SecurityWeek

Android Trojan Uses Sandbox to Evade Detection

The Triada malware, said last year to be the most advanced mobile threat, recently boosted its detection evasion capabilities with the adoption of sandbox technology, Avast security researchers reveal.

Detailed for the first time in March last year, the malware was observed leveraging the Zygote process to hook all applications on a device. Featuring a modular architecture, the Trojan was mainly designed to redirect financial SMS transactions to buy additional content or steal money from the user.

Recently, Triada started using the open source sandbox DroidPlugin, which is designed to dynamically load and run an app without actually installing it. With the help of this sandbox, Triada loads malicious APK plugins and runs them without having to install them on the device. As a result, anti-virus solutions have a hard time detecting the malware, because its malicious components are not stored in the host app.

The malware is being distributed with the help of social engineering tactics, by deceiving victims into downloading the malware. Once installed, the threat hides its icon from the phone’s desktop and starts stealing personal information in the background, without ever alerting the victim.

While the earliest variant of the malware didn’t use DroidPlugin, a new variant that emerged in November started integrating it, Avast researchers explain. Around the same time the new Triada variant emerged, the malware author reportedly submitted an issue to DroidPlugin to report an out-of-memory bug.

According to Avast, the malware disguises itself as Wandoujia, a famous Android app store in China. Furthermore, it was observed hiding all of its malicious APK plugins in the asset directory, for DroidPlugin to run.
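A defender-side check for the technique described above: scan a host APK's assets/ directory for entries that are themselves APKs or raw DEX code, which the host's own manifest and classes.dex never reveal. This is an added example, not code from the article or from Avast; the host APK it inspects is constructed inline, and the magic-byte and file-name heuristics are the example's own.

```python
import io
import zipfile
from typing import List, Optional, Tuple

ZIP_MAGIC = b"PK\x03\x04"   # local file header of a non-empty zip/APK
DEX_MAGIC = b"dex\n"        # Dalvik executable header

def classify_blob(data: bytes) -> Optional[str]:
    """Return 'apk', 'zip', 'dex' or None for a raw byte string."""
    if data.startswith(DEX_MAGIC):
        return "dex"
    if not data.startswith(ZIP_MAGIC):
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as inner:
            names = set(inner.namelist())
    except zipfile.BadZipFile:
        return None
    # A zip that carries a manifest or compiled code is an APK, not just data.
    return "apk" if {"AndroidManifest.xml", "classes.dex"} & names else "zip"

def find_embedded_code(apk_bytes: bytes) -> List[Tuple[str, str]]:
    """List (asset path, kind) for every asset that is itself an APK or DEX."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if name.startswith("assets/") and not name.endswith("/"):
                kind = classify_blob(apk.read(name))
                if kind in ("apk", "dex"):
                    findings.append((name, kind))
    return findings

def _make_zip(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for n, d in entries.items():
            z.writestr(n, d)
    return buf.getvalue()

def build_sample_apk() -> bytes:
    """Constructed host APK whose assets/ hides a plugin APK and a bare DEX."""
    dex = DEX_MAGIC + b"035\0" + b"\0" * 16                # fake DEX header
    plugin = _make_zip({"AndroidManifest.xml": b"<manifest/>", "classes.dex": dex})
    return _make_zip({
        "AndroidManifest.xml": b"<manifest/>",             # innocuous-looking host
        "classes.dex": dex,
        "assets/config.json": b"{}",                       # ordinary asset, ignored
        "assets/plugins/sms.apk": plugin,                  # plugin APK hidden in assets
        "assets/data.bin": dex,                            # raw DEX blob in assets
    })
```

Run `find_embedded_code(build_sample_apk())` to see the two hidden payloads reported; the ordinary JSON asset is not flagged.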

“Each of these plugins has its own dedicated malicious action to spy on the victim, including file stealing, radio monitoring, and more. One of the plugins communicates with a remote command and control (C&C) server, which instructs which activities should be carried out. These are then carried out by the other APKs,” the researchers say.

Avast also explains that the malware developer didn’t integrate the malicious plugins into an application, but instead opted to use the DroidPlugin sandbox to dynamically load and run them, specifically to bypass antivirus detection. The host application doesn’t include malicious actions, so antivirus solutions won’t detect and block the host app.

Only a couple of cases of malware using sandboxes for their nefarious purposes have been observed so far, but more instances might emerge. “While it can be convenient to use a sandbox to run an app without installing it, sandboxes can also be used maliciously by malware,” Avast concludes.

Related: “PluginPhantom” Android Trojan Uses Plugins to Evade Detection

Related: Triada Trojan Most Advanced Mobile Malware Yet: Kaspersky

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
