This article is more than 1 year old

Android trojan Triada implants itself into older mobes' 'brains'

First time this one's been seen in the wild, says Kaspersky

Security researchers have discovered a trojan targeting Android devices that can be as complex and functional as Windows-based malware.

The Triada trojan is stealthy, modular, persistent and written by professional cybercriminals, according to security researchers at Kaspersky Lab.

The trojan can modify outgoing SMS messages sent by other applications. When a user is making in-app purchases via SMS for Android games, fraudsters are likely to modify the outgoing SMS so that they receive the money instead of the game developers, raking in illicit income in the process.

Triada operates silently, meaning that all malicious activities are hidden, both from the user and from other applications.

After getting into the user’s device Triada implements itself in nearly every working process – and continues to exist in the short-term memory.

This is the first time technology like this has been seen in the wild, according to experts at the Russian security software firm. Prior to this, a Trojan using Zygote was only known of as a proof-of-concept pathogen.

The malware propagates through applications that users download/install from untrusted sources. The applications loader and its installation modules reference various to trojans, but all of them have been added to Kaspersky Lab’s antivirus databases under the common name of Triada.

Smartphones and tablets running Android 4.4.4. and earlier versions of the mobile OS are at the greatest risk. Android-based devices running versions higher than 4.4.4 have fewer vulnerabilities that can be exploited to gain root access, a vital stepping stone in the malware’s pwnage of compromised devices.

A full write-up of the threat be analysts Nikita Buchka and Mikhail Kuzin can be found on Kaspersky Lab’s blog post here.


Zygote – the parent of the application process on an Android device – contains the system libraries and frameworks used by every application installed on the device. It’s a demon whose purpose is to launch Android applications.

“This is a standard app process that works for every newly installed application,” Kaspersky Lab explains. “It means that as soon as the Trojan gets into the system, it becomes part of the app process and will be pre-installed into any application launching on the device and can even change the logic of the application’s operations.”

More about


Send us news

Other stories you might like