{
	"id": "cc81f593-1666-4355-a102-5728dd1c1ebb",
	"created_at": "2026-04-06T03:37:40.374433Z",
	"updated_at": "2026-04-10T13:12:06.237541Z",
	"deleted_at": null,
	"sha1_hash": "9ba45c5ef6c7d2c3f0222a13842ef33e61145a58",
	"title": "Triada: organized crime on Android",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 412565,
	"plain_text": "Triada: organized crime on Android\r\nBy John Snow\r\nPublished: 2016-03-03 · Archived: 2026-04-06 03:10:24 UTC\r\nYou know how armies typically move: first come the scouts to make sure everything is ok. Then the heavy troops arrive; at least that was how it used to be before the age of cyber wars. It turns out that Trojans behave quite the same way.\r\nThere are a lot of small Trojans for Android capable of leveraging access privileges, in other words — gaining root access. Our malware analysts Nikita Buchka and Mikhail Kuzin can easily name 11 families of such Trojans. Most of them are almost harmless — all they did until recently was inject tons of ads and download others of their kind. If you want to know more about them, our researchers have an article about them on Securelist.\r\nIf you follow the military analogy, those are the scouts. As you probably have noticed, gaining root access gives them the capability to download and install applications — that’s the reason why once one of them gets into the system, in a few minutes all the others are there too. But our researchers had predicted that these small Trojans would certainly be used to download some really bad malware that can actually harm the owners of the infected devices.\r\nAnd that’s exactly what has happened recently. Small Trojans like Leech, Ztorg and Gopro now download one of the most advanced mobile Trojans our malware analysts have ever encountered — we call it Triada.\r\nTriada is a modular mobile Trojan that actively uses root privileges to substitute system files and exists mostly in the device’s RAM, which makes it extremely hard to detect.\r\nThe dark ways of the Triada\r\nOnce downloaded and installed, the Triada Trojan first tries to collect some information about the system — like the device model, the OS version, the amount of SD card space, the list of installed applications and other things. Then it sends all that information to the Command \u0026 Control server. We have detected a total of 17 C\u0026C servers on 4 different domains, which probably means the bad guys are quite familiar with what redundancy is.\r\nThe C\u0026C server then responds with a configuration file containing the personal identification number for the device and some settings — the time interval between contacting the server, the list of modules to be installed and so on. After the modules are installed they are deployed to short-term memory and deleted from the device storage, which makes the Trojan a lot harder to catch.\r\nThere are two more reasons why Triada is so hard to detect and why it has impressed our researchers so much. First, it modifies the Zygote process. Zygote is the core process in the Android OS that is used as a template for every application, which means that once the Trojan gets into Zygote, it becomes a part of literally every app that is launched on the device.\r\nSecond, it substitutes the system functions and conceals its modules from the list of running processes and installed apps. So the system doesn’t see any strange processes running and thus does not raise the alarm.\r\nThose are not the only system functions Triada modifies. As our researchers discovered, it also lays its hands on the outgoing SMS and filters the incoming ones. That is actually how the bad guys decided to monetize the Trojan.\r\nSome applications rely on SMS when it comes to in-app purchases — the transaction data is transferred via a short text message. The main reason for developers to choose SMS over traditional payments via the Internet is that in the case of SMS no Internet connection is required. Users do not see those SMS because they are processed not by the SMS app, but by the app that has initiated the transaction — e.g. a free-to-play game.\r\nTriada’s functionality allows it to modify those messages, so the money is sent not to some app developer, but to the malware operators. Triada steals the money either from the users — if they haven’t succeeded in purchasing whatever they wanted, or from the app developers, in case the user has completed the purchase successfully.\r\nFor now, that is the only way cybercriminals can profit from Triada, but don’t forget that it’s a modular Trojan, so it can be turned into literally anything on one command from the C\u0026C server.\r\nFighting organized crime in your phone\r\nOne of the main problems with Triada is that it can potentially hurt a LOT of people. As we’ve mentioned earlier, Triada is downloaded by smaller Trojans that have leveraged the access privileges. And our researchers estimate that 1 in every 10 Android users was attacked by one or several of those Trojans during the second half of 2015, so there are millions of devices with a huge possibility of being infected with Triada.\r\nSo, what can you do to protect yourself from this stealthy beast?\r\n1. Never forget to update your system. It turns out that those smaller Trojans face serious problems trying to get root access on Android 4.4.4 and above, because a lot of vulnerabilities were patched in these versions. So if you have Android 4.4.4 or some more recent version of this OS on your device, your chances of getting infected with Triada are significantly lower. Yet our statistics say that about 60% of Android users are still sitting with Android 4.4.2 and below.\r\n2. Better not to take any chances at all, no matter which version of the OS you use. So we recommend installing an anti-virus solution on your Android device. detects all three of Triada’s modules, so it can save your money from the cybercriminals that are behind Triada. Just don’t forget that the scan does not run automatically in the free version.\r\nBut all in all, Triada is yet another example of a really bad trend: malware developers are taking Android seriously, and the latest samples are almost as complex and hard to withstand as their Windows-based kin. The only good way to fight all these threats is to be proactive, and so a good security solution is a must.\r\nSource: https://www.kaspersky.com/blog/triada-trojan/11481/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.kaspersky.com/blog/triada-trojan/11481/"
	],
	"report_names": [
		"11481"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775446660,
	"ts_updated_at": 1775826726,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9ba45c5ef6c7d2c3f0222a13842ef33e61145a58.pdf",
		"text": "https://archive.orkl.eu/9ba45c5ef6c7d2c3f0222a13842ef33e61145a58.txt",
		"img": "https://archive.orkl.eu/9ba45c5ef6c7d2c3f0222a13842ef33e61145a58.jpg"
	}
}