The Triada Trojan has been found in the firmware of various low-cost Android devices, which could be used to steal sensitive data and run cyber espionage modules.

The Trojan, called Android.Triada.231, was discovered by Dr. Web researchers. Entrenched in the source code of the libandroid_runtime.so system library, the malware infiltrates application processes, and can covertly download and run further malicious modules.

How Does the Triada Trojan Work?

Triada is an advanced form of malware that can insert itself into Zygote, which is an essential system component used to run programs, reported SecurityWeek. By infecting Zygote, the Trojan can launch malicious modules without the user’s knowledge.

Since it is embedded in the libandroid_runtime.so system library, the Triada Trojan is present in the memory of all running apps. This enables it to penetrate the processes of all apps without root privileges.

After the initialization process, Triada sets up some boundaries: The malware creates a working directory and checks the running environment. If the environment is suitable, it intercepts a system method, tracks the initialization of applications and performs malicious actions.

How Dangerous Is the Malware?

Dr. Web researchers reported that Triada can be used to surreptitiously download additional modules. These Trojans may run malicious plugins that allow cybercriminals to steal sensitive data from bank applications, initialize cyber espionage modules and interrupt social media conversations.

Triada can also be used to extract the encrypted module Android.Triada.194.origin from the libandroid_runtime.so system library. This module allows threat actors to potentially download further malicious components and ensure that such modules can interact effectively.

It is worth noting that the Trojan continues to evolve. Earlier this year, Triada used the open source sandbox DroidPlugin to boost its evasion abilities, SecurityWeek noted. However, in this latest development, Dr. Web researchers found the altered library on a range of Android devices, including Leagoo M5 Plus, Leagoo M8, Nomu S10 and Nomu S20.

How Should Users React?

It is impossible to delete the Android Trojan using traditional measures, such as antivirus and antimalware detection, because the malware is pre-installed and embedded into one of the libraries on the operating system. Dr. Web researchers suggested that the only safe and secure way to eradicate this Trojan is to run a clean installation of Android firmware. They informed the manufacturers of the compromised smartphones about the Triada Trojan so they can work toward a fix.

The presence of malicious software on new phones represents a fresh danger to users and businesses. Users are advised to look out for official updates and to run these releases as soon as they become available.

More from

Data never dies: The immortal battle of data privacy

4 min read - More than two hundred years ago, Benjamin Franklin said there is nothing certain but death and taxes. If Franklin were alive today, he would add one more certainty to his list: your digital profile. Between the data compiled and stored by employers, private businesses, government agencies and social media sites, the personal information of nearly every single individual is anywhere and everywhere. When someone dies, that data becomes the responsibility of the estate; but what happens to the privacy rights…

Vulnerability resolution enhanced by integrations

2 min read - Why speed is of the essence in today's cybersecurity landscape? How are you quickly achieving vulnerability resolution? Identifying vulnerabilities should be part of the daily process within an organization. It's an important piece of maintaining an organization’s security posture. However, the complicated nature of modern technologies — and the pace of change — often make vulnerability management a challenging task. In the past, many organizations had to support manual integration work to get different security systems to ‘talk’ to each…

How I got started: SIEM engineer

3 min read - As careers in cybersecurity become increasingly more specialized, Security Information and Event Management (SIEM) engineers are playing a more prominent role. These professionals are like forensic specialists but are also on the front lines protecting sensitive information from the relentless onslaught of cyber threats. SIEM engineers meticulously monitor, analyze and manage security events and incidents within an organization. They leverage SIEM tools to aggregate and correlate data, enabling them to detect anomalies, identify potential threats and respond swiftly to security…

Tequila OS 2.0: The first forensic Linux distribution in Latin America

3 min read - Incident response teams are stretched thin, and the threats are only intensifying. But new tools are helping bridge the gap for cybersecurity pros in Latin America. IBM Security X-Force Threat Intelligence Index 2023 found that 12% of the security incidents X-force responded to were in Latin America. In comparison, 31% were in the Asia-Pacific, followed by Europe with 28%, North America with 25% and the Middle East with 4%. In the Latin American region, Brazil had 67% of incidents that…