Triada was first reported in 2016 as a second stage malware. Later versions in 2019 appeared with new techniques and as an initial downloader of other Trojan apps.^[1]

ID: S0424

ⓘ

Type: MALWARE

ⓘ

Platforms: Android

Version: 1.0

Created: 16 July 2019

Last Modified: 28 May 2020

Version Permalink

Live Version

Techniques Used

Domain	ID	Name	Use
Mobile	T1418	Application Discovery	Triada is able to modify code within the com.android.systemui application to gain access to `GET_REAL_TASKS` permissions. This permission enables access to information about applications currently on the foreground and other recently used apps.^[2]
Mobile	T1412	Capture SMS Messages	Triada variants capture transaction data from SMS-based in-app purchases.^[1]
Mobile	T1540	Code Injection	Triada injects code into the Zygote process to effectively include itself in all forked processes. Additionally, code is injected into the Android Play Store App, web browser applications, and the system UI application.^[2]^[1]
Mobile	T1532	Data Encrypted	Triada encrypts data prior to exfiltration.^[2]
Mobile	T1475	Deliver Malicious App via Authorized App Store	Early Triada variants were delivered through trojanized apps that were distributed via the Play Store.^[1]
Mobile	T1407	Download New Code at Runtime	Triada utilizes a backdoor in a Play Store app to install additional trojanized apps from the Command and Control server.^[2]
Mobile	T1472	Generate Fraudulent Advertising Revenue	Triada can redirect ad banner URLs on websites visited by the user to specific ad URLs.^[2]^[3]
Mobile	T1437	Standard Application Layer Protocol	Triada utilized HTTP to exfiltrate data through POST requests to the command and control server.^[2]
Mobile	T1474	Supply Chain Compromise	Triada was added into the Android system by a third-party vendor identified as Yehuo or Blazefire during the production process.^[2] ^[4]

Triada

Mobile Layer

Techniques Used

References