1. Home > Virus prevention >

Triada: An Android Trojan that can use the sandbox to evade security detection

Recently, we discovered a mobile malware that can use sandbox software (such as VirtualApp) to evade security detection and steal users' Twitter accounts. Therefore, we believe that malicious software that uses sandboxes to evade anti-virus detection will set off a new round of security storms.

Malware analysis
This malware is called Triada (package name is com.android.adapi), the earliest Found in China in mid-2016, it uses an open source sandbox (DroidPlugin) to evade detection by security protection software. DroidPlugin was originally designed and developed by Qihoo 360, and it was put on the Android app market. It can dynamically load and run apps without installing apps, just like VirtualApp. Triada can use DroidPlugin to load malicious APK plugins, so it can run these plugins without installing them. Therefore, this also makes it more difficult for anti-virus products to detect this kind of malware, because its malicious components are not stored in the host App. The DroidPlugin project code is also hosted on GitHub, and interested students can download and view it by themselves. [Portal]
At present, attackers mainly use social engineering techniques to spread Triada and entice users to download and install this malware. When the malware successfully infects the device, it will immediately hide the icon on the mobile phone desktop and start stealing the private information of the target user in the background. In this way, the target user will not even notice that he is infected, but his personal privacy The information has already been sent to a server controlled by cybercriminals.
In fact, DroidPlugin was not used in the early version of the malware, but according to our threat intelligence information, researchers detected a new variant version in November last year, and this variant version is integrated I installed DroidPlugin and disguised myself as a pea pod (a famous Android app store in China).

Interestingly, the developer of this malware even reported an error caused by insufficient memory to the DroidPlugin project problem.

This malware will hide all malicious APK plugins in the Asset directory.

Each plug-in shown in the figure above is used to monitor the target user, and each one has its own Special purpose, such as file theft and video surveillance, etc. One of the plug-ins can communicate with the remote command control server. The attacker can send commands to the plug-in through the server to control its activities. The specific implementation of these control commands is the malicious APK plug-in installed in the target mobile phone. Listed below are some of the APK packages, and we can guess the function of each package from the package name:
android.adapi.task
android.adapi.file
android. adapi.radio
android.adapi.location
android.adapi.camera
android.adapi.update
android.adapi.online
android.adapi.contact
android.adapi.wifi
From the code directory, we can see that the variant version of Triada has integrated DroidPlugin.

This malware uses DroidPlugin to "install" malicious plug-ins, but these plug-ins will eventually be in the sandbox environment (DroidPlugin) It is not actually installed in the target device. After starting the operation, the attacker can monitor the target mobile phone.
Summary
In fact, the functions of these malicious plug-ins can be implemented directly in an App, so why should the developers of the malware Triada use the DroidPlugin sandbox to dynamically load and run the plug-ins? The only possible reason is that criminals want to use the sandbox to bypass the detection of anti-virus products. If an App itself does not contain any malicious activities, but uses plug-ins to dynamically load and execute malicious activities, it is difficult for anti-virus products to detect such security threats.
Threat detection indicator IoC
Malware sample SHA-1 hash: e2b05c8fdf3b82660f7ab378e14b8feab81417f0

This article is published by www.internetweblist.com and does not represent the position of www.internetweblist.com/:http://www.internetweblist.com/Virus prevention/20539.html

Contact Us

Online consultation:click here to give a message