Trusted News Since 1995
A service for technology industry professionals · Tuesday, July 8, 2025 · 829,525,919 Articles · 3+ Million Readers

ANY.RUN Researches Ducex: Packer Used in Triada Android Malware

DUBAI, DUBAI, UNITED ARAB EMIRATES, July 8, 2025 /EINPresswire.com/ -- Cybersecurity analysts at ANY.RUN, an established provider of threat analysis and intelligence solutions, published comprehensive research on Ducex, a sophisticated code packer used by the Triada Android malware. The research uncovered a multi-layered obfuscation system that combines encryption with anti-analysis techniques to evade security detection.

Key Findings

Ducex is an advanced Chinese Android packer found in Triada samples; its primary goal is to complicate analysis and hinder detection of its payload.

· Encrypted Functions: The packer employs serious obfuscation through function encryption using a modified RC4 algorithm with added shuffling.

· XORed Strings: Beyond functions, all strings used by Ducex are also encrypted using a simple sequential XOR algorithm with a changing 16-byte key.

· Debugging Challenges: Ducex creates major roadblocks for debugging. It verifies the APK signature and fails if the app has been re-signed. It also employs self-debugging using fork and ptrace to block external tracing, and it stops running if tools such as Frida are detected in memory.
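The "sequential XOR with a changing 16-byte key" described above is the kind of string obfuscation an analyst undoes with a short decryptor once the key schedule is understood. The following is an added example, not code from ANY.RUN's research: the key-update rule (advance the key every 16 bytes by adding the block index to each key byte) and the sample strings and key are assumptions constructed for illustration, not the actual Ducex scheme.

```python
# Added example: rolling-key sequential XOR string decryptor (illustrative).
# The key-update rule below is an ASSUMPTION for demonstration; it is not the
# rule ANY.RUN documented for Ducex.

KEY_LEN = 16


def key_for_block(base_key: bytes, block_index: int) -> bytes:
    """Derive the key used for a given 16-byte block (assumed update rule)."""
    if len(base_key) != KEY_LEN:
        raise ValueError("base key must be exactly 16 bytes")
    return bytes((b + block_index) & 0xFF for b in base_key)


def xor_rolling(data: bytes, base_key: bytes) -> bytes:
    """Sequentially XOR data with a key that changes every KEY_LEN bytes.

    XOR is its own inverse, so this one function both encrypts and decrypts
    as long as the key schedule depends only on position, not on the data.
    """
    out = bytearray(len(data))
    block_key = key_for_block(base_key, 0)
    for i, c in enumerate(data):
        if i and i % KEY_LEN == 0:
            block_key = key_for_block(base_key, i // KEY_LEN)
        out[i] = c ^ block_key[i % KEY_LEN]
    return bytes(out)


def decrypt_string_table(blobs: list[bytes], base_key: bytes) -> list[str]:
    """Decrypt NUL-terminated encrypted string blobs back to text."""
    result = []
    for blob in blobs:
        plain = xor_rolling(blob, base_key)
        result.append(plain.split(b"\x00", 1)[0].decode("utf-8", errors="replace"))
    return result


# Constructed sample: generic strings a packer stub might hide, encrypted here
# with a constructed key so the example runs offline. The second string spans
# a 16-byte block boundary, exercising the key change.
SAMPLE_KEY = bytes(range(0x10, 0x20))
SAMPLE_PLAINTEXT = [b"payload.dex\x00", b"/proc/self/status\x00", b"frida\x00"]
SAMPLE_BLOBS = [xor_rolling(s, SAMPLE_KEY) for s in SAMPLE_PLAINTEXT]

if __name__ == "__main__":
    for s in decrypt_string_table(SAMPLE_BLOBS, SAMPLE_KEY):
        print(s)
```

The recovered strings are what a detection engineer feeds into behavioural rules: a packer can hide them at rest, but the decryptor output (paths, tool names, class names) is exactly what appears in memory once the stub runs.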

These capabilities represent a concerning trend toward more resilient malware that can adapt to and evade security measures.
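The fork-and-ptrace self-debugging described in the findings leaves a visible trace on the device: the protected process reports a non-zero TracerPid, and that tracer is its own child. The following added example (not part of the ANY.RUN research) parses /proc/<pid>/status text and flags that relationship; the status samples are constructed, and reading other processes' /proc entries on a real Android device is assumed to require appropriate privileges.

```python
# Added example: detection-side check for the fork+ptrace self-debugging
# pattern, run over constructed /proc/<pid>/status samples.
import re

STATUS_LINE = re.compile(r"^(Pid|PPid|TracerPid):\s+(\d+)\s*$")
REQUIRED_FIELDS = ("Pid", "PPid", "TracerPid")


def parse_proc_status(text: str) -> dict[str, int]:
    """Extract the Pid, PPid and TracerPid integers from /proc/<pid>/status text."""
    fields: dict[str, int] = {}
    for line in text.splitlines():
        m = STATUS_LINE.match(line)
        if m:
            fields[m.group(1)] = int(m.group(2))
    missing = [f for f in REQUIRED_FIELDS if f not in fields]
    if missing:
        raise ValueError(f"status text missing fields: {missing}")
    return fields


def find_self_tracing(statuses: list[str]) -> list[tuple[int, int]]:
    """Return (tracee, tracer) pairs where a process is traced by its own child.

    A parent that forks a child which then ptrace-attaches to it cannot be
    attached by an external debugger (only one tracer per process). The
    child-traces-parent direction is used here because parent-traces-child
    is indistinguishable from an ordinary debugger launching a program.
    """
    parsed = [parse_proc_status(s) for s in statuses]
    by_pid = {p["Pid"]: p for p in parsed}
    hits = []
    for p in parsed:
        tracer = p["TracerPid"]
        if tracer == 0:
            continue
        tracer_status = by_pid.get(tracer)
        if tracer_status is not None and tracer_status["PPid"] == p["Pid"]:
            hits.append((p["Pid"], tracer))
    return sorted(hits)


# Constructed samples: an app process traced by its forked child, the child
# itself, and an unrelated untraced system process.
SAMPLE_STATUSES = [
    "Name:\tapp_process\nState:\tS (sleeping)\nPid:\t4242\nPPid:\t610\nTracerPid:\t4243\nUid:\t10105\n",
    "Name:\tapp_process\nState:\tS (sleeping)\nPid:\t4243\nPPid:\t4242\nTracerPid:\t0\nUid:\t10105\n",
    "Name:\tsurfaceflinger\nState:\tS (sleeping)\nPid:\t700\nPPid:\t1\nTracerPid:\t0\nUid:\t1000\n",
]

if __name__ == "__main__":
    for tracee, tracer in find_self_tracing(SAMPLE_STATUSES):
        print(f"pid {tracee} is traced by its own child {tracer}: self-debugging pattern")
```

On a live system the list would be built from the contents of every readable /proc/*/status file; the check is cheap enough to run as part of a triage script, and a hit is a strong cue to analyse the sample in an emulator or sandbox that does not depend on attaching a debugger.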

Impact on Corporate Cybersecurity

The findings have significant implications for the cybersecurity community:

· Detection Challenges: Traditional signature-based detection methods are largely ineffective against this level of obfuscation, requiring more sophisticated behavioral analysis techniques.

· Analysis Complexity: Security researchers must develop new methodologies to analyze heavily obfuscated malware, potentially requiring specialized tools and extended analysis timeframes.

· Mobile Security Concerns: The integration of such sophisticated protection mechanisms into mobile malware represents an escalation in the mobile threat landscape, particularly for Android devices.

The research contributes to the broader understanding of advanced persistent threats (APTs) and sophisticated malware families. It provides detailed technical documentation, including decryption scripts and indicators of compromise (IOCs) to assist the security community in detecting and analyzing similar threats.

Read the full article in ANY.RUN's blog.

About ANY.RUN

ANY.RUN is an interactive malware analysis and threat intelligence provider trusted by SOCs, CERTs, MSSPs, and cybersecurity researchers. The company's solutions are leveraged by 15,000 corporate security teams for incident investigations worldwide.

With real-time visibility into malware behavior, a focus on real-time interaction and actionable intelligence, ANY.RUN accelerates incident response, supports in-depth research, and helps defenders stay ahead of evolving threats.

The ANY.RUN team
ANYRUN FZCO
+1 657-366-5050

Powered by EIN Presswire

Distribution channels: Banking, Finance & Investment Industry, Companies, IT Industry, International Organizations, Technology

Legal Disclaimer:

EIN Presswire provides this news content "as is" without warranty of any kind. We do not accept any responsibility or liability for the accuracy, content, images, videos, licenses, completeness, legality, or reliability of the information contained in this article. If you have any complaints or copyright issues related to this article, kindly contact the author above.
