Kaspersky found Triada, the most threatening Android Trojan so far

Kaspersky found Triada, the most threatening Android Trojan so far

Kaspersky Lab experts have detected the latest Android trojan named Triada, which is the most threatening mobile Trojan Detected so far.
Triada: specializes in financial fraud
Kaspersky Lab malware researchers recently discovered a new Trojan virus, Triada, targeting Android devices. Researchers believe the virus is by far the most threatening and Advanced Mobile Threat virus. The technology used to attack mobile devices does not appear in other mobile malware.
Triada virus is designed mainly for financial fraud, which is usually achieved by hijacking of financial transaction text messages. Triada's most interesting feature is its distinctive modular architecture, which theoretically makes the virus more powerful.
Nikita Buchka and Mikhail Kuzin, a Kaspersky researcher, explained:
"Triada Trojan virus can penetrate all programs running on mobile devices ."
According to the Post published by researchers in the blog:
"The most notable feature of this trojan is the use of the Zygote process. once it enters the system, it will become part of the application process and can be installed in advance in any application started on the device, it even changes the running logic of the application. When a user purchases an android game through SMS in an application, the hacker can use the Triada Trojan to modify the sent sms to illegally obtain the user's payment fee. This trojan uses stealth technology to spread apps downloaded and installed from untrusted channels, but it may also appear in the Google Play app store, android 4.4.4 and earlier versions have the highest risk of device infection."
Zygote-based attacks
Triada Trojan virus uses Zygote processes to execute code on all device software, which also means that the threat can run in each application.
The researchers said:
"The most notable feature of this malicious application is the use of Zygote processes to execute code for all device applications. The Zygote process is the upper-layer processing program of all android applications. It contains the system library and framework used by all applications. This program is a template for all new programs, which means that once the Triada Trojan virus enters the program, it will become part of the application process and run on the device. This is the first time we have encountered this situation in actual operations. In the past, Zygote only existed in concepts ."
 

This trojan is hard to detect because it mainly runs in RAM and can replace system files with ROOT permissions. It can also hide traces from the list of running/installed services and applications.
The following are the characteristics of Triada Trojan virus:
Provides the modular function to flexibly exercise the privileges of super users;
Most of the malicious functions only exist on RAM devices;
Trojan modifies the Zygote system program in the memory for durability;
During the development of the virus, the industrial method is used to show that its developers have high quality and skills.
For the malware, the researchers said: it is almost impossible to uninstall the malware from infected devices. There are only two ways for users to clear the infection: the first is to manually delete malicious applications after the "root" setting is performed on the device. The second method is to jailbreak the Android system of the device.