S0424 Triada
Triada was first reported in 2016 as a second-stage malware. Later versions, seen in 2019, appeared with new techniques and acted as an initial downloader of other Trojan apps.[1]
| Item | Value |
|---|---|
| ID | S0424 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 16 July 2019 |
| Last Modified | 28 May 2020 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| mobile | T1532 | Archive Collected Data | Triada encrypts data prior to exfiltration.[2] |
| mobile | T1407 | Download New Code at Runtime | Triada utilizes a backdoor in a Play Store app to install additional trojanized apps from the command and control server.[2] |
| mobile | T1646 | Exfiltration Over C2 Channel | Triada utilized HTTP to exfiltrate data through POST requests to the command and control server.[2] |
| mobile | T1643 | Generate Traffic from Victim | Triada can redirect ad banner URLs on websites visited by the user to specific ad URLs.[2][4] |
| mobile | T1631 | Process Injection | - |
| mobile | T1631.001 | Ptrace System Calls | Triada injects code into the Zygote process to effectively include itself in all forked processes. Additionally, code is injected into the Android Play Store app, web browser applications, and the system UI application.[2][1] |
| mobile | T1636 | Protected User Data | - |
| mobile | T1636.004 | SMS Messages | Triada variants capture transaction data from SMS-based in-app purchases.[1] |
| mobile | T1418 | Software Discovery | Triada is able to modify code within the com.android.systemui application to gain access to the GET_REAL_TASKS permission. This permission enables access to information about applications currently in the foreground and other recently used apps.[2] |
| mobile | T1474 | Supply Chain Compromise | - |
| mobile | T1474.003 | Compromise Software Supply Chain | Triada was added into the Android system by a third-party vendor identified as Yehuo or Blazefire during the production process.[2][3] |
References
1. Snow, J. (2016, March 3). Triada: organized crime on Android. Retrieved July 16, 2019.
2. Siewierski, L. (2019, June 6). PHA Family Highlights: Triada. Retrieved July 16, 2019.
3. Krebs, B. (2019, June 25). Tracing the Supply Chain Attack on Android. Retrieved July 16, 2019.
4. Kivva, A. (2016, June 6). Everyone sees not what they want to see. Retrieved July 16, 2019.