Tuesday, March 26, 2019

Triada & Horde updated and actively targeting Androids

Check Point analysts have identified two mobile phone versions of the Triada and Horde malware in the wild, and advise that the most recent samples use dangerous new techniques, including the ability to evade Google’s security on a few OS versions.

The Android Trojan known as Triada, the researchers say, can now infect the default Android web browser along with three smaller Android browsers: 360 Secure, Cheetah and Oupeng.

Once a browser is infected, attackers can redirect its URL requests. If a user visits one of a small set of specified URLs, the malware serves a spoofed website built to harvest personal financial information.

Until recently, Triada’s primary purpose was to steal funds through SMS messages used for in-app purchases. Equipped with the new URL spoofing abilities, the Triada Android malware can now intercept any URL on infected phones and encourage a user to “enter credentials in a fraudulent page, or even download additional malware, without knowing he is visiting a malicious site,” wrote Check Point analyst Oren Koriat in a blog post.

Check Point’s research follows findings from Kaspersky Lab, which first spotted the Trojan (Backdoor.AndroidOS.Triada) and documented its ability to redirect Android browsers to malicious URLs earlier this month.

Kaspersky Lab explains that a successful Triada infection compromises the Android device by infecting Zygote, a core Android OS process, which grants attackers super-user rights. After acquiring those rights, Triada uses ordinary Linux debugging tools to embed a malicious DLL that targets one of the four listed browsers.
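A defender can look for this kind of in-process injection by reviewing which files a browser process has mapped as executable code. The following is an added example, not code from Check Point, Kaspersky Lab or this article: it parses the text of /proc/<pid>/maps and flags executable mappings outside an assumed allowlist. The allowlist, the package name and the sample lines are all constructed for illustration.

```python
import re

# Fields of one /proc/<pid>/maps line: range, perms, offset, dev, inode, path
MAPS_LINE = re.compile(
    r"^[0-9a-f]+-[0-9a-f]+\s+(\S{4})\s+[0-9a-f]+\s+\S+\s+(\d+)\s*(.*)$")

# Assumption: directories a stock browser normally maps code from.
TRUSTED_PREFIXES = ("/system/", "/vendor/", "/data/dalvik-cache/")

def suspicious_mappings(maps_text, package):
    """Return sorted (path, reason) pairs for file-backed executable mappings
    that do not come from the OS image or the browser's own install dirs."""
    allowed = TRUSTED_PREFIXES + (f"/data/app/{package}-", f"/data/data/{package}/")
    findings = set()
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue
        perms, inode, path = m.group(1), int(m.group(2)), m.group(3).strip()
        if "x" not in perms or inode == 0:
            continue  # not executable, or anonymous/pseudo mapping ([vectors], JIT)
        if path.endswith(" (deleted)"):
            # Code still mapped after its file was unlinked from disk
            findings.add((path[:-len(" (deleted)")], "deleted-on-disk"))
        elif not path.startswith(allowed):
            findings.add((path, "untrusted-path"))
    return sorted(findings)

# Constructed sample of a browser process's maps (not from a real device).
SAMPLE_MAPS = """\
b6e00000-b6e4a000 r-xp 00000000 b3:19 1201   /system/lib/libc.so
b6e4a000-b6e4d000 rw-p 0004a000 b3:19 1201   /system/lib/libc.so
a9c00000-a9f00000 r-xp 00000000 b3:1c 5410   /data/dalvik-cache/arm/system@app@Browser@Browser.apk@classes.dex
a1000000-a1010000 r-xp 00000000 b3:1c 7731   /data/local/tmp/libexample_inject.so
a1010000-a1011000 rw-p 00010000 b3:1c 7731   /data/local/tmp/libexample_inject.so
a2000000-a2008000 r-xp 00000000 b3:1c 7802   /data/data/com.example.other/files/libexample.so (deleted)
a3000000-a3004000 r-xp 00000000 00:00 0
ffff0000-ffff1000 r-xp 00000000 00:00 0      [vectors]
"""

if __name__ == "__main__":
    for path, reason in suspicious_mappings(SAMPLE_MAPS, "com.android.browser"):
        print(f"{reason:16} {path}")
```

A hit is a lead for further analysis rather than proof of infection, since the allowlist has to be tuned to the device image and browser being examined.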

Check Point says the latest variant of Horde is able to monitor running processes on Android Lollipop and Marshmallow versions using a new technique to avoid detection.

“Google has invested some efforts in preventing such activity and blocked apps from calling the getRunningTasks() API. Viking Horde manages to bypass this security measure by reading the “/proc/” file system, which displays running processes, from which the malware can find the current running processes,” Koriat added.

Check Point uncovered the malware in May. It was spreading via legitimate apps, including Viking Jump, which had 50,000 to 100,000 downloads before Google removed it. The app even became a “top free app” in some markets, Check Point said.

About FastFlux

Owner of ZeroSecurity, interested in programming, malware analysis and penetration testing. If you would like to write for the ZeroSecurity team, please use the contact form above.
