| Name | Triada |
| Type of Malware | Backdoor Trojan |
| Date of Initial Activity | 2016 |
| Motivation | Collects the device ID, MAC address, subscriber ID, and other information (including the name of the app package that deploys it) and sends it to a remote server |
| Attack Vectors | A modified version of WhatsApp called FMWhatsapp (and possibly other apps) |
| Targeted System | Android |
Overview
Triada which was first spotted in 2016, is a modular backdoor for Android which grants admin privileges to download another malware. Its latest version is distributed via adware development kits in WhatsApp for Android.
Targets
Android users.
Tools/ Techniques Used
Once the app with Triada hidden in it is launched, the Trojan gathers various device information to set up a communication channel and drops additional payloads via a remote server. Once the modified WhatsApp app (FMWhatsapp) is launched, Triada collects device information and sends it to a remote server. Then the remote server sends a link that Triada uses to download and launch other files. FMWhatsapp is used to download malicious files/other malware.
For example, malware that downloads and launches other malicious modules, displays advertisements (including invisible ads running in the background), signs the victim up for various paid subscriptions, steals login credentials and other data, etc. One of the permissions the FMWhatsapp app asks is to access SMS messages.
Thus, not only FMWhatsapp but also Triada (and other modules launched by it) can access those messages. Threat actors can use this to sign victims up for premium subscriptions (and other malicious purposes).
