A powerful form of Android surveillance malware with the ability to record phone calls, monitor text messages, secretly steal photos and videos, and collect the location of the user is disguising itself in a repackaged version of a legitimate app and being distributed as part of what appears to be a targeted and sophisticated espionage campaign.
Uncovered by researchers at Bitdefender and named Triout, the malware has been active since at least May this year and is packaged inside a phony version of an Android app which was previously available on the Google Play store in 2016, but has since been removed. The repackaged version of the app is still signed with an authentic Google Debug Certificate.
It’s unclear how the malicious app is distributed or how many times it has been successfully installed, but researchers believe that Triout is delivered to victims by third-party marketplaces or other forms of attacker-controlled domains which host the malware.
Analysis of the spyware suggests that it was first submitted from Russia — although not necessarily built there — and that the majority of the detected samples are in Israel, pointing to the possibility of a specially targeted campaign against individuals within the country.
However, while there’s not yet enough evidence to determine who the attackers are, one thing is for certain — they have access to resources and knowledge to build a sophisticated form of spyware.
“We presume that this is an espionage campaign, given the fact that the malware is able to upload recorded phone calls. This is infeasible for a commercial actor because of the diversity of languages they would receive the calls in,” Bogdan Botezatu, senior e-threat analyst at Bitdefender told ZDNet.
“Since the application records phone calls and picks short messages up, we presume that whoever gets the information has the ability to translate them and make sense of the information collected,” he added.
SEE: What is malware? Everything you need to know about viruses, trojans and malicious software
The malware is extremely stealthy, designed to look and function exactly like the app it purports to be — in this case, an adult app called ‘Sex Game’ — while also turning the infected Android device into a powerful surveillance tool which sends stolen data back to an attacker-controlled command and control server.
Investigation of the spyware capabilities found that it records every phone call as a media file and sends the audio along with the caller ID to the attackers, as well as logging information about every incoming text message.
Whenever the user takes a photo, Triout also sends that to the hackers and the attackers can ask for the GPS coordinates of the user at any given time.
But despite the powerful capabilities of the malware, researchers found that the malware sample is completely unobfuscated, meaning that by unpacking the .apk file, the source code becomes available to see.
SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)
This doesn’t seem to sit well alongside the sophistication of the malware itself, leading researchers to suggest that the framework itself could be a work-in-progress as the developers test features and compatibility with devices.
Bitdefender note that the attackers have recently upgraded the command and control infrastructure and that the campaign is still active — but there are simple steps which can be taken to avoid falling victim to Triout or similar campaigns.
“Users should be aware of any applications that do not come from the official store and refuse to sideload it if it gets downloaded from the web and make sure that the requested permissions are in line with the functionality provided by the application,” said Botezatu.
“Unless absolutely required, users should be reluctant to granting applications permissions to read short messages, access call information or use the device’s sensors.”
READ MORE ON CYBER CRIME