Junior Malware Analyst at Kaspersky Lab. “Their main threat, as the example of Triada shows, is in the fact that they provide access to the device for much more advanced and dangerous malicious applications. They also have a well-thought-out architecture developed by cybercriminals who have deep knowledge of the target mobile platform.”
Kaspersky says there are 11 known mobile Trojan families that use root privileges. Three of them, Ztorg, Gorpo and Leech, operate in cooperation with each other. Devices infected with these Trojans are typically organised into a network, forming a kind of advertising botnet that the threat actors use to install various kinds of adware.
Shortly after rooting the device, the three Trojans download and install a backdoor. The backdoor in turn downloads and activates two modules that can download, install and launch applications.
The application loader and its installation modules belong to different Trojan types, but Kaspersky has added all of them to its antivirus databases under the common name Triada.
Because the malware is nearly impossible to uninstall from an infected device, Kaspersky says users are left with two options to get rid of it: either “root” the device themselves and delete the malicious applications manually, or jailbreak the Android system on the device.