Technical Analysis of Ducex: Packer of Triada Android Malware 

MITRE Techniques

• [T1036] Masquerading – The packer uses a fake Telegram app to disguise the Triada malware payload (‘sample in question was embedded in a fake Telegram app’).
• [T1553] Subvert Trust Controls – Ducex performs APK signature verification and terminates execution if signatures do not match, preventing tampering (‘app checks the APK signature and terminates if it doesn’t match’).
• [T1620] Reflective Code Loading – Triada stores its payload as additional dex modules inside classes.dex which are decrypted and executed at runtime (‘stored within Ducex’s own classes.dex file in a large, additional section’).
• [T1218] Signed Binary Proxy Execution – The packer uses library “libducex.so” with encrypted functions loaded dynamically (‘most methods of this class are native, and they are implemented in the “libducex.so” library’).
• [T1064] Scripting – Custom decryption scripts and native code functions are used to decode encrypted functions and strings (‘function decryption occurs in .init_proc’).
• [T1622] Debugger Detection – Ducex detects debugging tools like Frida, Xposed, and Substrate and terminates the process upon detection (‘if any of these strings are found in memory, the process terminates execution’).
• [T1059] Command and Control – Triada communicates with characteristic domains identified during sandbox analysis (‘recognizing the characteristic domains it communicated with’).
• [T1055] Process Injection – Self-debugging is implemented by parent and child processes monitoring each other using ptrace and fork system calls (‘parent process uses fork and ptrace to block external tracing’).