Security researchers at Bitdefender have identified a new Android malware, dubbed Triout, which disguises itself as a popular app, according to a blog post published last Thursday (Feb. 7th).
The app used to deliver the malware, known as Psiphon and packaged as com.psiphon3, is designed to bypass censorship and reach blocked websites by leveraging a series of proxies. The app has over 50 million installations and over 1 million reviews in the Google Play Store.
The tampered app was not distributed via the official Google Play Store, but was found on third-party app stores, Bitdefender said.
The app comes bundled with three adware components – Google Ads, Inmobi Ads, Mopub Ads – to generate “some revenue on the side for threat actors”.
The Triout malware can record phone calls, log incoming text messages, record videos, take pictures, and collect GPS coordinates, said Liviu Arsene, the author of the report.
Both the fake and the original app share the same user interface and functionalities, meaning that attackers only “focused on adding the spyware to avoid raising any suspicion”.
The tampered version seems to have used “the v91 version of the original application when distributing the Triout spyware,” researchers said. “The current version of the legitimate app – at the time of writing – is v241”.
In the new version of the app, the cybercriminals also changed the C&C server to which the collected information is sent.
“The new C&C IP address (“220.127.116.11”) is still operational at the time of writing and seems to point to a French website (“magicdeal.fr”) that displays deals and discounts for various products,” Arsene said.
“It is currently unknown whether the website is a decoy or a legitimate website that the threat actors compromised to use as a C&C server,” the researcher added.
The new tampered version was discovered on 11th October 2018 and was active from May to December of last year, with at least seven devices infected, including five in South Korea and two in Germany. Previous campaigns appeared to focus on Israel.
“The proliferation of Android devices has renewed interest from threat actors in developing malware and spyware frameworks,” Arsene said.
“The ubiquity of these devices in our daily lives, the level of information they can access, and the amount of sensors they’re equipped with (e.g. camera, microphone, GPS, etc.) turn them into the perfect spies if weaponised by malware,” he added.
“While the Triout Android spyware framework itself does not seem to have undergone changes in terms of code or capabilities, the fact that new samples are emerging and that threat actors are using extremely popular apps to bundle the malware may herald more incidents such as this in the near future.”