Mobile spyware with ‘massive’ surveillance capabilities poses as popular anti-censorship tool to gather data on select targets
A malware strain with “massive” surveillance capabilities has been repackaged to run invisibly alongside a popular privacy tool, researchers have found.
The Android malware framework Triout has been detected in a limited number of infections, leading researchers at Bitdefender to believe that it is used under targeted circumstances to conduct espionage on particular individuals.
Triout is typically bundled with a corrupted version of a legitimate application, and hides its activities on the device and its communications with the command and control server.
Meanwhile, it records phone calls, logs incoming text messages, records videos, takes pictures and collects the device’s GPS coordinates, Bitdefender said.
A previous version of Triout detected in August of last year was built into an adult content app, but the new version is attached to a legitimate tool called Psiphon that allows users to bypass restrictions, such as state-imposed blocks, in order to access internet content.
“Ironically, while the original legitimate application is advertised as a privacy tool that enables access to the open internet, when bundled with the Triout spyware framework it serves the exact opposite purpose,” Bitdefender analyst Liviu Arsene wrote in an advisory.
The application has more than 50 million installs and claims to have more than 12 million active daily users, which Bitdefender said may be why it was targeted by the Triout malware authors.
The version of Psiphon on Google Play is clean, with the Triout malware only being found on altered versions found on third-party app stores, researchers said.
The firm noted that aside from its spyware activities the malware contains three adware frameworks “to generate some revenue on the side”.
The firm said it discovered the new version of Triout in October 2018 and found that it was active from May to December of last year, with at least seven devices infected, including five in South Korea and two in Germany. The previous iteration appeared to target users in Israel.
The new iteration also shifts its command server to a legitimate-looking e-commerce website in France.
Bitdefender suggested the malware may have been targeted to particular individuals via social engineering techniques or a targeted online campaign.
Arsene said the popularity of Android devices makes them a natural target for espionage.
“The fact that new samples are emerging and that threat actors are using extremely popular apps to bundled the malware, may herald more incidents such as this in the near future,” he wrote.
Bitdefender recommends users to use Google’s official app store and to use security software that can detect Android malware, as well as keeping the Android operating system up to date with security patches.