
Triada has made it to Android


Welcome to the pages of the iCover blog! The number of small Trojans attacking Android gadgets and trying to obtain superuser rights in order to take control of them is growing like a snowball. Kaspersky Lab experts have already named at least 11 malicious families that specialise in exactly this scenario. The vast majority of them are relatively harmless and manifest themselves through intrusive advertising and downloading more of their own kind. If we draw an analogy with military operations, such Trojans are a kind of scout sent into the enemy camp to gather the information needed to organise a large-scale offensive.

As you know, once one such Trojan scout has entered the system, a targeted invasion by its more or less dangerous companions can be expected shortly afterwards. And it is far from certain that among the scout's partners there will be no malicious programs posing a far greater threat than banal adware. This is exactly the situation with the modular Trojan Triada (in Kaspersky Lab terminology), which experts have recognised as one of the most complex, dangerous and cunning Trojans identified on mobile devices to date.

The modular Trojan Triada, which actively uses root privileges and modifies system files, is downloaded by small Trojans such as Leech, Ztorg and Gorpo. The Trojan is rather difficult to detect, since it exists mostly in the device's RAM.

Path of the Dark Warrior


Once on the device, the "malware scouts" extract key information about the system, including the OS version, device model, SD card size, list of preinstalled applications, etc. The collected information is sent to the command server; in the case of Triada, experts recorded almost 17 servers located on 4 different domains.

After receiving the packet of information from the Trojan, the command server responds with a configuration file containing the personal ID of the infected device and a set of current instructions: at what intervals the malware should contact the server, which modules it should install, etc. Immediately after installation, the modules are erased from the device's persistent storage but remain in its RAM. This is how Triada hides itself.

Notably, the difficulty of detecting the malware is also related to the Trojan's modification of the Zygote process, one of the basic processes of the Android OS, which is used when launching any other application. As a result, once Triada gets into Zygote, it subsequently becomes part of every application installed on the smartphone.


By replacing system functions, Triada hides its modules from the list of running processes and installed applications. Thus, for some time the victim does not even suspect that the device is under external control. In addition to the modifications listed above, the malware controls the process of sending SMS and is able to filter incoming messages. It is at this stage that Triada turns the user's smartphone into a printing press.

As you know, some applications allow in-app purchases of goods and services without having to connect to the Internet. Identification in this case is performed by sending an SMS. Since the messages are processed not by the SMS reader but by the application initiating the transaction, the users themselves never see them. Such an application may be, for example, yet another conditionally free mobile game. Here Triada gets the opportunity to withdraw funds from the user's account by modifying the financial messages so that the money goes not to the account of the actual developers or resellers of the mobile application but to the account of the attackers. Thus, users either do not get the paid game at all, or they get it, but the payment for it does not reach the developers.

According to Kaspersky Lab experts, this is so far the only confirmed way in which Triada, in their opinion, is capable of generating profit for its creators. But, they emphasise, this is a modular Trojan, so the harmful hydra can easily be modified for a new task. And since the malware has root access, the scale and nature of the changes to the device's operation are entirely determined and controlled by the attackers.



One of the most unpleasant features of the malware is the potential danger to millions of mobile device users. According to Kaspersky Lab statistics, the small Trojans mentioned above, which make it possible to subsequently take the device under control, hand superuser rights to the attackers and probably install Triada, have attacked every 10th (!) Android smartphone since the second half of 2015.

Is it possible to protect against such nosy malware? Yes, and it is not so difficult, the lab notes.

1. First, make it a rule to install the latest system updates. It is noted that it is difficult for minor malware to obtain root privileges on devices with Android 4.4.4 and higher, since many of the vulnerabilities in these versions of the OS have been closed. Therefore, if a more or less recent version of the operating system is already installed on the smartphone, its owner is relatively safe. However, according to statistics from the virus lab, about 60% of Android users are on version 4.4.2 or earlier versions of this OS. And here the chances of encountering Triada in one form or another are very high.



2. Secondly, it is more correct and reliable not to tempt fate and not to try to estimate the probability of one outcome or another. It is no secret that various Trojans have repeatedly been found even in the official Google store. Sufficiently reliable protection of the device from Triada can be provided by an antivirus that recognises it. As one such solution, the Kaspersky Lab computer security experts who identified the malware suggest Kaspersky Internet Security for Android, which detects all three components of the module. A free version of the antivirus application is available, which requires the scanning process to be started manually on a regular basis.

In summary, the "Triada" found by Kaspersky Lab is a very eloquent example of an emerging unpleasant trend: the growing popularity of the Android OS is attracting more and more attention from malware developers. At the same time, Android's vulnerabilities are being exploited very effectively, and the malware itself is almost as good as its Windows counterparts in terms of complexity and stealth.


Dear readers, we are always happy to see you on the pages of our blog. We are ready to keep sharing the latest news, reviews and other publications with you, and we will do everything possible so that the time you spend with us is useful. And, of course, do not forget to subscribe to our sections.


Source: https://habr.com/ru/post/391277/
