Ducex Packer: The New Shield for Triada Android Trojan Evading Detection
Researchers have uncovered a new packer, Ducex, which conceals one of the most formidable mobile malware threats, the Triada Trojan, through advanced encryption and obfuscation techniques. Its analysis in the interactive sandbox environment ANY.RUN reveals the extent to which Android threat developers have refined their tactics to evade detection.
Ducex was first identified within a counterfeit version of the Telegram app. While not inherently malicious, it plays a pivotal role: complicating the discovery of the underlying Trojan to the greatest possible extent. Acting as a sophisticated camouflage layer, the packer masks Triada’s malicious activity, significantly hindering the efforts of security analysts and defenders.
Ducex’s defining feature lies in its multi-layered architecture designed for encryption and concealment. A customized implementation of RC4, combined with unique byte permutation, protects critical functions—rendering conventional decryption tools ineffective. All code strings are encrypted using a sequential XOR algorithm with a dynamically changing 16-byte key, making static analysis virtually infeasible.
The Triada payload is embedded within Ducex’s classes.dex file as a non-standard extended section. This method prevents it from drawing suspicion, as the malicious code does not stand out as a separate component. Additionally, the first 2048 bytes of the DEX modules are encrypted, concealing vital code segments from researchers.
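Both tricks described above leave a footprint a defender can check for without decrypting anything: data appended past the end of the DEX that the header declares, and a header whose magic no longer reads `dex\n035\0` because it was encrypted. The following script is an added triage example written for this article, not code from the Ducex or Triada analysis; it parses the standard DEX header fields (magic at offset 0, `file_size` at offset 0x20) and reports both anomalies. The sample DEX blobs it builds are constructed stubs (a bare header, not a loadable module) to exercise the checks offline.

```python
import struct
import zipfile

DEX_MAGIC_PREFIX = b"dex\n"   # valid DEX files start with "dex\n0NN\0"
FILE_SIZE_OFFSET = 0x20       # little-endian uint32: declared size of the DEX
HEADER_SIZE_OFFSET = 0x24     # little-endian uint32: size of the header
HEADER_LEN = 0x70             # a standard DEX header is 0x70 bytes


def inspect_dex(data: bytes) -> dict:
    """Check a DEX blob for a damaged (possibly encrypted) header and for
    bytes appended after the declared file_size, i.e. a hidden extra section."""
    result = {
        "magic_ok": False,
        "declared_size": None,
        "actual_size": len(data),
        "trailing_bytes": 0,
        "findings": [],
    }
    if len(data) < HEADER_LEN:
        result["findings"].append("blob shorter than a DEX header")
        return result

    magic = data[:8]
    result["magic_ok"] = magic[:4] == DEX_MAGIC_PREFIX and magic[7:8] == b"\0"
    if not result["magic_ok"]:
        # An encrypted prefix (Ducex encrypts the first 2048 bytes) destroys the magic.
        result["findings"].append("invalid DEX magic: header may be encrypted or not a DEX")
        return result

    declared = struct.unpack_from("<I", data, FILE_SIZE_OFFSET)[0]
    result["declared_size"] = declared
    if declared > len(data):
        result["findings"].append("declared file_size exceeds actual length (truncated)")
    elif declared < len(data):
        # Anything after file_size is ignored by the DEX loader but still ships in the APK.
        result["trailing_bytes"] = len(data) - declared
        result["findings"].append(
            f"{len(data) - declared} bytes appended after the declared end of the DEX"
        )
    return result


def inspect_apk(path: str) -> dict:
    """Run inspect_dex over every classes*.dex entry of an APK (a plain ZIP)."""
    report = {}
    with zipfile.ZipFile(path) as apk:
        for name in apk.namelist():
            if name.startswith("classes") and name.endswith(".dex"):
                report[name] = inspect_dex(apk.read(name))
    return report


def build_sample_dex(appended: bytes = b"") -> bytes:
    """Constructed test input: a bare DEX header with file_size = HEADER_LEN,
    optionally followed by extra bytes standing in for an embedded section."""
    header = bytearray(HEADER_LEN)
    header[0:8] = b"dex\n035\0"
    struct.pack_into("<I", header, FILE_SIZE_OFFSET, HEADER_LEN)
    struct.pack_into("<I", header, HEADER_SIZE_OFFSET, HEADER_LEN)
    return bytes(header) + appended


if __name__ == "__main__":
    clean = build_sample_dex()
    with_section = build_sample_dex(b"\xAB" * 512)          # constructed appended blob
    encrypted = bytes(b ^ 0x5A for b in clean)              # constructed garbled header
    for label, blob in (("clean", clean), ("appended", with_section), ("encrypted", encrypted)):
        print(label, inspect_dex(blob)["findings"])
```

A hit on either finding is not proof of Ducex on its own (some legitimate tooling also leaves trailing data), but a `classes.dex` with an unreadable header or a large tail beyond `file_size` is exactly the kind of artifact worth pulling into a sandbox run like the one described here.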
Execution flow obfuscation further complicates analysis—simple functions are deliberately overloaded with convoluted loops and conditions to deter manual inspection. An APK signature verification mechanism is also in place; if the signature fails to match, the application forcibly terminates. This means any tampering, including re-signing for analysis purposes, leads to immediate failure.
Ducex is equipped to detect popular analysis tools such as Frida, Xposed, and Substrate, and halts execution instantly upon detecting their presence in memory. This renders debugging and dynamic behavioral inspection virtually impossible.
Of particular note is Ducex’s use of dual encryption strategies. In addition to the customized RC4, it employs the Chinese SM4 block cipher. The decryption process of the payload is divided into multiple stages and implemented through native functions such as init() and dl(). Only after this sequence does the fake Telegram app launch, within which the Triada Trojan begins to operate.
Thus, Ducex serves as a fully-fledged shield for Triada, functioning as a multi-tiered defense mechanism designed to thwart even the most sophisticated analysis attempts. This underscores the advanced technical sophistication of modern mobile threats and highlights the urgent need for innovative countermeasures in the realm of cybersecurity.