Older versions of Android contained various vulnerabilities that allowed gaining root access to the device. Many malicious programs exploited these to elevate their system privileges and gain persistence. The notorious Triada Trojan also used this attack vector. With time, the vulnerabilities were patched, and restrictions were added to the firmware. Specifically, system partitions in recent Android versions cannot be edited, even with superuser privileges. Ironically, this has inadvertently benefited malicious actors.
While external malware now faces greater permission restrictions, pre-installed malware within system partitions has become impossible to remove. Attackers are leveraging this by embedding malicious software into Android device firmware. This is how one of Kaspersky earlier findings, the Dwphon loader, functioned. It was built into system apps for over-the-air (OTA) updates. In March 2025, Kaspersky research highlighted the Triada Trojan’s evolved tactics to overcome Android’s enhanced privilege restrictions.
Read more…
Source: Kaspersky
Sign up for our Newsletter
The latest news and insights delivered right to your inbox.
Related:
- Europol and Microsoft disrupt world’s largest infostealer Lumma
May 21, 2025
Europol’s European Cybercrime Centre has worked with Microsoft to disrupt Lumma Stealer (“Lumma”), the world’s most significant infostealer threat. This joint operation targeted the sophisticated ecosystem that allowed criminals to exploit stolen information on a massive scale. Europol coordinated with law enforcement in Europe to ensure action was taken, leveraging intelligence provided by Microsoft. Between 16 ...
- Scattered Spider snared financial orgs before targeting shops in Britain, America
May 21, 2025
Scattered Spider snared financial services organizations in its web before its recent spate of retail attacks in the UK and US, according to Palo Alto Networks’ Unit 42. “We saw several instances in the financial services space, and now we’re starting to see instances in the retail-oriented, customer-facing space,” Unit 42 principal threat researcher Kristopher Russo ...
- KrebsOnSecurity Hit With Near-Record 6.3 Tbps DDoS
May 20, 2025
KrebsOnSecurity last week was hit by a near record distributed denial-of-service (DDoS) attack that clocked in at more than 6.3 terabits of data per second (a terabit is one trillion bits of data). The brief attack appears to have been a test run for a massive new Internet of Things (IoT) botnet capable of launching crippling ...
- Major supermarket distributor to Tesco and Sainsbury’s ‘held to ransom’
May 20, 2025
A major distributor to Britain’s biggest supermarkets, including Tesco, Sainsbury’s and Aldi, is being held to ransom by cyber hackers following a string of assaults on UK retail in the last month. Peter Green Chilled said clients were “receiving regular updates” including “workarounds” on how to continue deliveries. No orders would be processed on Thursday, although any ...
- Broadcom hit by employee data theft after breach in supply chain
May 19, 2025
Customers of the global semiconductor giant Broadcom have had their sensitive data leaked on the dark web after a two-step supply chain attack. Apparently, a company called Business Systems House (BSH), a human capital management (HCM) services provider from the Middle East, suffered a ransomware attack in September 2024, in which a group known as El ...
- Cocospy stalkerware apps go offline after data breach
May 19, 2025
A trio of phone surveillance apps, which was caught spying on millions of people’s phones earlier this year, has gone offline. Cocospy, Spyic, and Spyzie were three near-identical but differently branded stalkerware apps that allowed the person planting one of the apps on a target’s phone access to their personal data — including their messages, photos, ...