Security Experts:

Connect with us

Hi, what are you looking for?


Mobile & Wireless

Android Trojan Uses Sandbox to Evade Detection

The Triada malware, said last year to be the most advanced mobile threat, recently boosted its detection evasion capabilities with the adoption of sandbox technology, Avast security researchers reveal.

The Triada malware, said last year to be the most advanced mobile threat, recently boosted its detection evasion capabilities with the adoption of sandbox technology, Avast security researchers reveal.

Detailed for the first time in March last year, the malware was observed leveraging the Zygote process to hook all applications on a device. Featuring a modular architecture, the Trojan was mainly designed to redirect financial SMS transactions to buy additional content or steal money from the user.

Recently, Triada started using the open source sandbox DroidPlugin, which is designed to dynamically load and run an app without actually installing it. With the help of this sandbox, Triada loads malicious APK plugins, thus running them without having to install them on the device. Because of this practice, anti-virus solutions have a hard time detecting the malware, because its malicious components are not stored in the host app.

The malware is being distributed with the help of social engineering tactics, by deceiving victims into downloading the malware. Once installed, the threat hides its icon from the phone’s desktop and starts stealing personal information in the background, without ever alerting the victim.

While the earliest variant of the malware didn’t use DroidPlugin, a new variant that emerged in November started integrating it, Avast researchers explain. Around the same time the new Triada variant emerged, the malware author reportedly submitted an issue to DroidPlugin to report an out-of-memory bug.

According to Avast, the malware disguises itself as Wandoujia, a famous Android app store in China. Furthermore, it was observed hiding all of its malicious APK plugins in the asset directory, for DroidPlugin to run.

“Each of these plugins has its own dedicated malicious action to spy on the victim, including file stealing, radio monitoring, and more. One of the plugins communicates with a remote command and control (C&C) server, which instructs which activities should be carried out. These are then carried out by the other APKs,” the researchers say.

Avast also explains that the malware developer didn’t integrate the malicious plugins into an application, but instead opted for the use of DroidPlugin sandbox to dynamically load and run them specifically to bypass antivirus detections. The host application doesn’t include malicious actions, and antivirus solution won’t detect and blog the host app.

Only a couple of cases of malware using sandboxes for their nefarious purposes have been observed so far, but more instances might emerge. “While it can be convenient to use a sandbox to run an app without installing it, sandboxes can also be used maliciously by malware,” Avast concludes.

Related: “PluginPhantom” Android Trojan Uses Plugins to Evade Detection

Related: Triada Trojan Most Advanced Mobile Malware Yet: Kaspersky

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Mobile & Wireless

The February 2023 security updates for Android patch 40 vulnerabilities, including multiple high-severity escalation of privilege bugs.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Mobile & Wireless

South Dakota Gov. Kristi Noem says her personal cell phone was hacked and linked it to the release of documents by the January 6...


Pig Butchering, also known as Sha Zhu Pan and CryptoRom, is an ugly name for an ugly scam.