Android users have been warned to look out for a nasty new Trojan that has been spotted in the wild by security researchers.

Kaspersky Lab is warning that Triada has been written by “very professional cybercriminals” who have a deep understanding of the targeted mobile platform, and that users of Android 4.4.4 and earlier versions of the mobile OS should be especially wary, as it is “nearly impossible to uninstall”.

Kaspersky warned that Triada exploits Zygote, a core piece of the Android platform that contains the system libraries and frameworks used by every application installed on the device, and is used to start apps.

It is the first time that technology like this has been seen in the wild, with prior Trojans using Zygote only spotted as a proof-of-concept.

Kaspersky Lab said that because of Zygote, once Triada is downloaded and installed, it becomes part of the app process and is loaded into every application launched on the device, and can even change the logic of the application’s operations.

“The stealth capabilities of this malware are very advanced,” said Kaspersky. “After getting into the user’s device, Triada implements itself in nearly every working process and continues to exist in short-term memory. This makes it almost impossible to detect and delete using antimalware solutions. Triada operates silently, meaning that all malicious activities are hidden, both from the user and from other applications.”

So what does it do? Well, it seems that the Triada Trojan obtains unauthorised superuser privileges. It can modify outgoing SMS messages sent by other applications. So when a user, for example, makes in-app purchases via SMS for Android games, the outgoing SMS is modified so that the criminals receive the money instead of the app developers.

“The Triada of Ztrog, Gorpo and Leech marks a new stage in the evolution of Android-based threats,” said Nikita Buchka, junior malware analyst at Kaspersky Lab. “The majority of users attacked by the Trojans were located in Russia, India and Ukraine, as well as APAC countries. It is hard to underestimate the threat of a malicious application gaining root access to a device. They also have a well-thought-out architecture developed by cybercriminals who have a deep knowledge of the target mobile platform.”

And Kaspersky warned that it is nearly impossible to uninstall this malware from a device. If infected, users have to either “root” their device and delete the malicious applications manually, or jailbreak the Android system on the device.

More detailed information about this trojan is available here.

TechWeekEurope