Hidden malware behind apps that look perfectly legitimate

Modified versions of mobile apps are very common in the mobile world. These apps may offer additional features and settings, reduced prices, or be available in a wider range of markets compared to their original app. Their offering can be attractive enough to entice gullible users to install them through unofficial third-party app stores.

The risk of installing modified versions comes from the fact that it is impossible for the user to know what changes were made to the application's code. To be more precise – it is unknown what code was added and whether it has malicious intent.malware

Her research team για κινητά ανακάλυψε πρόσφατα μια τροποποιημένη έκδοση της δημοφιλούς εφαρμογής Telegram Messenger για Android. Η κακόβουλη εφαρμογή εντοπίστηκε και αποκλείστηκε από το Harmony Mobile. Αν και μοιάζει αθώα, αυτή η τροποποιημένη έκδοση είναι ενσωματωμένη με κακόβουλο κώδικα που συνδέεται με το Trojan Triada. First detected in 2016, Trojan Triada is a modular backdoor for Android that provides administrator privileges to download other malware.  

Telegram 9.2.1 – Amended by Triada Trojan

The perfect disguise

Το κακόβουλο λογισμικό μεταμφιέζεται σε Telegram Messenger έκδοση 9.2.1. Έχει το ίδιο όνομα πακέτου (org.telegram.messenger) και το ίδιο εικονίδιο με την αρχική εφαρμογή Telegram. Κατά την εκκίνηση, ο χρήστης εμφανίζεται με την οθόνη ς του Telegram, του ζητείται να εισάγει τον αριθμό τηλεφώνου της συσκευής και να χορηγήσει στην εφαρμογή δικαιώματα τηλεφώνου.

This process is similar to the actual authentication process of the original Telegram Messenger app. The user has no reason to suspect that anything unusual is happening with the device.


Figure 1: Malware masquerading as an application Messenger Telegram

In the background

Static analysis of the applications shows that when the application is launched, a malicious code runs in the background, masquerading as an internal application update service.000


Figure 2: Malicious code masquerading as an update service

The malware collects information about the device, establishes a communication channel, downloads a configuration file, and waits to receive the payload from the remote server.

Figure 3: The malware downloads the payload        


Figure 4: The malware loads the payload


Once the payload is decrypted and launched – Triada gains system privileges, which allow it to infiltrate other processes and perform many malicious actions.

Προηγούμενες έρευνες που πραγματοποιήθηκαν σε payloads Triada παρουσίασαν τις ποικίλες κακόβουλες ικανότητες του Triada. Αυτές περιλαμβάνουν την του χρήστη σε διάφορες συνδρομές επί πληρωμή, την πραγματοποίηση αγορών εντός της εφαρμογής χρησιμοποιώντας τα SMS και τον αριθμό τηλεφώνου του χρήστη, την εμφάνιση διαφημίσεων (συμπεριλαμβανομένων αόρατων διαφημίσεων που εκτελούνται στο παρασκήνιο) και την κλοπή διαπιστευτηρίων σύνδεσης και άλλων πληροφοριών χρήστη και συσκευής.

How to Protect Your Device from Trojan Malwares

  • Always download your apps from trusted sources, be it official websites or official app stores and repositories.
  • Check who is the author and creator of the app before downloading. You can read comments and reactions from previous users before downloading
  • Be careful with the permissions requested by the installed app and whether they are actually necessary for the actual app to function.

Check Point Harmony Mobile™ had already successfully detected and alerted on the new Triada variant since early November last year – before any other vendor on VirusTotal!

We also assembled an IOC collection of Triada specimens in VT:







iGuRu.gr The Best Technology Site in Greecefgns

Subscribe to Blog by Email

Subscribe to this blog and receive notifications of new posts by email.

Written by newsbot

Although the press releases will be from very select to rarely, I said to go ... because sometimes the authors are hiding.

Leave a reply

Your email address is not published. Required fields are mentioned with *

Your message will not be published if:
1. Contains insulting, defamatory, racist, offensive or inappropriate comments.
2. Causes harm to minors.
3. It interferes with the privacy and individual and social rights of other users.
4. Advertises products or services or websites.
5. Contains personal information (address, phone, etc.).