Background

Android Spyware ‘Triout’ Can Record Most Interactions On Infected Mobile Devices

Users' personal data is precious and expensive, and hackers exploit vulnerabilities in systems to get their hands on it.

Researchers at Bitdefender have identified a powerful Android malware named ‘Triout’. Equipped with intrusive spyware capabilities, the malware is capable of recording most interactions on an infected phone, and sending all the collected data to a command and control center, the security researchers have warned.

The malware strain was first discovered in July 2018, although signs of malicious activity were identified as far back as mid-May, when the strain was uploaded to VirusTotal, a website that aggregates multiple antivirus scanning engines.

Bitdefender said that the Triout samples it discovered were hidden inside a clone of a legitimate application called 'SexGameForAdults', which was available on the Google Play Store in 2016.

Even though the app has since been removed from the Play Store, a repackaged version was later available for download from third-party sites, stores and app-sharing forums.

The malware has some advanced features. According to Bitdefender's 16-page white paper, the malware Triout can:

  • Record phone calls, together with the caller's ID.
  • Upload recorded conversations to a remote server.
  • Steal call log data.
  • Read, collect and steal SMS messages.
  • Send the phone's GPS coordinates to a remote server.
  • Upload a copy of every picture taken with the phone's cameras to a remote server.
  • Hide from the user's view.

The above abilities are considered high-level features, since implementing them requires the malware developer to have advanced knowledge of the Android OS. Malware with similar abilities has also been used by state-sponsored hackers and by experienced cyber-criminals.


While the malware is sophisticated and able to hide itself, Bitdefender found that it does not use obfuscation. The researchers got full access to its source code simply by unpacking the package, called 208822308.apk, whose contents are readable as-is.

This, Bitdefender notes, suggests that it may be an experimental version or a work in progress.

"What's striking about the sample is that it's completely unobfuscated, meaning that simply by unpacking the .apk file, full access to the source code becomes available. This could suggest the framework may be a work-in-progress, with developers testing features and compatibility with devices," explained the company.

With the exception of the malicious payload, the tainted version of the app is indistinguishable from the real thing, both in terms of the code and the functionality, "potentially so as not to arouse any suspicion from its victim." The sample was also signed with an authentic Google Debug Certificate.
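The capability list above and the debug-certificate detail are both things a defender can check statically before an APK ever runs. The following is an added example written for this article; it is not Bitdefender's tooling and nothing from the Triout white paper. It assumes the permission list was obtained as text from `aapt dump permissions` (a constructed sample is embedded), and it builds a constructed, APK-shaped zip whose META-INF/CERT.RSA entry stands in for a real PKCS#7 signature block. The package name, permission set and signer strings are all made up for the demonstration.

```python
"""Static triage heuristics for a suspicious APK.

Added example, not Bitdefender's tooling or anything from the Triout white paper.
It demonstrates two checks a defender would run on a repackaged app such as the
one described above:
  1. Does the declared permission set cover the spyware capabilities listed
     (call recording, call log, SMS, GPS, camera, network upload)?
  2. Is the APK's v1 signature block signed with the stock Android debug key
     (subject CN=Android Debug, O=Android, C=US)?
Only the Python standard library is used; the APK and aapt output are constructed here.
"""
import io
import re
import zipfile

# Permissions that together give an app the capabilities attributed to Triout.
SPYWARE_PERMISSIONS = {
    "android.permission.RECORD_AUDIO": "record phone calls",
    "android.permission.READ_PHONE_STATE": "obtain caller ID",
    "android.permission.READ_CALL_LOG": "read call log data",
    "android.permission.READ_SMS": "read SMS messages",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.ACCESS_FINE_LOCATION": "report GPS coordinates",
    "android.permission.CAMERA": "use the cameras",
    "android.permission.READ_EXTERNAL_STORAGE": "read stored pictures",
    "android.permission.INTERNET": "upload data to a remote server",
}

# Constructed `aapt dump permissions` output for a hypothetical repackaged game.
SAMPLE_AAPT_OUTPUT = """\
package: com.example.game
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='android.permission.READ_PHONE_STATE'
uses-permission: name='android.permission.READ_CALL_LOG'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.VIBRATE'
"""


def parse_aapt_permissions(aapt_output):
    """Extract permission names from `aapt dump permissions` text output."""
    return set(re.findall(r"uses-permission: name='([^']+)'", aapt_output))


def spyware_footprint(permissions):
    """Map permissions to spyware capabilities and decide whether the footprint
    is out of profile for a simple game (network access plus three or more
    distinct collection capabilities)."""
    hits = {p: SPYWARE_PERMISSIONS[p] for p in sorted(permissions) if p in SPYWARE_PERMISSIONS}
    collection = [p for p in hits if p != "android.permission.INTERNET"]
    suspicious = "android.permission.INTERNET" in hits and len(collection) >= 3
    return {"hits": hits, "suspicious": suspicious}


def build_sample_apk(debug_signed=True):
    """Build a minimal constructed APK-like zip. META-INF/CERT.RSA is a stand-in for
    the PKCS#7 signature block: real blocks are DER-encoded, but the signer's subject
    DN is still embedded as readable strings, which is what the heuristic keys on."""
    subject = b"Android Debug" if debug_signed else b"Example Studio Release Key"
    fake_sig_block = b"\x30\x82" + b"\x00" * 4 + subject + b"\x00Android\x00US"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<placeholder binary manifest>")
        z.writestr("classes.dex", b"dex\n035\0placeholder")
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", fake_sig_block)
    return buf.getvalue()


def signature_blocks(apk_bytes):
    """Yield (name, bytes) for every v1 signature block under META-INF/."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                yield name, z.read(name)


def is_debug_signed(apk_bytes):
    """Heuristic only: flags the stock debug key by its subject string. It does not
    verify the signature; `apksigner verify --print-certs` does that properly."""
    return any(b"Android Debug" in blob for _, blob in signature_blocks(apk_bytes))


def triage(apk_bytes, aapt_output):
    """Combine both checks into one report."""
    report = spyware_footprint(parse_aapt_permissions(aapt_output))
    report["debug_signed"] = is_debug_signed(apk_bytes)
    return report


if __name__ == "__main__":
    result = triage(build_sample_apk(), SAMPLE_AAPT_OUTPUT)
    for perm, capability in result["hits"].items():
        print(f"{perm:<45} -> {capability}")
    print("suspicious permission footprint:", result["suspicious"])
    print("signed with Android debug key:  ", result["debug_signed"])
```

Both checks are triage signals rather than verdicts: a legitimate messaging app will trip the permission heuristic, and the certificate check only matches the subject string rather than validating the chain, so a real review should confirm the signer with `apksigner verify --print-certs` and inspect the unpacked code, as the researchers did here.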

The researchers aren’t sure about the origins of the app, but suggested that it came from Russia. They also detected a lot of Israeli samples collected by the app.

To avoid falling victim to Triout or similar malware, the researchers urge users never to install apps from third-party providers. They also advise users not to grant apps unnecessary permissions, such as access to call logs, messages and media files.

Published: 24/08/2018