Recently, security researchers conducted a detailed analysis on Triout malware which posed a serious privacy threat. Read on to know more about this malware…
Recently, researchers have found a malware strain with “massive” surveillance capabilities that has been repackaged to run invisibly alongside a popular privacy tool. Triout malware which wreaked havoc on Android devices way back in 2018 is back again in a new package. This time, it was bundled with a genuine Android app to hide its spyware functionalities.
The Android malware framework Triout has been detected in a limited number of infections. Lead researchers at Bitdefender believe that it is used under targeted circumstances to conduct espionage on particular individuals. Bitdefender said that the capabilities of Triout malware include recording phone calls, text messages, videos, pictures, as well as monitoring GPS coordinates of the users.
Bitdefender said it discovered the new version of Triout in October 2018 and found that it was active from May to December of last year, with at least seven devices infected, including five in South Korea and two in Germany. The previous iteration appeared to target users in Israel.
Triout is typically bundled with a corrupted version of a legitimate application, and hides its activities on the device and its communications with the command and control server. In its latest form, Triout hides behind a popular VPN app called Psiphon, with the package name ‘com.psiphon3’. With millions of installations, the app helps users make use of VPN to bypass network restrictions like websites bans in several countries or on private networks.
“What’s interesting about the new Triout sample is that the C&C (Command & Control) server the threat actors use to smuggle the data and control infected devices is now different. The new C&C IP address (“126.96.36.199”) is still operational at the time of writing and seems to point to a French website (“magicdeal.fr”) that displays deals and discounts for various products,” highlighted the blog by Bitdefender.
“It is currently unknown whether the website is a decoy or a legitimate website that the threat actors compromised to use as a C&C server,” the researchers added.
Bitdefender analyst Liviu Arsene wrote in an advisory that “Ironically, while the original legitimate application is advertised as a privacy tool that enables access to the open internet, when bundled with the Triout spyware framework it serves the exact opposite purpose,”
Researchers said that the version of Psiphon on Google Play is clean, with the Triout malware only being found on altered versions found on third-party app stores. Bitdefender noted that aside from its spyware activities the malware contains three adware frameworks “to generate some revenue on the side”.
The attackers have targeted the app installation file that is available on third-party sources, not the one present in Google Play. The unofficial app also comes with other adware on top of the Triout malware.
The application has more than 50 million installs and claims to have more than 12 million active daily users, which Bitdefender said may be why it was targeted by the Triout malware authors.
Antivirus company Bitdefender which conducted a detailed analysis regarding Triout’s development indicated that the malware impact was small region-wise, but was unable to trace it globally.
The new iteration also shifts its command server to a legitimate-looking e-commerce website in France. Bitdefender suggested the malware may have been targeted to particular individuals via social engineering techniques or a targeted online campaign. Arsene said the popularity of Android devices makes them a natural target for espionage.
“The fact that new samples are emerging and that threat actors are using extremely popular apps to bundled the malware, may herald more incidents such as this in the near future,” he wrote.
Bitdefender recommends users to use Google’s official app store and to use security software that can detect Android malware, as well as keeping the Android operating system up to date with security patches.