Security researchers have discovered a new version of the Android malware Triout disguised as a popular online privacy application.
The attackers repackaged Psiphon, a privacy tool designed to bypass censored or blocked websites by routing traffic through a series of proxies, to deliver the malware. The legitimate application has over 50 million installations and over 1 million reviews in the Google Play Store.
The tampered app was not distributed through the official Google Play Store but through third-party stores. The app was also found bundled with three adware components – Google Ads, Inmobi Ads and Mopub Ads – to generate some revenue.
The malware was discovered by the security researchers at Bitdefender and contains massive surveillance capabilities.
The malware is capable of recording phone calls, logging incoming messages, recording videos, taking pictures and even collecting the GPS coordinates of the device.
Both the tampered and legitimate
According to researchers, the current version of the legitimate app is v241 and the tampered app seems to be using the v91 version of the original application.
The attackers also changed the C&C server to which the collected information is sent for the new version. The new C&C server is still operational and points to a French website (“magicdeal.fr”).
The new version of Triout malware was discovered October 11th 2018 and has been active from May 2nd 2018 all through December 7th 2018.
During analysis, the researchers found the malware running on seven devices, five of them in South Korea and two in Germany.
“The proliferation of Android devices has renewed interest from threat actors in developing malware and spyware frameworks. The ubiquity of these devices in our daily lives, the level of information they can access, and the amount of sensors they’re equipped with (e.g. camera, microphone, GPS, etc.) turn them into the perfect spies if weaponized by malware,” the researchers said in their published post.