Triada Android spyware evades anti-virus detection by using DroidPlugin sandbox

Nothing new to see here!


An Android spyware family is using the DroidPlugin open-source sandbox to evade detection by anti-virus software installed on infected devices.

The trojan, known as Triada, has been targeting Android users since at least mid-2016. Like most malware, this rising mobile malware family relies on social engineering to trick people into installing it on their devices. Once installed, it steals victims' passwords in the background.

Triada's developers want their creation to infect as many users as possible. As such, they've outfitted their malware with a new trick.

In this new campaign, the trojan masquerades as Wandoujia, one of China's most prominent Android app stores. Once installed, Triada uses the open-source DroidPlugin sandbox to load malicious APK plugins that it hides in its assets directory. The plugins run inside DroidPlugin's virtualised environment rather than being installed on the phone, so they never appear as separate installed packages.


These plugins provide Triada's core functionality. One plugin communicates with the malware's command and control (C&C) server, for example, while another monitors the device's radio.

Here's a list of the spyware's primary plugins:

  • android.adapi.camera
  • android.adapi.contact
  • android.adapi.file
  • android.adapi.location
  • android.adapi.online
  • android.adapi.radio
  • android.adapi.task
  • android.adapi.update
  • android.adapi.wifi

Triada isn't the first Android malware to use DroidPlugin or similar plugin frameworks to do its dirty work. As Avast's threat intelligence team explains in a blog post, there is a clear advantage to doing so:

"Why the malware developer started to use the DroidPlugin sandbox to dynamically load and run the plugins is interesting, as the malicious plugins could just be directly implemented in one app, without a sandbox. Based on our experience, we suspect this is done to bypass antivirus detections. If the host app doesn’t include malicious actions, and all the malicious actions are moved to plugins which are dynamically downloaded, it makes it difficult for antivirus solutions to detect the host app."
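The evasion trick described above, a clean host APK that carries its real payload as nested APKs under assets/ and runs them through DroidPlugin, is also what gives a defender something to look for. The following is an added example, not code from the article, Avast or any vendor tool: a static triage script that opens an APK as a zip, flags assets/ entries that are themselves APKs, and greps the dex files for two indicator sets, DroidPlugin's own Java package (assumed here to be com.morgoo.droidplugin, the open-source project's package name) and the android.adapi.* plugin names listed above. The two sample APKs it builds are constructed in memory for illustration and are not real Triada samples.

```python
"""Static triage of an APK for DroidPlugin-style nested plugin APKs.

Added example, not from the article or any vendor tool. The host APK is
opened as a zip; entries under assets/ that are themselves APKs are listed,
and dex payloads are searched for indicator strings. The framework package
name and the sample APKs below are constructed assumptions for illustration.
"""
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"

# Assumed framework indicator: DroidPlugin's own Java package.
FRAMEWORK_PACKAGE = "com.morgoo.droidplugin"
# Plugin package names as listed in the article.
PLUGIN_PACKAGES = [
    "android.adapi.camera", "android.adapi.contact", "android.adapi.file",
    "android.adapi.location", "android.adapi.online", "android.adapi.radio",
    "android.adapi.task", "android.adapi.update", "android.adapi.wifi",
]


def _forms(package: str) -> list:
    # Dex class descriptors use '/' (Lcom/foo/Bar;); the dotted name may also
    # appear as a string literal, so search for both spellings.
    return [package.encode(), package.replace(".", "/").encode()]


def _dex_blobs(zf: zipfile.ZipFile) -> list:
    # All classes.dex / classesN.dex payloads in the archive.
    return [zf.read(n) for n in zf.namelist()
            if n.startswith("classes") and n.endswith(".dex")]


def _contains(blobs, package: str) -> bool:
    return any(form in blob for blob in blobs for form in _forms(package))


def nested_apks(apk_bytes: bytes) -> dict:
    """assets/ entries that are themselves APKs (a zip holding a dex or manifest)."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as host:
        for info in host.infolist():
            if info.is_dir() or not info.filename.startswith("assets/"):
                continue
            data = host.read(info)
            if not data.startswith(ZIP_MAGIC):
                continue
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as inner:
                    names = set(inner.namelist())
            except zipfile.BadZipFile:
                continue  # a zip-looking blob that is not a real archive
            if "classes.dex" in names or "AndroidManifest.xml" in names:
                found[info.filename] = data
    return found


def triage(apk_bytes: bytes) -> dict:
    """Return framework usage, nested APK paths and plugin packages seen in them."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as host:
        host_dex = _dex_blobs(host)
    plugins = nested_apks(apk_bytes)
    plugin_hits = set()
    for data in plugins.values():
        with zipfile.ZipFile(io.BytesIO(data)) as inner:
            inner_dex = _dex_blobs(inner)
        for pkg in PLUGIN_PACKAGES:
            if _contains(inner_dex, pkg):
                plugin_hits.add(pkg)
    return {
        "uses_droidplugin": _contains(host_dex, FRAMEWORK_PACKAGE),
        "nested_apks": sorted(plugins),
        "plugin_packages": sorted(plugin_hits),
    }


def _zip(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_apk() -> bytes:
    """Constructed host APK mimicking the pattern: framework in the host dex,
    a plugin APK stashed under assets/ next to an innocent-looking image."""
    plugin = _zip({
        "AndroidManifest.xml": b'<manifest package="android.adapi.radio"/>',
        "classes.dex": b"dex\n035\x00Landroid/adapi/radio/RadioMonitor;",
    })
    return _zip({
        "AndroidManifest.xml": b'<manifest package="com.example.host"/>',
        "classes.dex": b"dex\n035\x00Lcom/morgoo/droidplugin/core/PluginManager;",
        "assets/logo.png": b"\x89PNG\r\n\x1a\n",
        "assets/plugin.apk": plugin,
    })


def build_benign_apk() -> bytes:
    """Constructed control sample with no framework and no nested APK."""
    return _zip({
        "AndroidManifest.xml": b'<manifest package="com.example.clean"/>',
        "classes.dex": b"dex\n035\x00Lcom/example/clean/MainActivity;",
        "assets/strings.json": b"{}",
    })


if __name__ == "__main__":
    print(triage(build_sample_apk()))
    print(triage(build_benign_apk()))
```

Treat the output as a triage signal, not a verdict: DroidPlugin is a legitimate open-source project, so a host app that embeds it is suspicious only in combination with nested APKs whose contents it did not declare. The script also only sees what is shipped inside the host APK; plugins downloaded at runtime, as the Avast quote describes, would have to be recovered from the device or from network captures.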

No doubt other malware will abuse plugin frameworks in the same way to offload its malicious functions. With that in mind, Android users should protect themselves by installing apps only from Google's Play Store, keeping an up-to-date security solution on their phones, and keeping their devices patched.



One Response

  1. David L

    April 7, 2017 at 1:50 am #

    Greetings all,

    One thing that drives me crazy is that all these infosec guys like to put their own name on certain malware families, instead of following the lead. Anyways, here are some more helpful links that other researchers have done on this dual-instance DroidPlugin framework malware.

    http://blog.checkpoint.com/2017/01/23/hummingbad-returns/

    http://researchcenter.paloaltonetworks.com/2016/11/unit42-pluginphantom-new-android-trojan-abuses-droidplugin-framework/

    https://arstechnica.com/security/2017/01/virulent-android-malware-returns-gets-2-million-downloads-on-google-play/

    And, of course, Avast in June of last year, I think, first wrote about this new-fangled malware. Enjoy the read.
