Modified versions of mobile apps are very common in the mobile world. These apps may offer additional features and settings, reduced prices, or availability in a wider range of markets compared to the original app. Their offering can be attractive enough to entice gullible users to install them through unofficial third-party app stores.
The risk of installing modified versions comes from the fact that it is impossible for the user to know what changes were made to the application's code. To be more precise – it is unknown what code was added and whether it has malicious intent.
Check Point's mobile research team recently discovered a modified version of the popular Telegram Messenger app for Android. The malicious app was detected and blocked by Harmony Mobile. Although it looks innocent, this modified version is embedded with malicious code linked to the Trojan Triada. First detected in 2016, Trojan Triada is a modular backdoor for Android that provides administrator privileges to download other malware.
Telegram 9.2.1 – Amended by Triada Trojan
The perfect disguise
The malware disguises itself as Telegram Messenger version 9.2.1. It has the same package name (org.telegram.messenger) and the same icon as the original Telegram app. On startup, the user is presented with the Telegram authentication screen, asked to enter the device's phone number and grant the app phone permissions.
This process is similar to the actual authentication process of the original Telegram Messenger app. The user has no reason to suspect that anything unusual is happening with the device.
Figure 1: Malware masquerading as the Telegram Messenger application
In the background
Static analysis of the application shows that when it is launched, malicious code runs in the background, masquerading as an internal application update service.
Figure 2: Malicious code masquerading as an update service
The malware collects information about the device, establishes a communication channel, downloads a configuration file, and waits to receive the payload from the remote server.
Figure 3: The malware downloads the payload
Figure 4: The malware loads the payload
Once the payload is decrypted and launched – Triada gains system privileges, which allow it to infiltrate other processes and perform many malicious actions.
Previous research conducted on Triada payloads demonstrated Triada's diverse malicious capabilities. These include enrolling the user in various paid subscriptions, making in-app purchases using the user's SMS and phone number, displaying ads (including invisible ads running in the background), and stealing login credentials and other user and device information.
How to Protect Your Device from Trojan Malware
- Always download your apps from trusted sources, be it official websites or official app stores and repositories.
- Check who the author and creator of the app is before downloading. You can read comments and reactions from previous users before downloading.
- Be careful with the permissions requested by the installed app, and check whether they are actually necessary for the app to function.
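A repackaged build like the one described above keeps the original package name and icon, but it cannot keep the original developer's signature, so comparing the signing certificate of the installed APK with the official one is the cheapest reliable check. The script below is an added example, not code from the Check Point post; it assumes `adb` and `apksigner` (Android SDK build-tools) are on PATH, a device is attached, and that the `EXPECTED_SHA256` placeholder is replaced with the official signer digest.

```shell
#!/bin/sh
# Added example: verify that the Telegram APK installed on an attached Android device
# is signed by the expected key and report which store installed it.
# Assumes adb + apksigner on PATH. EXPECTED_SHA256 below is a PLACEHOLDER, not the
# real Telegram signer digest; fill it in from a trusted source before relying on it.
set -eu

PKG="org.telegram.messenger"
EXPECTED_SHA256="0000000000000000000000000000000000000000000000000000000000000000"  # PLACEHOLDER

# Read apksigner "verify --print-certs" output on stdin and print the first signer's
# SHA-256 certificate digest as bare lowercase hex.
signer_sha256() {
    sed -n 's/^Signer #1 certificate SHA-256 digest: *//p' | tr 'A-F' 'a-f' | tr -d '[:space:]' | head -n 1
}

# Case-insensitive digest comparison; exit status 0 = match, 1 = mismatch or empty.
digest_matches() {
    a=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    b=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Pull every APK split installed for PKG and verify its signer against EXPECTED_SHA256.
check_device() {
    tmp=$(mktemp -d)
    # "pm list packages -i" appends installer=<store package>; sideloaded builds show null.
    installer=$(adb shell pm list packages -i "$PKG" | tr -d '\r' | sed -n 's/.*installer=//p')
    echo "installer of $PKG: ${installer:-<none>}"
    adb shell pm path "$PKG" | tr -d '\r' | sed 's/^package://' | while read -r p; do
        adb pull "$p" "$tmp/" >/dev/null
        actual=$(apksigner verify --print-certs "$tmp/$(basename "$p")" | signer_sha256)
        if digest_matches "$EXPECTED_SHA256" "$actual"; then
            echo "OK   $p is signed by the expected key"
        else
            echo "WARN $p signer ${actual:-<none>} does not match expected; treat as repackaged"
        fi
    done
    rm -rf "$tmp"
}

# Only talk to a device when explicitly asked, so the helpers can be sourced and tested.
if [ "${1:-}" = "--device" ]; then check_device; fi
```

Run it as `sh check_telegram_signer.sh --device`; a WARN line together with an empty or unexpected installer is the pattern a sideloaded mod leaves behind.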
Check Point Harmony Mobile™ had already successfully detected and alerted on the new Triada variant since early November last year – before any other vendor on VirusTotal!
We also assembled an IOC collection of Triada specimens in VT:
References:
https://blog.checkpoint.com/research/in-the-wild-mobile-malware-implements-new-features/
https://securelist.com/attack-on-zygote-a-new-twist-in-the-evolution-of-mobile-threats/74032/
https://security.googleblog.com/2019/06/pha-family-highlights-triada.html
https://securelist.com/triada-trojan-in-whatsapp-mod/103679/