Researchers at Bitdefender have identified a new Android malware titled, Triout which acts as a framework for turning legitimate applications into spyware. It is used to inject extensive surveillance capabilities into seemingly benign applications. Triout is found bundled with a repackaged app; with capabilities including recording phone calls, logging incoming text messages, recoding videos, taking pictures and collecting GPS coordinates. Then broadcasting all of that back to an attacker-controlled C2 (command and control) server. The sample’s first appearance seems to be 15 May 2018, when it was uploaded to VirusTotal.
Capabilities
The malware has a vast array of advanced capabilities including:
- Recording every call taking place on the phone
- Uploads recorded phone calls to a remote server
- Steals call log data
- Collect and steals SMS messages which include both incoming and outgoing messages
- Sends phone's GPS coordinates to a remote server
- Uploads a copy of every picture taken with the phone's cameras to a remote server
- Ability to take remote photos and videos from both front and back cameras
- Advanced stealth capabilities that allow it to hide from the target user
- Command and Control (C2) Server
Infection Technique
It is bundled with legitimate applications thus making users unaware of its presence. The malware was first observed lurking in an app and repackaged to look identical to a legitimate Android app called “Sex Game.” As with both versions, they have identical icons and capabilities.
As the above screenshots indicate, both applications are similar in functionality. The malware application is almost identical to the original app, both in code and functionality, except for the malicious payload. Starting from the app’s icon to the in-app screens, the malicious version seems to keep all original functionality potentially so as not to arouse any suspicion from its victim.1
The C2 server, to which the application is sending the collected data, is operational and the campaign is ongoing, according to researchers. It is believed to be a highly targeted attack against a set of people, most probably in Israel. The researchers also presume that this application targets several key victims for espionage or data collection purposes.
Prevention Techniques
The best way to protect yourself from such malicious apps is to always download applications from trusted sources, like Google Play Store, and stick only to verified developers.
Think twice before granting any app permission to read your messages, access your call logs, your GPS coordinates, and any other data obtained via the Android's sensors. Common mitigation techniques are:
- Consider before granting a permission to any application.
- Download applications from trusted sources like Google Play Store.
- Keep your phone and applications up to date.
- Encrypt your devices.
- Make frequent backups of important data
- Install anti-malware on their devices.
Other Sources:
- https://www.bleepingcomputer.com/news/security/new-android-triout-malware-can-record-phone-calls-steal-pictures/
- https://threatpost.com/triout-malware-carries-out-extensive-targeted-android-surveillance/136773/
- https://labs.bitdefender.com/2018/08/triout-spyware-framework-for-android-with-extensive-surveillance-capabilities/
For questions, comments or assistance regarding this report, please contact Wapack Labs at 603-606-1246, or feedback@wapacklabs.com
___________________
Comments