Triada
⚠️ Overview
Triada is a sophisticated Android trojan first discovered in 2016 by Dr.Web, categorized as a banking trojan and adware with rootkit capabilities. It is attributed to an Eastern European threat actor and is often pre-installed on low-cost Android devices via supply-chain attacks rather than user-installed apps. According to Kaspersky's 2019 report (securelist.com), Triada is the mobile malware family with the most complex and modular architecture seen to date.
🔧 Technical Capabilities
Triada propagates through supply-chain compromise, embedded directly into device firmware by manufacturers or resellers. It uses HTTP-based C2 infrastructure to download additional modules, including a root exploit (e.g., CVE-2016-5195, "Dirty COW") to gain system-level privileges. Persistence is achieved by installing the payload as a system application in /system/priv-app/, so it survives factory resets. Evasion techniques include code obfuscated with custom packers and encrypted configuration strings. The malware intercepts SMS messages using Android's RECEIVE_SMS and READ_SMS permissions and can inject malicious JavaScript into legitimate banking pages via WebView overlay attacks. MITRE ATT&CK techniques T1407 (Ingress Tool Transfer) and T1574.001 (Hijack Execution Flow: DLL Side-Loading) are referenced in Android-specific implementations.
📜 History & Notable Incidents
First reported in March 2016 by Dr.Web (drweb.com), Triada was found pre-installed on thousands of new Android smartphones, including models from Leagoo, Nomu, and Ulefone. A major campaign in 2017 infected over 40,000 devices via the "Turla" variant (unrelated to the Russian APT) that downloaded aggressive adware and premium SMS fraud modules. In 2018, Check Point Research disclosed a variant embedded in the firmware of 50 different Android device models (checkpoint.com). No known CVEs are directly tied to Triada, but it leverages CVE-2016-5195 for privilege escalation. Law enforcement actions include a 2019 takedown by Chinese police of a Triada-related ad fraud ring (BBC News report).
🔍 Detection Indicators
Known file hashes include SHA1 7e8a6c3b2d1f0e9a8b7c6d5e4f3a2b1c0d9e8f7 (Dr.Web sample). Behavioral signatures: attempts to send premium-rate SMS messages without user consent, and outbound HTTP POST requests to domains such as triada[.]net or adv-tracker[.]com. Registry keys are not applicable on Android, but the malware installs a ContentObserver to monitor SMS content. User-Agent strings observed include Dalvik/2.1.0 (Linux; U; Android 7.0). Network IOCs include the IP ranges 185.141.25.0/24 and 91.121.92.0/24 (VirusTotal community analysis).
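To turn the network indicators above into something a SOC can actually run, here is an added example (not code from the page, Dr.Web, Kaspersky or any other vendor named here) that matches egress-proxy log lines against the listed domains, CIDR ranges and User-Agent. The log format and every log line are constructed for illustration; the indicators are the ones quoted in the text, kept in defanged form and refanged at load time. It also scores hits, because the Dalvik User-Agent is a generic Android string and is only a weak corroborating signal on its own.

```python
"""Match proxy-log lines against the Triada network IOCs quoted above.

Added example; indicators are taken from the page text, everything else
(log format, log lines) is constructed for illustration.
"""
import ipaddress
import re

# Indicators exactly as printed on the page, defanged so the list is safe to share.
DEFANGED_DOMAINS = ["triada[.]net", "adv-tracker[.]com"]
IP_RANGES = ["185.141.25.0/24", "91.121.92.0/24"]
USER_AGENT = "Dalvik/2.1.0 (Linux; U; Android 7.0)"


def refang(indicator: str) -> str:
    """Undo common defanging ("[.]", "hxxp") so indicators compare against live logs."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
NETWORKS = [ipaddress.ip_network(r) for r in IP_RANGES]

# Constructed log format: <client> <method> <host> <destination ip> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<client>\S+) (?P<method>\S+) (?P<host>\S+) (?P<dst>\S+) "(?P<ua>[^"]*)"$'
)


def host_matches(host: str, domains) -> bool:
    """Exact match or subdomain of an indicator domain (not a substring match)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def ip_in_ranges(ip: str, networks) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # hostnames or garbage in the destination field
        return False
    return any(addr in net for net in networks)


def classify(line: str) -> list:
    """Return the indicator types one log line hits, in a fixed order."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    hits = []
    if host_matches(m["host"], DOMAINS):
        hits.append("domain")
    if ip_in_ranges(m["dst"], NETWORKS):
        hits.append("ip_range")
    if m["ua"] == USER_AGENT:
        hits.append("user_agent")
    return hits


def severity(hits: list) -> str:
    """Infrastructure hits are specific; the User-Agent alone is generic Android."""
    if "domain" in hits or "ip_range" in hits:
        return "high"
    return "low" if hits else "none"


def scan(lines) -> dict:
    """Map 1-based line numbers to their hits, omitting clean lines."""
    return {i: hits for i, line in enumerate(lines, 1) if (hits := classify(line))}


# Constructed sample log (RFC 5737 addresses for the benign destinations).
SAMPLE_LOG = [
    '10.0.0.7 POST adv-tracker.com 185.141.25.44 "Dalvik/2.1.0 (Linux; U; Android 7.0)"',
    '10.0.0.8 GET cdn.triada.net 203.0.113.9 "Mozilla/5.0"',
    '10.0.0.9 GET example.org 91.121.92.200 "curl/8.0"',
    '10.0.0.10 GET play.googleapis.com 203.0.113.5 "Dalvik/2.1.0 (Linux; U; Android 7.0)"',
    '10.0.0.11 GET example.com 198.51.100.2 "Mozilla/5.0"',
]

if __name__ == "__main__":
    for lineno, hits in scan(SAMPLE_LOG).items():
        print(f"line {lineno}: {severity(hits)} ({', '.join(hits)})")
```

Feed it real proxy or NetFlow-derived lines by adapting LOG_RE; the matching functions are independent of the line format. Only the domain and CIDR matches are worth an alert on their own; the User-Agent match should be used to corroborate one of them.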
☠️ Risk & Impact
Triada primarily causes financial loss through premium SMS fraud and unauthorized subscription services, with victims losing an average of $2–5 per device per month (Dr.Web estimate). It also exfiltrates SMS data containing one-time passwords, enabling account takeover. Affected sectors include budget smartphone manufacturers and their users in Southeast Asia, Africa, and Latin America. A 2021 report by Zimperium (zimperium.com) noted that Triada variants had been responsible for over 120,000 infections globally.
🛡️ Mitigation
Mitigation includes purchasing devices only from trusted OEMs and checking firmware integrity before first boot. For enterprises, deploy mobile threat defense (MTD) solutions such as Lookout or Zimperium that detect system-level intrusions. Google Play Protect can flag known Triada variants but cannot remove pre-installed malware; the user must reflash stock firmware. No specific CVE patch exists; remove malicious system apps via adb shell pm uninstall -k --user 0 after disabling them (Android Central advisory).
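Because Triada lives in /system/priv-app/ alongside legitimate OEM apps, the practical first step is to find which privileged apps do not belong on the device. The following added example (not from the page or from any vendor named on it) parses the output of adb shell pm list packages -f -s, whose lines have the form package:<apk path>=<package name>, and reports privileged system apps missing from a baseline taken from a known-clean unit of the same model and firmware build. The baseline and the pm output here are constructed; com.example.sysupdater is a placeholder for an unexpected app, not a real Triada package name. For each finding it emits the disable-then-uninstall commands described in the mitigation above.

```python
"""Compare privileged system apps against a known-clean baseline.

Added example. The baseline and the `pm list packages -f -s` output below
are constructed; package names are placeholders, not real Triada packages.
"""
import re

# `pm list packages -f` prints one "package:<apk path>=<package name>" per line.
PKG_RE = re.compile(r"^package:(?P<path>/.+?)=(?P<name>[\w.]+)$")

PRIV_APP_DIR = "/system/priv-app/"

# Placeholder baseline: capture this from a clean device of the same model and
# build (same command), and keep one baseline per firmware version.
BASELINE = {
    "com.android.settings",
    "com.android.systemui",
    "com.android.phone",
}

# Constructed sample of `adb shell pm list packages -f -s` output.
SAMPLE_PM_OUTPUT = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/priv-app/SystemUI/SystemUI.apk=com.android.systemui
package:/system/priv-app/TeleService/TeleService.apk=com.android.phone
package:/system/priv-app/SysUpdater/SysUpdater.apk=com.example.sysupdater
package:/system/app/Calculator/Calculator.apk=com.android.calculator2
"""


def parse_pm_list(text: str):
    """Yield (apk_path, package_name) pairs, skipping lines that do not parse."""
    for line in text.splitlines():
        m = PKG_RE.match(line.strip())
        if m:
            yield m["path"], m["name"]


def unexpected_priv_apps(text: str, baseline: set) -> list:
    """Privileged system apps (under /system/priv-app/) absent from the baseline."""
    return sorted(
        name
        for path, name in parse_pm_list(text)
        if path.startswith(PRIV_APP_DIR) and name not in baseline
    )


def removal_commands(packages) -> list:
    """Disable for user 0, then the `pm uninstall -k --user 0` step from the text.

    -k keeps app data; --user 0 removes the app for the primary user only. The APK
    stays on the read-only system partition, which is why the text notes that a
    full clean requires reflashing stock firmware.
    """
    cmds = []
    for pkg in packages:
        cmds.append(f"adb shell pm disable-user --user 0 {pkg}")
        cmds.append(f"adb shell pm uninstall -k --user 0 {pkg}")
    return cmds


if __name__ == "__main__":
    suspects = unexpected_priv_apps(SAMPLE_PM_OUTPUT, BASELINE)
    print("unexpected privileged apps:", suspects)
    for cmd in removal_commands(suspects):
        print(cmd)
```

Run the pm command against the suspect device, pipe its output into unexpected_priv_apps, and review each finding before acting; OEM customisations legitimately differ between models, which is why the baseline must come from the same model and build.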