Triada: The Android Malware

Triada: The Android Malware

Triada is a malware that targets Android devices. It is specifically a module mobile Trojan that exists mostly in the RAM of devices and actively uses privileges to substitute system files with malicious ones. Initially, it worked by exploiting root vulnerabilities, thus gaining root access and leveraging access privileges. However, it later came preinstalled in some Android devices.

Where Did It Come From: The Origin of Triada

Researchers from Kaspersky Lab first detailed in 2016 a malware that existed in the RAM of infected Android devices. They called it Triada. They explained further that it is a module Trojan backdoor that granted high-level privileges to other downloaded Trojans and even works to download malicious codes and apps while on the background.

Google was able to resolve the issue with this Trojan backdoor through security updates that prevented root exploitation. However, further research in 2017 from analysts at Dr. Web revealed that a selected number of Android devices from several manufacturers, particularly low-budget smartphones manufactured in China, came preinstalled with this Trojan backdoor.

A blog post from Google published in June 2019 explained that some Android devices were infected by a third-party during the production process. It noted further that the Trojan backdoor came from third-party vendors contracted by manufacturers. Hence, certain people tapped the supply chain of Android device manufacturers to insert Triada.

Trojan Backdoor: How The Triada Malware Works

Take note that a Trojan is a type of malware often disguised as a legitimate software, thereby misleading users of its true intent. It is designed to damage the device, disrupt its system, or steal pertinent data. A Trojan may also act as a “backdoor” to an infected device that is capable of contacting a controller and granting it unauthorized access.

In the case of Triada, it is specifically a Trojan backdoor. Kaspersky Lab first explained in 2016 that it was initially a rooting Trojan that tried to exploit vulnerable Android devices, particularly older devices that had exploitable root. Once it got high-level privileges, it worked on the background to install apps and display ads.

However, the mode of action of this Trojan backdoor changed over time. In 2017, researchers at Dr. Web found out that it now uses the Android framework log function instead of exploiting the root. Specifically, whenever an app attempts to log something to the function, the function triggers the Trojan backdoor to execute the code.

Take note that the Android framework log function cannot be accessed maliciously via root exploits alone because newer Android OS and thus, newer Android devices have better security features. The new mode of action of Triada compelled researchers to conclude that it was a Trojan backdoor that came preinstalled in Android devices.

Google explained that the Trojan backdoor specifically interfaces with command and control server using encrypted communication to send and receive data, thus giving attackers access to the infected device. It also injects a code into the system user interface app to allow the display of ads. Furthermore, it also injects a code that allows it to use Google Play to download and install certain apps selected by the attackers.


  • Dr. Web. 2017, July 27. “Trojan Preinstalled on Android Devices Infect Applications’ Processes and Downloads Malicious Modules.” Dr. Web. Available online
  • Siewerski, L. 2019, June 6. “PHA Family Highlights.” Google Security Blog. Google Inc. Available online
  • Snow, J. 2016, March 3. “Triada: Organized Crime on Android.” Kaspersky Daily. Kaspersky Lab. Available online
Posted in Articles, Science and Technology and tagged , , .