A new Android malware framework being used by cybercriminals has been revealed by security researchers. This malware, the report says, enables attackers to turn legitimate apps into powerful spyware that allows for extensive, highly intrusive surveillance of the victim.

Published on Monday, the report was led by Bitdefender researcher Cristofor Ochinca. According to the findings, a legitimate Android application bundled with the malware framework, dubbed ‘Triout’, allows attackers to record phone calls, monitor text messages, secretly extract photos and videos, and collect location data.

Android Malware Risks

Ochinca said the malware sample analyzed during his research was discreetly packaged inside a malicious version of an Android app, which was then made available to Google Play customers in 2016. He noted that it has since been removed, however.

The Triout-based spyware was first discovered by Bitdefender security researchers on 15 May, after a sample was uploaded to VirusTotal by an individual located in Russia. Despite the upload source, the majority of scans pointed to Israel as the main location of its use.

The report stated: “It’s interesting that Triout, which is detected by Bitdefender’s machine learning algorithms, was first submitted from Russia, and most scans/reports came from Israel.

“The sample’s first appearance seems to be May 15, 2018, when it was uploaded to VirusTotal, but it’s unclear how the tainted sample is disseminated. Third-party marketplaces or some other attacker-controlled domains are likely used to host the sample.”

According to Ochinca, this malware type is extremely discreet because it retains the appearance and functionality of the original app. The investigation focused specifically on one adult app called ‘Sex Game’, which was used to trick victims.

Once a user unknowingly installs the malicious Triout-containing app, its surveillance components steal user data and send it to a command and control (C&C) server operated by the attacker.

Multiple Capabilities

The report highlighted the malware’s frightening ability to perform multiple tasks at one time, enabling attackers to access a range of sensitive user data.

These capabilities include:

Records every phone call (literally the conversation as a media file), then sends it together with the caller id to the C&C (incall3.php and outcall3.php)

Logs every incoming SMS message (SMS body and SMS sender) to C&C (script3.php)

Has the capability to hide self

Can send all call logs (“content://call_log/calls”, info: callname, callnum, calldate, calltype, callduration) to C&C (calllog.php)

Whenever the user snaps a picture, either with the front or rear camera, it gets sent to the C&C (uppc.php, finpic.php or reqpic.php)

Can send GPS coordinates to C&C (gps3.php)
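The script names listed above are the most concrete indicators the report gives, so a defender's first use for them is a sweep of outbound web-proxy logs. The following is an added example, not code from Bitdefender or from the report: it parses a handful of constructed, Squid-style proxy log lines (timestamp, client, method, URL; none of the hosts or addresses are real indicators) and flags any request whose final path component matches one of the Triout C&C scripts, reporting which capability that script serves according to the list above.

```python
"""Flag HTTP requests whose URL path ends in one of the C&C script names
the Bitdefender report attributes to Triout.

Added example for illustration; the endpoint list comes from the report,
the log format and all log contents are constructed here."""
import re
from urllib.parse import urlsplit

# Script names from the report, mapped to the capability each one serves.
TRIOUT_ENDPOINTS = {
    "incall3.php": "call recording upload with caller id",
    "outcall3.php": "call recording upload with caller id",
    "script3.php": "incoming SMS logging",
    "calllog.php": "call log exfiltration",
    "uppc.php": "camera picture upload",
    "finpic.php": "camera picture upload",
    "reqpic.php": "camera picture upload",
    "gps3.php": "GPS coordinates",
}

# Constructed proxy log lines (not real traffic): timestamp, client IP, method, URL.
# Hosts use reserved/example ranges and the .invalid TLD on purpose.
SAMPLE_LOG = """\
1534300001.123 10.0.0.5 POST http://example.invalid/app/incall3.php
1534300002.456 10.0.0.5 GET http://update.example.invalid/script.php
1534300003.789 10.0.0.7 POST http://203.0.113.9/cmd/gps3.php?id=abc
1534300004.001 10.0.0.7 POST http://203.0.113.9/cmd/UpPc.php
1534300005.222 10.0.0.8 GET http://cdn.example.invalid/images/pic.png
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$")


def find_triout_requests(log_text):
    """Return (client, host, script, capability) tuples for every line whose
    request path ends in a known Triout script name.

    The match is on the last path component only, case-insensitive, with the
    query string ignored, so a C&C hosted under any directory is still caught."""
    hits = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole sweep
        parts = urlsplit(m.group("url"))
        script = parts.path.rsplit("/", 1)[-1].lower()
        if script in TRIOUT_ENDPOINTS:
            hits.append((m.group("client"), parts.hostname, script, TRIOUT_ENDPOINTS[script]))
    return hits


if __name__ == "__main__":
    for client, host, script, capability in find_triout_requests(SAMPLE_LOG):
        print(f"client {client} -> {host}/{script} ({capability})")
```

A hit here is a lead, not a verdict: names like calllog.php or gps3.php are generic enough to appear in unrelated web applications, so each flagged client should be checked for a sideloaded app with call-recording, SMS and camera permissions before it is treated as infected. The report itself notes that the distribution channel and C&C hosts are not fully known, which is why the match is on the script name rather than on any host.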

Although the report highlights the powerful capabilities of this malware, it also suggests it is a work-in-progress and can be easily foiled. As it does not use obfuscation, researchers were able to gain full access to the source code by unpacking its APK file.

Currently, there are still no clues as to how the repackaged version of the legitimate app was being distributed, or how many times it was installed on user devices. The malicious app, Ochinca suggested, was delivered to victims through third-party app stores or through other attacker-controlled domains.

Additionally, there is still little evidence to pinpoint where the attackers are from, the report said.
