Researchers at Kaspersky Lab say the recently discovered Android Triada Trojan is one of the most sophisticated Android malware variants yet discovered and that it rivals Windows-based malware for complexity. An estimated 6 out of 10 Android devices are vulnerable to attack by the Triada Trojan. As if that were not bad enough, the malware runs silently and embeds itself in the Android system, making it virtually impossible to detect. Nikita Buchka, a junior malware analyst at Kaspersky Lab, said “Once Triada is on a device, it penetrates almost all the running processes, and continues to exist in the memory only.” All of the processes remain hidden, both from the user and from applications.

It has been discovered in the wild and has primarily been used to infect devices in Russia and Ukraine, suggesting that is where its authors are based, although it has also been found in India and various other APAC countries. The malware is believed to infect devices via app downloads, in particular apps downloaded from untrusted sources rather than the Google Play store. That said, in some cases infected apps have been found in the Google Play app store.

Kaspersky Lab researchers say the malware has been developed by “very professional” cybercriminals and suggest the developers are extremely experienced hackers with a deep understanding of the Android platform.

Triada Trojan Capable of Monitoring All Phone Activity

The Triada Trojan is capable of gaining access to all apps running on an infected device, can modify the code of those apps, and can monitor all activity on the phone. The malware can intercept SMS messages and reroute them, which is how the researchers believe the malware will make its developers money. They say the malware is likely being used to reroute in-app purchases and direct the funds to the attackers’ accounts.

Not only is the Triada Trojan almost impossible to detect with the majority of Android anti-virus and anti-malware programs; even if it is detected, removing the Triada Trojan from an infected device is exceptionally difficult. Standard removal techniques will not rid the device of all elements of the Triada Trojan. To disinfect an infected phone, the user has to jailbreak (root) the Android system and manually remove all of the components.

The new malware can only infect Android 4.4.4 KitKat and below. However, even though two new Android versions have since been released, the majority of Android devices still run on KitKat or earlier versions. 30% of devices run on version 4 or below, and those devices are particularly vulnerable to attack.

Kaspersky Lab researchers have previously warned that Trojans which gain superuser privileges and are currently used to display advertising or install apps would eventually be used for far more malicious activities, such as rooting malware. 11 different Android malware families are known to gain root access, and three of them work together – Ztorg, Gorpo and Leech. Those three have collectively been identified as Triada.

The malware uses Zygote to launch application processes, a technique which, until the discovery of Triada, was only known as a proof of concept and had not been exploited in the wild.

The researchers say that the new “Triada of Ztorg, Gorpo and Leech marks a new stage in the evolution of Android-based threats.”