Ducex, a high-end packer, is now being used to pack the Triada trojan, which has been one of the most sophisticated Android malware families since 2016. Ducex itself carries no malicious functionality of its own; its design is oriented entirely toward evading detection and making reverse engineering harder. Our researchers found Ducex inside a trojanized build of Telegram, where it serves as a protective shell for Triada.

Advanced Obfuscation Techniques

Ducex protects its payload with several new obfuscation techniques. All strings are encrypted with a custom sequential XOR scheme that uses a 16-byte key which changes as decryption proceeds, leaving little of the packer's activity visible in plain text.
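To make the string-encryption idea concrete, the following is an added example, not Ducex's actual routine and not code from the original report. The page says only that a sequential XOR scheme with a 16-byte key that changes as it runs is applied; the chaining rule used here (each 16-byte ciphertext block becomes the key for the next block) and the sample key and strings are assumptions. It shows how an analyst's decoder works once the initial key and the key schedule are known: the key evolves from ciphertext only, so a whole string table can be recovered without any plaintext feedback.

```python
"""Illustrative rolling-key XOR string cipher (added example, assumed scheme)."""

BLOCK = 16  # assumed block size, matching the 16-byte key stated on the page


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _next_key(prev_key: bytes, cblock: bytes) -> bytes:
    """Assumed key schedule: the ciphertext block replaces the key; a short
    final block keeps the trailing bytes of the previous key."""
    return cblock + prev_key[len(cblock):]


def encrypt(plaintext: bytes, key: bytes) -> bytes:
    if len(key) != BLOCK:
        raise ValueError("key must be 16 bytes")
    out = bytearray()
    for i in range(0, len(plaintext), BLOCK):
        cblock = _xor(plaintext[i:i + BLOCK], key)
        out += cblock
        key = _next_key(key, cblock)
    return bytes(out)


def decrypt(ciphertext: bytes, key: bytes) -> bytes:
    if len(key) != BLOCK:
        raise ValueError("key must be 16 bytes")
    out = bytearray()
    for i in range(0, len(ciphertext), BLOCK):
        cblock = ciphertext[i:i + BLOCK]
        out += _xor(cblock, key)
        # the next key derives from the ciphertext just consumed, so the
        # decoder never needs the plaintext to keep its key in sync
        key = _next_key(key, cblock)
    return bytes(out)


def decrypt_table(blobs, key: bytes):
    """Decode a list of encrypted strings the way an analysis helper would."""
    return [decrypt(b, key).decode("utf-8", errors="replace") for b in blobs]


# Constructed sample key and string table (not values from any real sample).
KEY = bytes(range(0x10, 0x20))
SAMPLE_STRINGS = [b"Frida", b"Xposed", b"Substrate", b"payload offset in classes.dex"]
SAMPLE_BLOBS = [encrypt(s, KEY) for s in SAMPLE_STRINGS]

if __name__ == "__main__":
    for blob, text in zip(SAMPLE_BLOBS, decrypt_table(SAMPLE_BLOBS, KEY)):
        print(blob.hex(), "->", text)
```

Because the key for block i+1 is simply ciphertext block i, a 32-byte plaintext of repeated bytes leaks the initial key in its second ciphertext block, which is exactly the kind of weakness an analyst looks for when choosing where to start.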

The packer also obfuscates control flow with convoluted loops and conditional structures, bloating simple functions to deter manual code review. This makes analysis orders of magnitude more laborious and time-consuming for security researchers.

Ducex uses two decryption routines, one based on a modified RC4 and the other on the little-known Chinese SM4 block cipher. Stacking these encryption layers adds yet more complexity for analysts trying to reverse-engineer and understand the malware.

Anti-Analysis Measures

Ducex scans memory for traces of popular analysis tools such as Frida, Xposed and Substrate and terminates execution if any is found. This anti-debugging check substantially raises the difficulty of dynamic analysis.

On inspection, the payload turns out to be hidden inside the packer's own classes.dex file. Rather than shipping as a separate file, it is stored as a large appendage to that dex, so it never appears as an independent program. This storage strategy, combined with partial encryption of the dex modules (namely their first 2048 bytes), keeps key components out of reach of static analysis.
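The two behaviours just described, a payload appended to classes.dex with an encrypted 2048-byte prefix and a check for analysis-tool names, both leave marks a defender can look for offline. The script below is an added example, not a tool from the original report or from any vendor; it parses the real DEX header layout (magic at offset 0, file_size and header_size at offsets 32 and 36), reports any bytes beyond the declared file_size, measures the entropy of the first 2048 bytes of that trailing region, and flags plain-text tool names. The entropy threshold and the constructed sample files are assumptions.

```python
"""Static triage for a DEX file that may carry an appended payload (added example)."""
import math
import struct

DEX_MAGIC = b"dex\n"
DEX_HEADER_SIZE = 0x70            # header_size of a standard DEX header
ENCRYPTED_PREFIX = 2048           # encrypted prefix length stated on the page
ENTROPY_THRESHOLD = 7.0           # assumed cut-off; uniform bytes score 8.0
ANALYSIS_TOOL_MARKERS = [b"frida", b"xposed", b"substrate"]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 0.0 for a constant run, 8.0 for a uniform distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_header(blob: bytes):
    """Return file_size/header_size from a DEX header, or None if not a DEX."""
    if len(blob) < DEX_HEADER_SIZE or not blob.startswith(DEX_MAGIC):
        return None
    file_size, header_size = struct.unpack_from("<II", blob, 32)
    return {"file_size": file_size, "header_size": header_size}


def triage(blob: bytes) -> dict:
    report = {"valid_header": False, "trailing_bytes": 0,
              "trailing_prefix_entropy": 0.0, "tool_markers": []}
    hdr = parse_header(blob)
    if hdr and hdr["header_size"] == DEX_HEADER_SIZE and hdr["file_size"] <= len(blob):
        report["valid_header"] = True
        # anything past the declared size is not part of the DEX the runtime loads
        trailing = blob[hdr["file_size"]:]
        report["trailing_bytes"] = len(trailing)
        report["trailing_prefix_entropy"] = round(
            shannon_entropy(trailing[:ENCRYPTED_PREFIX]), 3)
    lowered = blob.lower()
    report["tool_markers"] = [m.decode() for m in ANALYSIS_TOOL_MARKERS if m in lowered]
    report["suspicious"] = (
        report["trailing_bytes"] > 0
        and report["trailing_prefix_entropy"] > ENTROPY_THRESHOLD
    ) or bool(report["tool_markers"])
    return report


def make_sample_dex(body: bytes, appended: bytes = b"") -> bytes:
    """Constructed minimal DEX-like blob: valid magic and size fields, dummy body."""
    header = bytearray(DEX_HEADER_SIZE)
    header[:8] = b"dex\n035\0"
    struct.pack_into("<II", header, 32, DEX_HEADER_SIZE + len(body), DEX_HEADER_SIZE)
    return bytes(header) + body + appended


# Constructed samples: a clean DEX, and one with a high-entropy 2048-byte
# prefix followed by a plain remainder, plus a tool name in the body.
CLEAN_SAMPLE = make_sample_dex(b"\x00" * 64)
HIGH_ENTROPY_PREFIX = bytes(range(256)) * 8   # exactly 8.0 bits/byte, 2048 bytes
PACKED_SAMPLE = make_sample_dex(b"uses FRIDA check", HIGH_ENTROPY_PREFIX + b"tail")

if __name__ == "__main__":
    print("clean :", triage(CLEAN_SAMPLE))
    print("packed:", triage(PACKED_SAMPLE))
```

Run it against a real classes.dex by reading the file into `triage()`; a non-zero `trailing_bytes` with a high-entropy prefix is the signal worth escalating, while tool-name strings alone are only a hint, since legitimate apps may reference the same names.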

Together these measures pose significant challenges for both static and dynamic analysis. As a result, researchers have a harder time studying and defending against the Triada trojan.

A Formidable Gatekeeper

Ducex's architecture represents an expert-level approach to evasion: it combines encryption, obfuscation and anti-debugging techniques to wall off the Triada payload. The anti-analysis mechanisms and the encrypted configurations described above are the specific efforts with which the developers built those walls.

Ducex is certainly one of the most sophisticated tools we've seen in the Android malware ecosystem, expertly designed to keep Triada out of sight. It is not a weapon in itself; its purpose is to act as a protective barrier that confuses and frustrates even the most experienced researchers.