Security researchers from Bitdefender have discovered a new Android malware strain named Triout that comes equipped with intrusive spyware capabilities, such as the ability to record phone calls and steal pictures taken with the device.
Researchers spotted the malware for the first time a month ago, but they say they identified signs of its activity going back as far as mid-May, when it was first uploaded on VirusTotal, a website that aggregates multiple antivirus scanning engines.
Bitdefender says Triout samples they discovered were masquerading in a clone of a legitimate application, but they were unable to discover where this malicious app was being distributed from. The obvious guess would be via third-party Android app stores, or app-sharing forums, popular in some areas of the globe.
Researchers said the first Triout sample uploaded on VirusTotal came from Russia, but subsequent samples were uploaded from an Israeli IP.
As for the malware itself, Triout comes with some pretty advanced features. According to a 16-page white paper on the malware's capabilities published earlier today, Triout can:
These are some pretty high-level features that require advanced knowledge of the Android OS. Generally speaking, similar malware is used by nation-state hackers or by experienced cyber-criminals.
But Bitdefender says that despite the malware's advanced capabilities, its authors appear to have also slipped up.
"What’s striking [...] is that it’s completely unobfuscated, meaning that simply by unpacking the [cloned app's] .apk file, full access to the source code becomes available," Bitdefender wrote in its report, suggesting that they had no difficulty in accessing and analyzing Triout's entire feature set.
"This could suggest the [Triout] framework may be a work-in-progress, with developers testing features and compatibility with devices," researchers added.
There were no clues to help analysts determine if Triout was the work of a nation-state hacker or a cyber-criminal involved in some sort of economic espionage.
Nevertheless, Triout operators don't appear to have detected Bitdefender researchers sniffing around their command and control server.
"The C&C (command and control) server to which the application seems to be sending collected data appears to be operational, as of
this writing, and running since May 2018," the Romania-based antivirus firm said, suggesting that Triout campaigns are most likely going on as we speak.