As securelist.com mentioned in their report, Android users are facing a whole new threat after March of 2016, when Kaspersky Lab detected a modular Trojan.
Trojan is a non-self-replicating malware that appears to perform a desirable function for the user, but instead, facilitates unauthorized access to the user’s operating system.
Backdoor.AndroidOS.Triada, as Kaspersky Lab called, granted superuser privileges to downloaded Trojans, as well as the chance to get embedded into system processes. It’s a unique Trojan that first collects several information about device’s name, operating system version, size of the SD card, information about device memory (from the file /proc/mem), IMEI, IMSI and a list of applications installed. The information are being sent to the cyber-criminals’ server. Then the malware stores to the system a small database to be used later during its action.
The main function of this malware is to redirect financial SMS transactions when the user makes online payments to buy additional content in legitimate apps and as a result the money goes to the attackers rather than to the appropriate developer.
As Kaspersky Lab said:
“Applications that gain root access to a mobile device without the user’s knowledge can provide access to much more advanced and dangerous malware, in particular, to Triada, the most sophisticated mobile Trojans we know. Once Triada is on a device, it penetrates almost all the running processes, and continues to exist in the memory only. In addition, all separately running Trojan processes are hidden from the user and other applications. As a result, it is extremely difficult for both the user and antivirus solutions to detect and remove the Trojan.”
Android OS versions infected
So what’s the new threat for now?
Kaspersky Lab after the detection period also found that there is a module inside the Trojan that enables a dangerous attack: spoofing URLs loaded in the browser. The attack can infect only those browsers listed below:
- com.android.browser (the standard Android browser)
- com.qihoo.browser (360 Secure Browser)
- com.ijinshan.browser_fast (Cheetah browser)
- com.oupeng.browser (Oupeng browser)
So, when the user tries to open a specific website, the module analyzes it and changes it to another URL address if necessary. The rules are determined from the database created before.
Attack sequence as described from securelist.com
In an uninfected system, the browser sends a request with a URL address to the web server via the Internet, and receives a page in response.
After infection by Triada, a DLL intercepting URLs is added to the browser’s process. The URL address request finds its way into this DLL, where it is modified and sent to another web server.
As a result, the browser receives data that’s different from that requested, meaning the user ends up viewing a different page.
Number of users attacked by Backdoor.AndroidOS.Triada.p in different countries
“..we have recently observed that some cybercriminals have begun to actively study the structure of the operating system, expand their repertoire of technical skills, and launch sophisticated attacks like the one we examined above.” – Anton Kivva, securelist.com
As BadFive, we recommend that you to stop using the browsers mentioned above and start using the chrome browser, as google seems very serious with its encryption and security on that.