My Account Login

ANY.RUN Researches Ducex: Packer Used in Triada Android Malware

DUBAI, DUBAI, UNITED ARAB EMIRATES, July 8, 2025 /EINPresswire.com/ -- Cybersecurity analysts at ANY.RUN, an established provider of threat analysis and intelligence solutions, published comprehensive research revealing the sophisticated code packing tool Ducex used by Triada Android malware. The research uncovered an advanced obfuscation system that employs multiple layers of encryption and anti-analysis techniques to evade security detection.

๐Š๐ž๐ฒ ๐…๐ข๐ง๐๐ข๐ง๐ ๐ฌ

Ducex is an advanced Chinese Android packer found in Triada samples, whose primary goal is to complicate analysis and confuse the detection of its payload.

ยท ๐—˜๐—ป๐—ฐ๐—ฟ๐˜†๐—ฝ๐˜๐—ฒ๐—ฑ ๐—™๐˜‚๐—ป๐—ฐ๐˜๐—ถ๐—ผ๐—ป๐˜€: The packer employs serious obfuscation through function encryption using a modified RC4 algorithm with added shuffling.

ยท ๐—ซ๐—ข๐—ฅ๐—ฒ๐—ฑ ๐—ฆ๐˜๐—ฟ๐—ถ๐—ป๐—ด๐˜€: Beyond functions, all strings used by Ducex are also encrypted using a simple sequential XOR algorithm with a changing 16-byte key.

ยท ๐——๐—ฒ๐—ฏ๐˜‚๐—ด๐—ด๐—ถ๐—ป๐—ด ๐—–๐—ต๐—ฎ๐—น๐—น๐—ฒ๐—ป๐—ด๐—ฒ๐˜€: Ducex creates major roadblocks for debugging. It performs APK signature verification, failing if the app is re-signed. It also employs self-debugging using fork and ptrace to block external tracing and stops running if tools like Frida are detected in memory.

These capabilities represent a concerning trend toward more resilient malware that can adapt to and evade security measures.

๐ˆ๐ฆ๐ฉ๐š๐œ๐ญ ๐จ๐ง ๐‚๐จ๐ซ๐ฉ๐จ๐ซ๐š๐ญ๐ž ๐‚๐ฒ๐›๐ž๐ซ๐ฌ๐ž๐œ๐ฎ๐ซ๐ข๐ญ๐ฒ

The findings have significant implications for the cybersecurity community:

ยท ๐——๐—ฒ๐˜๐—ฒ๐—ฐ๐˜๐—ถ๐—ผ๐—ป ๐—–๐—ต๐—ฎ๐—น๐—น๐—ฒ๐—ป๐—ด๐—ฒ๐˜€: Traditional signature-based detection methods are largely ineffective against this level of obfuscation, requiring more sophisticated behavioral analysis techniques.

ยท ๐—”๐—ป๐—ฎ๐—น๐˜†๐˜€๐—ถ๐˜€ ๐—–๐—ผ๐—บ๐—ฝ๐—น๐—ฒ๐˜…๐—ถ๐˜๐˜†: Security researchers must develop new methodologies to analyze heavily obfuscated malware, potentially requiring specialized tools and extended analysis timeframes.

ยท ๐— ๐—ผ๐—ฏ๐—ถ๐—น๐—ฒ ๐—ฆ๐—ฒ๐—ฐ๐˜‚๐—ฟ๐—ถ๐˜๐˜† ๐—–๐—ผ๐—ป๐—ฐ๐—ฒ๐—ฟ๐—ป๐˜€: The integration of such sophisticated protection mechanisms into mobile malware represents an escalation in the mobile threat landscape, particularly for Android devices.

The research contributes to the broader understanding of advanced persistent threats (APTs) and sophisticated malware families. It provides detailed technical documentation, including decryption scripts and indicators of compromise (IOCs) to assist the security community in detecting and analyzing similar threats.

Read the full article in ANY.RUNโ€™s blog.

๐€๐›๐จ๐ฎ๐ญ ๐€๐๐˜.๐‘๐”๐

ANY.RUN is an interactive malware analysis and threat intelligence provider trusted by SOCs, CERTs, MSSPs, and cybersecurity researchers. The companyโ€™s solutions are leveraged by 15,000 corporate security teams for incident investigations worldwide.

With real-time visibility into malware behavior, a focus on real-time interaction and actionable intelligence, ANY.RUN accelerates incident response, supports in-depth research, and helps defenders stay ahead of evolving threats.

The ANY.RUN team
ANYRUN FZCO
+1 657-366-5050
email us here
Visit us on social media:
LinkedIn

Twitter

View full experience

Distribution channels: Banking, Finance & Investment Industry, Companies, IT Industry, International Organizations, Technology