Triada: the past, the present and the (hopefully not existing) future

Thursday 4 October 16:00 - 16:30, Green room

Łukasz Siewierski (Google)



Triada is an Android threat that has been known within the malware research community for a couple of years. Despite that, it remains a very interesting threat because its authors did something very rarely seen in malicious software: instead of evading detection, they embraced it.

This talk will focus on the most up-to-date and comprehensive view of the newest strain of Triada malware. Unique C&C communication and encryption make it possible to attribute the new strain to this old malware family, but the actual code has been completely rewritten and is very different from the previous versions. This newest version of Triada was first detected preinstalled on the system image of some low-end Android devices in mid-2017. As soon as Google Play Protect detected these applications, we reached out to OEM partners to address the threat. Due to this outreach work we gained unique insights into Triada’s evolution and tactics. It also made it possible to understand the whole Triada ecosystem and techniques used to perform malicious actions. Triada used several different mechanisms to evade detection and make reverse engineering slightly harder. The unique features of this particular malware strain - ability to communicate with other apps from the same author and a unique way to execute code in the context of any app on the device - will also be presented during the talk.

This presentation will cover Google Play Protect’s findings and present previously unrevealed aspects of Triada and the extent to which it backdoored OEM system images. We will also cover how our coordination with OEMs on an unprecedented scale led us to update system images across the Android ecosystem and remove Triada, making users safer.

 

 

Generic-silhouette-web.jpg

Łukasz Siewierski

Łukasz is a reverse engineer on the Google Play Protect team. In his role he focuses on the analysis and detection of potentially harmful applications, making Android a more secure environment. Prior to Google Łukasz worked at CERT.pl, where he was involved in incident response and security-related software projects. Lukasz holds an M.Sc. degree in computer science and a B.Sc. degree in mathematics, both from the Nicolaus Copernicus University in Poland.

   Download slides    Watch video

Back to VB2018 Programme page

Other VB2018 papers

Lightning talks – innovation in threat intel

Sayeed Abu-Nimeh (Seclytics)
Matthias Leisi (DNS Whitelist (DNSWL))

DNS tunnelling: that's not your grandma's exfil

Brad Antoniewicz (Cisco Umbrella)

Adware is just malware with a legal department - how we reverse engineered OSX/Pirrit, received legal threats, and survived

Amit Serper (Cybereason)

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.