Android malware embeds into browsers, intercepts and changes URLs

It might be gone, but more like it will return.

David bisson
David Bisson
@
@DMBisson

Android malware embeds into browsers, intercepts and changes URLs

An Android trojan is capable of embedding into mobile browsers, intercepting URL requests, and modifying those URLs so users are sent to other web pages.

Back in March, researchers at Kaspersky Lab spotted a new Android trojan circulating in the wild. That trojan, which the researchers named “Triada,” is known for its modular functionality and for assuming superuser privileges once it successfully infects the Zygote process, a core Android operating system.

As the researchers explain in a blog post, Zygote marks a new stage in the evolution of Android malware:

“A distinctive feature of the malicious application is the use of the Zygote process to implement its code in the context of all the applications on the device. The Zygote process is the parent process for all Android applications. It contains system libraries and frameworks used by almost all applications. This process is a template for each new application, which means that once the Trojan enters the process, it becomes part of the template and will end up in each application run on the device. This is the first time we have come across this technique in the wild; Zygote was only previously used in proof-of-concepts.”

Zygote en 2 786x1024

It would now appear Triada has developed yet another trick.

Sign up to our free newsletter.
Security news, advice, and tips.

Just a few weeks after first discovering the trojan, Kaspersky’s researchers observed that Triada’s authors had added a new module that allows the malware to embed its DLL into the processes of four browsers: com.android.browser (the standard Android browser), com.qihoo.browser (360 Secure Browser), com.ijinshan.browser_fast (Cheetah browser), and com.oupeng.browser (Oupeng browser).

That DLL waits until the browser sends a request with the URL address to a web server via the Internet. It then intercepts that request and modifies the URL address so that it now directs to another web server.

As Kaspersky notes in a second blog post on the malware, this allows attackers to send a victim to whichever web page they choose:

“This sequence of actions is being used by malware creators to change the standard search engine selected in the user’s browser, and to replace the home page. Essentially, these actions are identical to those carried out by numerous adware programs for Windows. However, there is nothing to stop similar attacks intercepting any URL, including banking URLs, and redirecting users to phishing pages, etc. All it takes is for the cybercriminals to send the appropriate command.”

2 en 1024x307

Kaspersky discovered this interception module in the trojan on March 15th.

At the time, it had attacked 247 users located primarily in Russia, India, Ukraine, Indonesia, and Algeria.

Webinject en 3

The module has since all but disappeared from view, which would suggest Triada’s authors decided to pursue other projects without fully taking advantage of the new trick.

Even so, that the module showed up at all proves that malicious developers are becoming more clever with their creations. Kaspersky Lab’s researchers explain further:

“We would like to note that cybercriminals specializing in Android are pretty lazy – it’s easier for them to steal money directly, for instance, with the help of Trojans that send text messages to premium-rate numbers, or spoof banking app windows. However, we have recently observed that some cybercriminals have begun to actively study the structure of the operating system, expand their repertoire of technical skills, and launch sophisticated attacks…”

To protect against Triada and other sophisticated Android malware, you should consider running anti-virus software and avoid clicking on suspicious links. It’s also a good idea to never download Android applications from untrusted or unverified app stores.


David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.