
How does the Android Trojan Triada infect a device's core processes?

The Android Trojan Triada has the ability to replace a device's system functions with its own. Expert Michael Cobb explains how to mitigate the effects of this serious threat.

An Android Trojan was discovered by Kaspersky Lab researchers, which they claim is capable of infecting and modifying Android's Zygote core processes. The Android Trojan, dubbed Triada, is also harder to detect. How does Triada infect the core process, and what, if any, measures can be taken to prevent or mitigate it?

Zygote is the parent process for all Android applications and serves as the template from which every app process is forked. By modifying the Zygote process, Triada becomes part of every app that is run on the device and can alter how those apps work. It uses root privileges to substitute various system files and functions with its own. It exists mostly in the device's RAM and conceals its modules from the list of running processes and installed apps, so nothing unusual appears to the system, antivirus tools or the user, which makes it very hard to detect and remove. Before Triada, the Android Zygote process had only been exploited in proof-of-concept demonstrations, and the Kaspersky Lab researchers who discovered Triada say it is the most advanced mobile malware they have seen.

The Android Trojan Triada is being spread by other Trojans like Leech, Ztorg and Gopro that are capable of leveraging access privileges. Many are classified as Potentially Harmful Apps -- apps that may adversely impact a device's security or user's privacy, such as displaying intrusive ads. However, the fact that they can obtain root access gives them the capability to download and install other applications, and Triada is becoming a favorite. Once installed, Triada tries to collect information about the system, like the device model, the OS version, the free space on the SD card and a list of the installed applications. This information is sent to a command-and-control server, which then sends back a configuration file and a list of modules to be installed. Once the modules are installed, they are deployed to short-term memory and deleted from the device storage, to aid persistence.

The Triada Android Trojan is considered to be very dangerous because its modular architecture and privileged access mean it is capable of any activity its creator can dream up. At present, it only tries to steal money by subverting in-app purchases made using SMS, but this will surely change as attackers extend and alter its functionality. Devices running Android 4.4.4 KitKat and earlier versions of the Android OS are at the greatest risk from Triada, as later versions have fewer vulnerabilities that can be exploited to gain root access. Enterprises should restrict access to their networks from users with out-of-date operating systems, and deploy some form of mobile management or antivirus solution to help keep users' devices malware-free. Users should only obtain apps from the Google Play Store, or from the enterprise's own app store if one exists, as Triada is mainly spread by apps installed from unknown sources or third-party stores. Sadly, if a device is infected with the Triada Android Trojan, the only reliable way to remove it is to completely wipe and reimage it.
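The three mitigations above (treat Android 4.4.4 and earlier as high risk, require apps to come from Google Play or the enterprise store, and treat a rooted device as able to install further payloads) can be turned into an automated device-compliance check. The script below is an added example and is not code from the original answer or from Kaspersky Lab; the inventory format, the `Device`/`App` records, the enterprise store package name `com.example.enterprise.store` and the sample devices are all assumptions constructed for illustration. The installer package name `com.android.vending` is Google Play's real package name.

```python
"""Device-compliance check modelled on the mitigations the answer describes.

Assumptions (not from the article): a mobile-management system exports an
inventory of devices with OS version, root status and, for each app, the
installer package name it was installed by. Store package names other than
Google Play and all sample devices are constructed values.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# The answer singles out Android 4.4.4 KitKat and earlier as highest risk.
MAX_HIGH_RISK_VERSION = (4, 4, 4)

# Installer sources the policy trusts: Google Play plus an assumed enterprise store.
TRUSTED_INSTALLERS = {"com.android.vending", "com.example.enterprise.store"}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '4.4.4' into (4, 4, 4) so comparisons are numeric, not lexical.

    A plain string comparison would rank '4.4.4' above '4.10.0'; comparing
    tuples of integers avoids that pitfall. Missing components are padded
    with zeros so '5' compares equal to '5.0.0'.
    """
    parts: List[int] = []
    for piece in version.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


@dataclass
class App:
    package: str
    installer: str  # package that installed the app; '' means unknown/sideloaded


@dataclass
class Device:
    name: str
    os_version: str
    rooted: bool
    apps: List[App] = field(default_factory=list)


def assess(device: Device) -> List[str]:
    """Return the policy findings for one device; an empty list means compliant."""
    findings: List[str] = []
    if parse_version(device.os_version) <= MAX_HIGH_RISK_VERSION:
        findings.append(
            f"Android {device.os_version} is 4.4.4 or older: restrict network access"
        )
    if device.rooted:
        findings.append("device is rooted: privileged apps can install further payloads")
    for app in device.apps:
        if app.installer not in TRUSTED_INSTALLERS:
            source = app.installer or "unknown source"
            findings.append(f"{app.package} installed from {source}: not an approved store")
    return findings


def noncompliant_devices(inventory: List[Device]) -> Dict[str, List[str]]:
    """Map each non-compliant device name to its findings."""
    report: Dict[str, List[str]] = {}
    for device in inventory:
        findings = assess(device)
        if findings:
            report[device.name] = findings
    return report


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    Device("tablet-01", "4.4.4", rooted=False,
           apps=[App("com.example.news", "com.android.vending")]),
    Device("phone-02", "6.0.1", rooted=False,
           apps=[App("com.example.flashlight", "")]),
    Device("phone-03", "5.1.1", rooted=True,
           apps=[App("com.example.mail", "com.example.enterprise.store")]),
    Device("phone-04", "7.0", rooted=False,
           apps=[App("com.example.mail", "com.example.enterprise.store")]),
]

if __name__ == "__main__":
    for name, findings in noncompliant_devices(SAMPLE_INVENTORY).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

The check deliberately keys on the installer package rather than on the app name, because a sideloaded app can call itself anything; on Android the installer is what PackageManager records when the app was installed, so a device with apps whose installer is empty or an unrecognised store is exactly the population the answer tells enterprises to worry about.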


This was last published in August 2016
