Triada: the past, the present and the (hopefully not existing) future

Presented at VB2018, Oct. 4, 2018, 4 p.m. (30 minutes)

Triada is an *Android* threat that has been known within the malware research community for a couple of years. Despite that, it remains a very interesting threat because its authors did something very rarely seen in malicious software: instead of evading detection, they embraced it. This talk will focus on the most up-to-date and comprehensive view of the newest strain of Triada malware. Unique C&C communication and encryption make it possible to attribute the new strain to this old malware family, but the actual code has been completely rewritten and is very different from the previous versions. This newest version of Triada was first detected preinstalled on the system image of some low-end *Android* devices in mid-2017. As soon as *Google Play Protect* detected these applications, we reached out to OEM partners to address the threat. Due to this outreach work we gained unique insights into Triada's evolution and tactics. It also made it possible to understand the whole Triada ecosystem and techniques used to perform malicious actions. Triada used several different mechanisms to evade detection and make reverse engineering slightly harder. The unique features of this particular malware strain - ability to communicate with other apps from the same author and a unique way to execute code in the context of any app on the device - will also be presented during the talk. This presentation will cover *Google Play Protect*'s findings and present previously unrevealed aspects of Triada and the extent to which it backdoored OEM system images. We will also cover how our coordination with OEMs on an unprecedented scale led us to update system images across the *Android* ecosystem and remove Triada, making users safer.

Presenters:

  • Łukasz Siewierski - Google
    Łukasz is a reverse engineer on the Google Play Protect team. In his role he focuses on the analysis and detection of potentially harmful applications, making Android a more secure environment. Prior to Google, Łukasz worked at CERT.pl, where he was involved in incident response and security-related software projects. Łukasz holds an M.Sc. degree in computer science and a B.Sc. degree in mathematics, both from the Nicolaus Copernicus University in Poland.
