Skip to content

S0424 Triada

Triada was first reported in 2016 as a second stage malware. Later versions in 2019 appeared with new techniques and as an initial downloader of other Trojan apps.1

Item Value
ID S0424
Associated Names
Version 1.0
Created 16 July 2019
Last Modified 28 May 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
mobile T1532 Archive Collected Data Triada encrypts data prior to exfiltration.2
mobile T1407 Download New Code at Runtime Triada utilizes a backdoor in a Play Store app to install additional trojanized apps from the Command and Control server.2
mobile T1646 Exfiltration Over C2 Channel Triada utilized HTTP to exfiltrate data through POST requests to the command and control server.2
mobile T1643 Generate Traffic from Victim Triada can redirect ad banner URLs on websites visited by the user to specific ad URLs.24
mobile T1631 Process Injection -
mobile T1631.001 Ptrace System Calls Triada injects code into the Zygote process to effectively include itself in all forked processes. Additionally, code is injected into the Android Play Store App, web browser applications, and the system UI application.21
mobile T1636 Protected User Data -
mobile T1636.004 SMS Messages Triada variants capture transaction data from SMS-based in-app purchases.1
mobile T1418 Software Discovery Triada is able to modify code within the application to gain access to GET_REAL_TASKS permissions. This permission enables access to information about applications currently on the foreground and other recently used apps.2
mobile T1474 Supply Chain Compromise -
mobile T1474.003 Compromise Software Supply Chain Triada was added into the Android system by a third-party vendor identified as Yehuo or Blazefire during the production process.23