Select Page

Security researchers have uncovered a new, powerful Android malware framework that is being used by cybercriminals to turn legitimate apps into spyware with extensive surveillance capabilities—as part of what seems to be a targeted espionage campaign.

Legitimate Android applications when bundled with the malware framework, dubbed Triout, gain capabilities to spy on infected devices by recording phone calls, and monitoring text messages, secretly stealing photos and videos, and collecting location data—all without users’ knowledge.

The strain of Triout-based spyware apps was first spotted by the security researchers at Bitdefender on May 15 when a sample of the malware was uploaded to VirusTotal by somebody located in Russia, but most of the scans came from Israel.

In a white paper (PDF) published Monday, Bitdefender researcher Cristofor Ochinca said the malware sample analysed by them was packaged inside a malicious version of an Android app which was available on Google Play in 2016 but has since been removed.

The malware is extremely stealthy, as the repackaged version of the Android app kept the appearance and feel of the original app and function exactly like it—in this case, the researcher analysed an adult app called ‘Sex Game’— to trick its victims.

However, in reality, the app contains a malicious Triout payload that has powerful surveillance capabilities which steal data on users and sends it back to an attacker-controlled command and control (C&C) server.

According to the researcher, Triout can perform many spying operations once it compromises a system, including:

  • Recording every phone call, saving it in the form of a media file, and then sending it together with the caller id to a remote C&C server.
  • Logging every incoming SMS message to the remote C&C server.
  • Sending all call logs (with name, number, date, type, and duration) to the C&C server.
  • Sending every picture and video to the attackers whenever the user snaps a photo or record video, either with the front or rear camera.
  • Capability to hide itself on the infected device.

But despite the powerful capabilities of the malware, the researchers found that the malware does not use obfuscation, which helped the researchers get full access to its source code by merely unpacking the APK file—suggesting the malware is a work-in-progress.

images from Hacker News