Triada
Triada is a sophisticated Android malware family first documented in 2016 that evolved from a rooting trojan into a modular backdoor and, in later campaigns, a firmware-level preinstalled threat. Early Triada activity focused on silently installing spam/ad-displaying apps, injecting into browsers to replace ads and URLs, and using root privileges for persistence and control. Google reported that Triada later evolved into a system-image backdoor embedded in Android framework components during production, enabling code execution in privileged contexts such as System UI and Google Play.
Recent reporting describes Triada variants embedded directly into device firmware, including counterfeit Android smartphones sold through online marketplaces and other preinfected devices. In the 2025 firmware campaign, malicious framework components and rogue binder.so libraries were loaded into the Android Zygote process, causing Triada code to be injected into every application launched on the device. Kaspersky detected this variant as Backdoor.AndroidOS.Triada.z and reported more than 4,500 infected devices worldwide between March and April 2025, with the highest counts in Russia, the United Kingdom, the Netherlands, Germany, and Brazil. Kaspersky also reported that preinstalled variants such as Triada.ag, Triada.z, Triada.ae, Triada.ab, and Triada.ad remained active in later mobile threat rankings.
Triada is modular and supports app-specific payload delivery. Reported capabilities include downloading and executing additional payloads; installing and uninstalling APKs; blocking selected domains; acting as a reverse proxy; hijacking browser links; replacing cryptocurrency wallet addresses in text fields, button handlers, QR codes, and clipboard contents; intercepting incoming SMS and MMS; sending arbitrary SMS messages; changing premium SMS policy settings to allow silent premium-rate texting; and stealing data from targeted apps. Documented targets include Telegram, WhatsApp, Instagram, LINE, Skype, TikTok, Facebook, browsers, Google Play, Google Play Services, SMS apps, and phone apps. Reported stolen data includes tokens, cookies, credentials, session material, account data, phone numbers, and authentication artifacts. Triada variants have also been reported to capture transaction data from SMS-based in-app purchases.
Triada has used HTTP POST requests for command-and-control data exfiltration. In the 2025 campaign, Kaspersky reported infrastructure overlap with the Vo1d backdoor via the domain g.sxim[.]me and observed Chinese-language comments in the malware code, suggesting Chinese-speaking developers. Google previously assessed that some Triada infections were introduced into device system images during production by a third party believed to use the name Yehuo or Blazefire. Additional reporting linked Operation NoVoice to the Android.Triada family based on shared persistence techniques involving replacement of core system libraries and Zygote-based injection.
Triada has been widely observed in modified messaging apps, especially trojanized WhatsApp mods, with variants including Triada.ga, Triada.fd, Triada.gs, Triada.gn, Triada.gm, Triada.fe, and Triada.ii appearing prominently in mobile threat rankings. It is consistently described as one of the most advanced Android malware families and as a long-running supply-chain and preinstallation threat capable of surviving factory resets when embedded in firmware or system partitions.
Groups observed using it
1 distinct threat actor attributed by public researchers.
"...redirect unsuspecting site users to ... malware, including an Android malware called Triada in one case."
Techniques & procedures
36 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (2 techniques)
Execution (5 techniques)
Depending on which one was provided, the binary either 1) ran the command given as an argument as root or 2) concatenated all of the arguments, ran that concatenation preceded by sh, then ran them as root.
It registers a malicious receiver that, upon receiving intents, can execute arbitrary JavaScript code using WebView.
After decryption, it is saved to disk as /data/data/%PACKAGE%/mms-core.jar and then loaded using DexClassLoader... The downloaded payload is decrypted... and loaded via DexClassLoader
Persistence (4 techniques)
We discovered that the suspicious library was loaded into Zygote, the parent process for every Android application, by an infected AOT-compiled Android system framework (boot-framework.oat)
This class registers a receiver that allows other modules to install arbitrary APKs on the device and also uninstall any apps
Privilege Escalation (4 techniques)
We discovered that the suspicious library was loaded into Zygote, the parent process for every Android application, by an infected AOT-compiled Android system framework (boot-framework.oat)
We conducted an investigation, discovering a new version of the BADBOX backdoor, preloaded on the device. This backdoor is a multi-level loader embedded in a malicious native library, librescache.so, which was loaded by the system framework. As a result, a copy of the Trojan infiltrated every process running on the device.
Stealth (8 techniques)
This module undergoes a double XOR decryption process... After downloading, the modules were decrypted twice using XOR with different keys
All field values within the configuration are encrypted using AES-128 in ECB mode and then encoded with Base64... The infected device receives the key and initialization vector (IV) RSA-encrypted from the C2
We conducted an investigation, discovering a new version of the BADBOX backdoor, preloaded on the device. This backdoor is a multi-level loader embedded in a malicious native library, librescache.so, which was loaded by the system framework. As a result, a copy of the Trojan infiltrated every process running on the device.
Once the loading is complete, the payload file is deleted... If the message text matches regular expressions received by the Trojan from the C2 server, the message is deleted from the client... Delete sent messages on the device to cover its tracks
This module is decrypted twice using the XOR method with different keys... All field values in the configuration are encrypted with the AES-128 algorithm... After downloading, the modules were decrypted twice using XOR
binder.so registers native methods that can intercept calls to arbitrary methods within the process where the malware is running... the malware uses reflection to replace the Instrumentation class instance for the app
Defense Impairment (2 techniques)
Credential Access (5 techniques)
the Trojan then swaps the crypto wallet address with a hardcoded one and replaces the click handlers of all buttons in the application with a proxy handler... replaces image elements with generated QR codes
It stores the data used for authorization in Telegram, including the token... using reflection, it obtains the application's access token... attempts to extract the token that grants access to the Skype account
This file contains the cookies for active Instagram sessions... the malware steals the Facebook authentication cookies... designed for stealing Instagram cookies from web browsers
Discovery (2 techniques)
Collection (3 techniques)
reads the string under the key user... the contents of the tgnet.dat file... the row with id = 1 from the params table in the cache4.db database... collects all the files
Command and Control (7 techniques)
Whenever it had to send a request to the Command and Control (C&C) server, it encrypted the request using two XOR loops with different passwords.
the malware regularly sends requests to the command server... In response, the C2 returns JSON... First, it establishes a connection with the C2 over TCP sockets
the malware periodically transmits a wealth of device information... to its command-and-control server... The C2 responds with a JSON file
the main purpose of this module is to turn the infected device into a reverse proxy, essentially giving the attackers network access through the victim’s device
First, it establishes a connection with the C2 server over TCP sockets... The server responds with an IP address and port, which the malware uses to listen for commands
IOCs tracked for this family
76 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
33 sources tracked across advisories, community write-ups, and news.
Android malware/trojan referenced as being preinstalled on smartphones out of the box.
Advanced Android mobile Trojan that evolved into a modular backdoor embedded directly into device firmware during manufacturing, underpinning later infected-device campaigns.
Android malware family appearing as both preinstalled backdoor variants and trojanized app-embedded variants. Multiple Triada variants ranked among the most widespread mobile threats in the quarter.
Android malware/rootkit family known for replacing libandroid_runtime.so, hooking system functions so every app runs attacker code at launch, and persisting across factory resets. The report links NoVoice to the Triada family through shared persistence techniques and an installation-state property.