Triada Android spyware evades anti-virus detection by using DroidPlugin sandbox

Nothing new to see here!

David bisson
David Bisson
@
@DMBisson

Android spyware evades anti-virus detection by using DroidPlugin sandbox

An Android spyware family is using the DroidPlugin open-source sandbox to evade detection by anti-virus software installed on infected devices.

The offending trojan, which goes by the name Triada, has been targeting Android users since at least mid-2016. Like most other nefarious programs, this newly minted top mobile malware uses social engineering techniques to deceive people into installing it onto their devices. It then steals victims’ password information in the background.

Triada’s developers want their creation to infect as many users as possible. As such, they’ve outfitted their malware with a new trick.

Sign up to our free newsletter.
Security news, advice, and tips.

In this new campaign, the trojan masquerades as Wandoujia, one of China’s most prominent Android app stores. Upon successful installation, Triada uses the DroidPlugin open-source sandbox to invoke malicious APK plugins it hides in its asset directory. It executes these plugins within DroidPlugin; as such, it doesn’t actually install them onto an infected phone.

4

These plugins are essential to Triada’s functionality. One plugin communicates with the malware’s command and control (C&C) server, for example. Another enables the program to conduct radio monitoring of the device.

Here’s a list of the spyware’s primary plugins:

  • android.adapi.camera
  • android.adapi.contact
  • android.adapi.file
  • android.adapi.location
  • android.adapi.online
  • android.adapi.radio
  • android.adapi.task
  • android.adapi.update
  • android.adapi.wifi

Triada isn’t the first Android malware that has used DroidPlugin and other plugin frameworks to carry out their dirty work. As Avast’s threat intelligence team explains in a blog post, it has a distinct advantage for doing so:

“Why the malware developer started to use the DroidPlugin sandbox to dynamically load and run the plugins is interesting, as the malicious plugins could just be directly implemented in one app, without a sandbox. Based on our experience, we suspect this is done to bypass antivirus detections. If the host app doesn’t include malicious actions, and all the malicious actions are moved to plugins which are dynamically downloaded, it makes it difficult for antivirus solutions to detect the host app.”

No doubt we will see other malware abuse plugin frameworks to discharge their malicious functions. Acknowledging these likely threats, Android users should protect themselves by installing apps only from Google’s Play Store. They should also maintain an updated security solution on their phones and keep their device up-to-date.


David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

One comment on “Triada Android spyware evades anti-virus detection by using DroidPlugin sandbox”

  1. David L

    Greetings all,

    One thing that drives me crazy, is that all these infosec guys like to put there own name on certain malware families, instead of following the lead. Anyways, here are some more helpful links, that other researchers have done on this duel instance Droid Plug-in frameworks malware.

    http://blog.checkpoint.com/2017/01/23/hummingbad-returns/

    http://researchcenter.paloaltonetworks.com/2016/11/unit42-pluginphantom-new-android-trojan-abuses-droidplugin-framework/

    https://arstechnica.com/security/2017/01/virulent-android-malware-returns-gets-2-million-downloads-on-google-play/

    http://researchcenter.paloaltonetworks.com/2016/11/unit42-pluginphantom-new-android-trojan-abuses-droidplugin-framework/

    And, of course, Avast in June of last year in think, first wrote about this new fangled malware. Enjoy the read.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.