S0424: Triada
Analyst context for executives and security teams
Triada matters because it represents Android malware whose capabilities can be extended after installation: downloading new code, inspecting installed apps, collecting SMS messages, archiving data, generating traffic from the victim device, and exfiltrating over command-and-control channels. For leaders, the practical issue is not a single indicator; it is whether the mobile security program can see risky app behavior after install, not just during app approval or static scanning.
Executive priority
Prioritize Triada as a mobile-risk validation case for Android fleets, especially where mobile devices handle business messaging, authentication workflows, or regulated data. The ATT&CK relationships point to supply-chain compromise, runtime code download, SMS access, and C2-based exfiltration, so executives should ask whether mobile app governance, device telemetry, incident response playbooks, and compliance evidence cover post-install behavior and third-party app risk.
Technical view
SOC, detection, and IR teams should validate Android telemetry and controls against the related behaviors: Download New Code at Runtime, Software Discovery, Compromise Software Supply Chain, Archive Collected Data, Ptrace System Calls, SMS Messages, Generate Traffic from Victim, and Exfiltration Over C2 Channel. Because ATT&CK provides no official detection text for this software object, detection engineering should be behavior-led: monitor suspicious app permission use, dynamic code loading, app enumeration, unusual SMS activity, process manipulation signals where available, archive creation or encrypted staging, and network traffic consistent with C2 or generated outbound activity.
Likely telemetry
- Android application inventory and installation source records
- Mobile device management or mobile threat defense alerts for risky app behavior
- Android permission grants, especially SMS-related permissions where collected
- Runtime behavior showing dynamic code download or execution
- Installed-app enumeration events where available
Detection direction
- Do not rely only on static app vetting; the related Download New Code at Runtime behavior makes post-install monitoring important.
- Tune for combinations of behaviors rather than single events, such as dynamic code download plus app discovery, SMS access, or unusual outbound traffic.
- Review false positives carefully because legitimate apps may enumerate installed apps, download modules, compress data, or generate network traffic for normal purposes.
- Validate whether Android telemetry can expose ptrace-related process activity; many environments may not collect this level of mobile endpoint detail.
- Use supply-chain context when triaging: confirm app source, update path, signing/provenance evidence, and whether the app was received through an expected distribution mechanism.
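The combination-of-behaviors and supply-chain-context guidance above, as an added example rather than code from the page or any vendor: a small correlator over constructed Android app telemetry that escalates only when dynamic code loading co-occurs with app enumeration, SMS access or unusual outbound traffic, and ranks the finding by install source and an approved-app baseline. The event schema, the `kind` values and the source names are assumptions for the example.

```python
"""Behavior-combination detector for Android app telemetry (added example)."""
from collections import defaultdict

# Behaviors the Detection direction section says should be correlated.
# Event "kind" values and the event schema are assumptions for this example.
TRIGGER = "dynamic_code_load"          # Download New Code at Runtime
CORROBORATING = {"sms_access", "app_enumeration", "unusual_outbound"}
TRUSTED_SOURCES = {"managed_store"}    # assumption: the expected distribution path

# Constructed sample telemetry (not real logs): one event per dict.
EVENTS = [
    {"device": "d1", "pkg": "com.example.chat", "source": "managed_store", "kind": "dynamic_code_load"},
    {"device": "d1", "pkg": "com.example.chat", "source": "managed_store", "kind": "app_enumeration"},
    {"device": "d2", "pkg": "com.example.flashlight", "source": "sideload", "kind": "dynamic_code_load"},
    {"device": "d2", "pkg": "com.example.flashlight", "source": "sideload", "kind": "sms_access"},
    {"device": "d2", "pkg": "com.example.flashlight", "source": "sideload", "kind": "unusual_outbound"},
    {"device": "d3", "pkg": "com.example.weather", "source": "sideload", "kind": "dynamic_code_load"},
    {"device": "d4", "pkg": "com.example.bank", "source": "managed_store", "kind": "sms_access"},
]

def score_apps(events, approved_baseline=frozenset()):
    """Return {(device, pkg): finding} for apps showing the trigger plus corroborating behaviors."""
    seen = defaultdict(set)
    source = {}
    for e in events:
        key = (e["device"], e["pkg"])
        seen[key].add(e["kind"])
        source[key] = e["source"]
    findings = {}
    for key, kinds in seen.items():
        if TRIGGER not in kinds:
            continue  # a single event (e.g. SMS access alone) is not escalated
        corroborating = kinds & CORROBORATING
        if not corroborating:
            continue  # dynamic code loading alone is common in legitimate apps
        pkg = key[1]
        # Supply-chain context: approved baseline lowers priority, untrusted install path raises it
        if pkg in approved_baseline:
            severity = "review"
        elif source[key] not in TRUSTED_SOURCES:
            severity = "high"
        else:
            severity = "medium"
        findings[key] = {"severity": severity, "behaviors": sorted(corroborating), "source": source[key]}
    return findings
```

Feed real MDM or MTD exports into the same shape and extend `CORROBORATING` with archive-creation or ptrace signals where your telemetry actually exposes them.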
Mitigation priorities
- Strengthen Android app governance: restrict untrusted sources, review app provenance, and maintain an approved application baseline.
- Use mobile device management or equivalent controls to enforce application inventory, permission policy, and removal workflows for suspicious apps.
- Prioritize monitoring and policy controls around SMS permissions, dynamic code loading, and unexpected outbound traffic from mobile apps.
- Include mobile software supply-chain review in vendor and app risk processes, especially for apps distributed or updated through third-party channels.
- Prepare IR playbooks for mobile malware cases, including device isolation, app removal, evidence preservation, credential/session review, and assessment of data exposed through SMS or C2 channels.
Analyst notes and limits
The supplied ATT&CK object identifies Triada as Android malware first reported in 2016 as second-stage malware, with later 2019 versions described as using new techniques and acting as an initial downloader of other Trojan apps. The highest-value defensive framing comes from the listed relationships to mobile techniques rather than from object-level detection guidance.
Official detection is not provided, tactics are not specified, aliases are not listed, and the supplied source context is limited. This take does not assert current exploitation, affected customers, specific indicators, or guaranteed detection. Local Android fleet architecture, app distribution model, and available mobile telemetry determine practical coverage.
Triada
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1407 | Download New Code at Runtime | Triada utilizes a backdoor in a Play Store app to install additional trojanized apps from the Command and Control server. [Google Triada June 2019] |
| Mobile | T1636.004 | SMS Messages Sub-technique | Triada variants capture transaction data from SMS-based in-app purchases. [Kaspersky Triada March 2016] |
| Mobile | T1418 | Software Discovery | Triada is able to modify code within the com.android.systemui application to gain access to `GET_REAL_TASKS` permissions. This permission enables access to information about applications currently on the foreground and other recently used apps. [Google Triada June 2019] |
| Mobile | T1474.003 | Compromise Software Supply Chain Sub-technique | Triada was added into the Android system by a third-party vendor identified as Yehuo or Blazefire during the production process. [Google Triada June 2019] [Krebs-Triada June 2019] |
| Mobile | T1532 | Archive Collected Data | Triada encrypts data prior to exfiltration. [Google Triada June 2019] |
| Mobile | T1631.001 | Ptrace System Calls Sub-technique | Triada injects code into the Zygote process to effectively include itself in all forked processes. Additionally, code is injected into the Android Play Store App, web browser applications, and the system UI application. [Google Triada June 2019] [Kaspersky Triada March 2016] |
| Mobile | T1646 | Exfiltration Over C2 Channel | Triada utilized HTTP to exfiltrate data through POST requests to the command and control server. [Google Triada June 2019] |
| Mobile | T1643 | Generate Traffic from Victim | Triada can redirect ad banner URLs on websites visited by the user to specific ad URLs. [Google Triada June 2019] [Kaspersky Triada June 2016] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | bea2ee61581a… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Kaspersky Triada March 2016: Snow, J. (2016, March 3). Triada: organized crime on Android. Retrieved July 16, 2019.
- [2] mitre-attack S0424
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.