Security Intelligence -
Triada Trojan Conceals Itself in WhatsApp Mod
A variant of the Triada Trojan concealed itself within a WhatsApp mod for Android devices, Kaspersky found in August.
What Is Triada?
Threat actors hid Triada within the WhatsApp mod FMWhatsapp 16.80.0. The security firm also found the Trojan modification, which they named Trojan.AndroidOS.Triada.ef, gathered device IDs, MAC addresses and other unique device identifiers along with the name of the app package that deploys them.
The malware stole this information and sent it to a remote server for the purpose of registering the infected device. Once it set up this communication channel, the remote server responded with a link. The Trojan then used that link to download, decrypt and launch more files.
For instance, Triada leveraged the file Trojan-Downloader.AndroidOS.Gapac.e. This downloaded and launched other malicious modules as well as displayed full-screen ads.
The file Trojan-Downloader.AndroidOS.Helper.a arrived with similar functionality. It also used ads, only it ran them in the background to increase their views. It also downloaded and launched an installer module for xHelper, a Trojan that infected 45,000 Android devices over the span of six months back in 2019.