Malware News Android Trojan Hijacks Browsers to Redirect Users to Custom URLs

Exterminator

Level 85
Thread author
Verified
Top Poster
Well-known
Oct 23, 2012
12,527
A previously discovered and highly dangerous Android trojan has received an update in the form of a module that allows it to inject the phone's Web browsers and intercept URLs, redirecting users to any link the crook wishes to.

The trojan in question is named Triada and was discovered by Kaspersky at the start of March. Researchers consider this trojan to be extremely dangerous because it can inject malicious operations in Zygote, a core Android operating system process, and run the code with system-level privileges.

According to Kaspersky's staff, who's been keeping an eye on Triada's evolution, the crooks behind this malware have created a module capable of injecting four Android browser processes.

These are com.android.browser (the standard Android browser), com.qihoo.browser (360 Secure Browser), com.ijinshan.browser_fast (Cheetah browser), and com.oupeng.browser (Oupeng browser).

Crooks hijacked browsers to change homepage, default search engine
The crooks are injecting a DLL in the processes of these browsers and are sniffing for newly supplied URLs. When they detected the browser receiving a new URL and attempting to load it, the Triada module (detected as Backdoor.AndroidOS.Triada.p/o/q) will stop it and make its own request instead.

The module tells its C&C server what URL the browser was trying to access, and if certain rules are met, it will let it pass, or will replace the URL, delivering the page crooks wanted the victim to access.

Kaspersky says they've detected this module for the first time on March 15, and criminals mainly used to deliver ads, in most cases hijacking the user's browser homepage, or its default search engine provider. Basically, the module worked just like any other desktop adware, only on Android devices.

New Triada module mode of operation
Fortunately, Kaspersky says the crooks behind this campaign dropped their efforts, and the technique hasn't been sighted in the wild for quite some time.

The module is not used anymore, had so much potential
Nevertheless, its mode of operation would have allowed crooks to intercept login attempts and redirect users to phishing sites to collect the user's credentials.

This case shows the creativity crooks displayed when creating the module, even if they didn't show the same smarts when it came to using it to its full capabilities.

"We would like to note that cybercriminals specializing in Android are pretty lazy – it’s easier for them to steal money directly, for instance, with the help of Trojans that send text messages to premium-rate numbers, or spoof banking app windows," Kaspersky malware analyst Anton Kivva noted.

"However, we have recently observed that some cybercriminals have begun to actively study the structure of the operating system, expand their repertoire of technical skills, and launch sophisticated attacks like the one we examined above."

Kaspersky says it detected the module only on 247 devices where Triada had taken root, and most of them were located in Russia, India, the Ukraine, Indonesia, and Algeria.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top