A new version of Triada spreads embedded in the firmware of Android devices | Securelist

The Triada Trojan has evolved to embed a sophisticated multi-stage loader directly into Android device firmware, enabling it to infect the Zygote process and thereby compromise every application on the device. The Trojan's modular architecture lets attackers tailor its functionality to specific applications, including cryptocurrency wallet address modification, link replacement, text message interception, and credential theft. The infection chain starts with a malicious dependency in boot-framework.oat, which loads three modules: an auxiliary module, a backdoor, and, depending on the running application, either a crypto stealer or a dropper.
