| Domain | ID | Name | Use |
|---|---|---|---|
| Mobile | T1418 | Application Discovery | Triada is able to modify code within the com.android.systemui application to gain access to |
| Mobile | T1412 | Capture SMS Messages | Triada variants capture transaction data from SMS-based in-app purchases.[1] |
| Mobile | T1540 | Code Injection | Triada injects code into the Zygote process to effectively include itself in all forked processes. Additionally, code is injected into the Android Play Store app, web browser applications, and the system UI application.[2][1] |
| Mobile | T1532 | Data Encrypted | |
| Mobile | T1475 | Deliver Malicious App via Authorized App Store | Early Triada variants were delivered through trojanized apps that were distributed via the Play Store.[1] |
| Mobile | T1407 | Download New Code at Runtime | Triada utilizes a backdoor in a Play Store app to install additional trojanized apps from the command and control server.[2] |
| Mobile | T1472 | Generate Fraudulent Advertising Revenue | Triada can redirect ad banner URLs on websites visited by the user to specific ad URLs.[2][3] |
| Mobile | T1437 | Standard Application Layer Protocol | Triada utilized HTTP to exfiltrate data through POST requests to the command and control server.[2] |
| Mobile | T1474 | Supply Chain Compromise | Triada was added into the Android system by a third-party vendor identified as Yehuo or Blazefire during the production process.[2][4] |