Two mobile variants of Triada and Horde malware have been spotted in the wild by Check Point Software Technologies researchers who warn the latest samples have adopted dangerous new techniques including the ability to evade Google’s security on some OS versions.
The Android Trojan called Triada, researchers say, now is capable of infecting the Android default browser along with three other niche Android OS browsers including 360 Secure, Cheetah and Oupeng. Once infected, attackers can intercept browser URL requests. Next, if a user happens to visit one of a number of specific URLs, the malware will deliver a spoofed website designed to capture personal financial data.
Up until now, Triada main function was to steal money via SMS messages as part of in-app purchases. However, armed with the new URL spoofing capabilities, the Triada Android malware can now intercept any URL on infected phones and entice a user to “enter credentials in a fraudulent page, or even download additional malware, without knowing he is visiting a malicious site,” wrote Oren Koriat, Check Point analyst in a research blog outlining his research.
Check Point’s research compliments findings from Kaspersky Lab that first spotted the Trojan (Backdoor.AndroidOS.Triada) and documented its ability to redirect Android browsers to malicious URLs earlier this month.
Kaspersky Lab explains successful Triada infections target the Android device by infecting the Zygote Android OS core process that gives attackers super-user privileges. After obtaining those privileges, Triada uses regular Linux debugging tools to embed a malicious DLL that targets one of the four vulnerable browsers.
Check Point also updated the profile it has on the malware Horde, which is notorious for infecting apps in Google Play and surreptitiously enlisting armies of Android phones to become part of a mobile botnet. The Horde malware most notably infects games and utilities available on Google Play such as Viking Jump, Parrot Copter, Memory Booster, Simple 2048 and WiFi Plus.
Check Point says the latest variant of Horde is able to monitor running processes on Android Lollipop and Marshmallow versions using a new technique to avoid detection.
“Google has invested some efforts in preventing such activity and blocked apps from calling the getRunningTasks() API. Viking Horde manages to bypass this security measure by reading the “/proc/” file system, which displays running processes, from which the malware can find the current running processes,” Koriat wrote.
Each of these hacking techniques are leveraged by attackers who lay in wait until they a payment or banking app is in use. Next, attackers can generate a fake overlay designed to capture personal or financial data inputted by the user. The Horde malware has also been used to leverage victims’ phones for ad fraud, carry out DDoS attacks and send spam, researchers warn.
In an interview with Threatpost, Check Point research analyst Daniel Pardon said the new technique of monitoring the “/proc/” file system has not yet been seen used in the wild. “We haven’t seen it in action yet. It’s a model in process and we believe hackers will use it,” Padon said. “As we have seen in the past, malware learns from other malware. This process of bypassing Google’s security measures will be shortly adopted by banking malware and other malware that requires such as circumvention of Google security.”
The malware was discovered by Check Point in May. At the time, Check Point reported, Viking Jump garnered 50,000 to 100,000 downloads, before it was removed by Google. The app even became a “top free app” in some markets, Check Point said.