NEWS You Open Telegram—And There’s a Trojan. Of Course, No One Even Noticed

ExcalibuR


Ducex hides malware so skillfully that even antiviruses welcome it like an old friend.

Researchers have discovered a new packer called Ducex, which conceals one of the most dangerous mobile malware strains—the Triada trojan—using advanced encryption and obfuscation techniques. Analysis in the ANY.RUN interactive sandbox revealed just how far Android threat developers have come in bypassing security measures.
Ducex was first spotted in a fake Telegram app. While not malicious itself, it plays a crucial role—making the real trojan nearly impossible to detect. The packer acts as a masking layer, hiding Triada’s malicious activity and significantly complicating the work of security analysts.

How Ducex Evades Detection

Ducex’s architecture is built on multi-layered encryption and stealth techniques:
  • Modified RC4 algorithm combined with custom byte shuffling makes standard decryption tools useless.
  • Dynamic XOR encryption with a 16-byte rotating key scrambles all strings, rendering static analysis ineffective.
  • The Triada payload is hidden inside classes.dex as a non-standard extended section, avoiding suspicion since the malicious code doesn’t appear as a separate file.
  • The first 2048 bytes of DEX modules are encrypted, obscuring critical code segments.
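As an added defender's example (not code from the original post or from the ANY.RUN analysis), the following Python heuristic reads a DEX header and checks whether the file carries an appended section beyond the header's declared file_size, then measures the entropy of that trailing data and of the first 2048 bytes. It assumes the non-standard extended section sits past the declared end of the DEX; the sample DEX bytes are constructed inline.

```python
import math
import random
import struct
from collections import Counter

DEX_MAGIC = b"dex\n"      # full magic is "dex\n0xx\0"; the 4-byte prefix suffices here
HEADER_SIZE = 0x70        # standard DEX header length
FILE_SIZE_OFFSET = 0x20   # header.file_size, little-endian uint32


def shannon_entropy(blob: bytes) -> float:
    """Bits of entropy per byte; encrypted or compressed data sits near 8.0."""
    if not blob:
        return 0.0
    counts = Counter(blob)
    return -sum(c / len(blob) * math.log2(c / len(blob)) for c in counts.values())


def inspect_dex(data: bytes) -> dict:
    """Compare the declared file_size with the real length and report the
    entropy of anything that follows the declared end (a possible hidden payload)."""
    if len(data) < HEADER_SIZE or not data.startswith(DEX_MAGIC):
        return {"valid_magic": False}
    declared = struct.unpack_from("<I", data, FILE_SIZE_OFFSET)[0]
    trailing = data[declared:] if declared <= len(data) else b""
    trailing_entropy = shannon_entropy(trailing)
    return {
        "valid_magic": True,
        "declared_size": declared,
        "actual_size": len(data),
        "trailing_bytes": len(trailing),
        "trailing_entropy": round(trailing_entropy, 2),
        "head_entropy": round(shannon_entropy(data[:2048]), 2),  # high value hints at an encrypted head
        "suspicious": len(trailing) > 0 and trailing_entropy > 7.0,
    }


def _fake_dex(extra: bytes = b"") -> bytes:
    """Constructed sample: a minimal header whose file_size covers only the header."""
    header = bytearray(HEADER_SIZE)
    header[:8] = b"dex\n035\0"
    struct.pack_into("<I", header, FILE_SIZE_OFFSET, HEADER_SIZE)
    struct.pack_into("<I", header, 0x24, HEADER_SIZE)  # header_size field
    return bytes(header) + extra


_rng = random.Random(7)  # deterministic stand-in for an appended encrypted blob
CLEAN_SAMPLE = _fake_dex()
PACKED_SAMPLE = _fake_dex(bytes(_rng.getrandbits(8) for _ in range(4096)))

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_SAMPLE), ("packed", PACKED_SAMPLE)):
        print(name, inspect_dex(sample))
```

A real classes.dex pulled from an APK can be passed to inspect_dex the same way; a large high-entropy tail past file_size is worth a closer look, though legitimate files with appended data will also trigger it.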

Anti-Analysis Tricks

  • Obfuscated control flow: Simple functions are overloaded with convoluted loops and conditions to deter manual analysis.
  • APK signature check: If the signature doesn’t match, the app crashes—preventing tampering or repackaging for analysis.
  • Anti-debugging: Ducex detects tools like Frida, Xposed, and Substrate, instantly terminating execution if they’re found in memory.

Double-Layered Encryption & Execution

Ducex employs two encryption methods:
  1. Modified RC4
  2. Chinese SM4 block cipher
The payload decryption is split into multiple stages, executed via native functions like init() and dl(). Only after this does the fake Telegram app launch, unleashing the Triada trojan inside.

Why This Matters

Ducex acts as a multi-stage shield for Triada, designed to thwart even the most advanced analysis attempts. This highlights:
  • The sophistication of modern mobile threats.
  • The urgent need for new defense strategies in cybersecurity.
Antiviruses and sandboxes struggle to detect such well-hidden malware, making behavioral analysis and AI-driven detection more critical than ever.

TL;DR:
A new packer, Ducex, hides the Triada trojan inside fake Telegram apps using advanced encryption, anti-analysis tricks, and multi-stage decryption. It’s so stealthy that even security tools often miss it, proving that mobile malware is evolving faster than defenses.
Would you like a deeper breakdown of how Triada operates once deployed? Or ways to detect such threats?