While there might be several reasons for malware to target end-users, the most common reason is financial gain. What we often see looks something like:

• Banking malware trying to steal user-credentials and empty their accounts.
• Spyware (as the name indicates) secretly gathering user information and transferring it to the attacker. This is also used in blackmailing.
• Ransomware encrypting stored device-data and trying to get users to pay to unlock their data.
• Cryptominers using the processor on a phone to mine for cryptocurrencies.

Two of the more common mobile malware suites in 2019 are Triada and Triout. Triada has even been found being preinstalled on cheap mobile phones from the far-East. 

Both Triout and Triada are modular collections of different software packages. They can be used as remote-controls for devices (a “RAT”), for communicating with other devices, and for gaining elevated access rights. Common to both Triada and Triout is that they have a laundry list of exploits that can be used to gain root-rights on Android - rights far beyond what is possible with normal Android permissions.

Root-access makes it possible for the malware to:

• Gain access to the memory and storage of every single app. For example, Triada becomes part of every running application on an Android, making it possible to modify running apps and what happens inside them.
• Hide from the lists of running services and applications.
• Hide from overviews of installed packages and programs.
• Read all files, including the databases, used by web browsers to store your passwords.

Root-access makes it very hard to discover that the device has been infected, as the malware has essentially the same access to the system as the software provided by the phone manufacturer.

Still, even without root-access rights, malware might be able to:

• Read, hide, and modify outgoing SMS messages and recognise if they’re an OTP based on the sending number.
• Record calls and transfer those recordings to remote servers.
• Remote control the user interface, i.e. for automatically transferring money out of an account when users open a banking app.
• Display overlays on top of other applications, i.e to hide the real recipient of a money transfer.
• Transfer calls, i.e. when a bank calls you to ask a user why they are transferring money to a casino in the Philippines.
• Log everything written through the keyboard, including passwords.

The most efficient kind of malware is the kind that end-users aren’t aware of. Of course, it is also the kind that is only triggered once (when it is most profitable for the malware creators).

An example of this would be when an attacker has figured out how to exploit a common banking app, and has created a module that transfers money from any available account. Yet a malware infection is not stand-alone: it depends on a command-and-control server, which receives information and sends commands and updates.

In the background, there is an entire ecosystem of malware authors and criminal gangs communicating through underground forums. Accessing these kinds of forums can be surprisingly easy, and it does not take much effort to find cheap prepackaged malware suites that can be used to remote-control infected phones, or software that can run on command-and-control servers. While we never advise to trust services or devices bought off the dark-web, it can still be quite educational to see what is available out there.

In our next post, we’ll look at how malware spreads and what you can do to avoid being infected.