By By James Walker Mar 4, 2016 in Technology A new Trojan malware has been discovered that is capable of making in-app purchases and gaining root access to phones. It could affect as many as 60 percent of all Android devices, is very sophisticated and almost impossible to remove. Triada hijacks Android's Zygote process, the system-level facility containing code libraries and frameworks shared by virtually all installed apps. Zygote is in charge of overseeing running apps and launching new ones, making it a key target for malware. The process is well-protected and has previously never been breached. Triada is the first malware to infect Zygote as only hypothetical proof-of-concepts have been developed before. By embedding itself into Zygote, Triada becomes It is "almost impossible" to Kaspersky Labs has now found Triada active in the wild. It said that it will be controlled by "very professional" cybercriminals "The Triada of Ztrog, Gorpo and Leech [three elements of the collective 'Triada' malware] marks a new stage in the evolution of Android-based threats," "The majority of users attacked by the Trojans were located in Russia, India and Ukraine as well as APAC countries. It is hard to underestimate the threat of a malicious application gaining root access to a device. Their main threat, as the example of Triada shows, is in the fact that they provide access to the device for much more advanced and dangerous malicious applications. They also have a well thought-out architecture developed by cybercriminals who have deep knowledge of the target mobile platform." The Trojan can be used to intercept and reroute SMS messages being sent by legitimate apps on the phone. Currently, Triada only runs on Android 4.4.4 Kitkat and does not affect newer versions of the operating system. Its success means it is likely to be updated in the future for wider use in cybercrime though. Kitkat is already one of the most prevalent Android versions around as successors Lollipop and Marshmallow still hold Kaspersky warns it is "nearly impossible" to delete the Trojan once installed. It can only be done by "rooting" the phone and manually removing all the Triada components or by jailbreaking the Android system. Neither route will be particularly welcoming to all but power users who understand how Android works and are aware of the dangers involved with rooting and jailbreaking. The mobile Trojan was discovered by researchers at security firm Kaspersky Labs . Known as Triada, the malware has an unprecedented level of sophistication and "can be compared to Windows-based malware in terms of its complexity."Triada hijacks Android's Zygote process, the system-level facility containing code libraries and frameworks shared by virtually all installed apps. Zygote is in charge of overseeing running apps and launching new ones, making it a key target for malware. The process is well-protected and has previously never been breached. Triada is the first malware to infect Zygote as only hypothetical proof-of-concepts have been developed before.By embedding itself into Zygote, Triada becomes part of the Android system. It gains integration into every new app that is launched on the device, capable of monitoring activities or even changing the code that the app runs.It is "almost impossible" to detect with current anti-malware products and operates completely silently. The user and running apps will never know of its existence but it is present behind the scenes inside every process running on the phone.Kaspersky Labs has now found Triada active in the wild. It said that it will be controlled by "very professional" cybercriminals who are out to make money. The complexity required to interact so deeply with the core of Android indicates Triada's creators are experienced hackers looking to increase their revenue."The Triada of Ztrog, Gorpo and Leech [three elements of the collective 'Triada' malware] marks a new stage in the evolution of Android-based threats," said Nikita Buchka , Junior Malware Analyst at Kaspersky Labs.The Trojan can be used to intercept and reroute SMS messages being sent by legitimate apps on the phone. Kaspersky suggests this functionality could be used to direct money from in-app purchases in games to the malware's creators, rather than the game developer.Currently, Triada only runs on Android 4.4.4 Kitkat and does not affect newer versions of the operating system. Its success means it is likely to be updated in the future for wider use in cybercrime though. Kitkat is already one of the most prevalent Android versions around as successors Lollipop and Marshmallow still hold miniscule overall market share.Kaspersky warns it is "nearly impossible" to delete the Trojan once installed. It can only be done by "rooting" the phone and manually removing all the Triada components or by jailbreaking the Android system. Neither route will be particularly welcoming to all but power users who understand how Android works and are aware of the dangers involved with rooting and jailbreaking. More about Trojan, Android, Mobile, Security, Device Trojan Android Mobile Security Device Hack Attack Cybercrime