Researchers have spotted the latest version of the Triada trojan targeting mobile devices via an advertising SDK.
Triada malware, both pernicious and persistent, has resurfaced. Its most recent sighting is buried inside an advertising component of a modified version of the popular WhatsApp messenger called FM WhatsApp.
The malware, first spotted by researchers at Kaspersky in 2016, is a type of mobile supply-chain malware that today delivers a bevy of additional unwanted trojans to hapless victims. The latest version of Triada slips onto phones via an advertising software development kit (SDK) used to monetize the third-party FM WhatsApp Android mobile app.
Version 16.80.0 of FM WhatsApp is affected. The app, only available via unofficial third-party app stores, is one of many popular WhatsApp mods that allow users to add functionality to Facebook’s WhatsApp messenger.
In a Tuesday report, Kaspersky researchers warn that this latest version of Triada acts as a payload downloader, injecting up to six additional trojan applications onto Android phones. These can perform a number of malicious actions, from silently commandeering a handset to displaying full-screen pop-up ads.
“We don’t recommend using unofficial modifications of apps, especially WhatsApp mods. You may well end up with an unwanted paid subscription, or even lose control of your account altogether, which attackers can hijack to use for their own purposes, such as spreading spam sent in your name,” wrote Kaspersky cybersecurity expert Igor Golovin on Tuesday.
The developer of FM WhatsApp – Foud Apps – did not return requests for comment. It’s unclear how popular the app is among WhatsApp users; however, a cursory review of top third-party WhatsApp mods does not list FM WhatsApp.
Kaspersky first discovered Triada in 2016 and dubbed it “almost invisible” to users and to those trying to find and remove it. The company also described it as “one of the most advanced mobile Trojans our malware analysts have ever encountered.”
Its 2016 iteration was “a modular mobile trojan that actively uses root privileges to substitute system files and exists mostly in the device’s RAM, which makes it extremely hard to detect,” Kaspersky said. Most often the malware was delivered post-infection via the trojans Leech, Ztorg and Gopro.
In 2019, Google’s Android Security and Privacy Team spotlighted Triada as an example of a type of malware that would be neutralized by an update to its Google Play Protect. Google noted the evolution of the malware in a blog post.
“During the summer of 2017 we noticed a change in new Triada samples. Instead of rooting the device to obtain elevating privileges, Triada evolved to become a pre-installed Android framework backdoor,” wrote Lukasz Siewierski, with Google’s Android Security and Privacy Team.
The 2021 incarnation of Triada, according to Kaspersky, plants itself on Android handsets via malicious code embedded in FM WhatsApp (version 16.80.0). When the app starts, the Triada malware is decrypted and launched, triggered via a long command string embedded in the app’s code.
Kaspersky likens Triada to the malicious code it found embedded in the APKPure app in April and in CamScanner in 2019, both now unavailable via Google Play.
Leaving the Backdoor Wide Open
Malware similar to Triada has garnered more attention from researchers as it has been increasingly discovered pre-installed on budget phones as a backdoor for threat actors to abuse. In each case, a malicious dropper component delivers a host of trojans, giving criminals access to a device via a command-and-control backend. In 2019, Google confirmed Triada did just that.
The most recent version of Triada has also evolved in the way it infects and hides on a phone. Instead of relying upon being able to root the smartphone to elevate privileges, as it did in 2017, the threat actors behind Triada adopted a more advanced attack methodology.
Triada now comes pre-installed on a handset or bundled inside a malicious app. Once active, the malware abuses a call in the Android framework log function. This means every time any app attempts to log something, a function is called and Triada code is launched, allowing the trojan to execute code in the context of any app.
“With this app, it is hard for users to recognize the potential threat because the mod application actually does what is proposed – it adds additional features,” Kaspersky’s Golovin said.