The Triada malware, said last year to be the most advanced mobile threat, recently boosted its detection evasion capabilities with the adoption of sandbox technology, Avast security researchers reveal.
Detailed for the first time in March last year, the malware was observed leveraging the Zygote process to hook all applications on a device. Featuring a modular architecture, the Trojan was mainly designed to redirect financial SMS transactions to buy additional content or steal money from the user.
Recently, Triada started using the open source sandbox DroidPlugin, which is designed to dynamically load and run an app without actually installing it. With the help of this sandbox, Triada loads malicious APK plugins, thus running them without having to install them on the device. Because of this practice, anti-virus solutions have a hard time detecting the malware, because its malicious components are not stored in the host app.
The malware is being distributed with the help of social engineering tactics, by deceiving victims into downloading the malware. Once installed, the threat hides its icon from the phone’s desktop and starts stealing personal information in the background, without ever alerting the victim.
While the earliest variant of the malware didn’t use DroidPlugin, a new variant that emerged in November started integrating it, Avast researchers explain. Around the same time the new Triada variant emerged, the malware author reportedly submitted an issue to DroidPlugin to report an out-of-memory bug.
According to Avast, the malware disguises itself as Wandoujia, a famous Android app store in China. Furthermore, it was observed hiding all of its malicious APK plugins in the asset directory, for DroidPlugin to run.
“Each of these plugins has its own dedicated malicious action to spy on the victim, including file stealing, radio monitoring, and more. One of the plugins communicates with a remote command and control (C&C) server, which instructs which activities should be carried out. These are then carried out by the other APKs,” the researchers say.
Avast also explains that the malware developer didn’t integrate the malicious plugins into an application, but instead opted for the use of DroidPlugin sandbox to dynamically load and run them specifically to bypass antivirus detections. The host application doesn’t include malicious actions, and antivirus solution won’t detect and blog the host app.
Only a couple of cases of malware using sandboxes for their nefarious purposes have been observed so far, but more instances might emerge. “While it can be convenient to use a sandbox to run an app without installing it, sandboxes can also be used maliciously by malware,” Avast concludes.
Related: “PluginPhantom” Android Trojan Uses Plugins to Evade Detection
Related: Triada Trojan Most Advanced Mobile Malware Yet: Kaspersky