Triout

Security researchers from Bitdefender have discovered a new Android malware strain named Triout that comes equipped with intrusive spyware capabilities, such as the ability to record phone calls and steal pictures taken with the device.

Researchers spotted the malware for the first time a month ago, but they say they identified signs of its activity going back as far as mid-May, when it was first uploaded on VirusTotal, a website that aggregates multiple antivirus scanning engines.

Bitdefender says Triout samples they discovered were masquerading in a clone of a legitimate application, but they were unable to discover where this malicious app was being distributed from. The obvious guess would be via third-party Android app stores, or app-sharing forums, popular in some areas of the globe.

Researchers said the first Triout sample uploaded on VirusTotal came from Russia, but subsequent samples were uploaded from an Israeli IP.

Triout is a pretty capable spyware

As for the malware itself, Triout comes with some pretty advanced features. According to a 16-page white paper on the malware's capabilities published earlier today, Triout can:

- record every call taking place on the phone
- upload recorded phone calls to a remote server
- steal call log data
- collect and steal SMS messages
- send phone's GPS coordinates to a remote server
- upload a copy of every picture taken with the phone's cameras to a remote server
- hide from the user's view

These are some pretty high-level features that require advanced knowledge of the Android OS. Generally speaking, similar malware is used by nation-state hackers or by experienced cyber-criminals.

But Bitdefender says that despite the malware's advanced capabilities, its authors appear to have also slipped up.

"What’s striking [...] is that it’s completely unobfuscated, meaning that simply by unpacking the [cloned app's] .apk file, full access to the source code becomes available," Bitdefender wrote in its report, suggesting that they had no difficulty in accessing and analyzing Triout's entire feature set.

"This could suggest the [Triout] framework may be a work-in-progress, with developers testing features and compatibility with devices," researchers added.

Triout C&C server still up and running

There were no clues to help analysts determine if Triout was the work of a nation-state hacker or a cyber-criminal involved in some sort of economic espionage.

Nevertheless, Triout operators don't appear to have detected Bitdefender researchers sniffing around their command and control server.

"The C&C (command and control) server to which the application seems to be sending collected data appears to be operational, as of
this writing, and running since May 2018," the Romania-based antivirus firm said, suggesting that Triout campaigns are most likely going on as we speak.

Related Articles:

Cheap Android Phones and Poor Quality Control Leads to Malware Surprise

November Android Security Update Fixes Critical Bugs, Drops Media Library

Emotet Trojan Begins Stealing Victim's Email Using New Module

AutoHotkey Malware Is Now a Thing

Google’s Android Apps Are No Longer Free for European Smartphone Makers