Posted on August 23, 2018 at 2:18 PM
Android malware threats continue with the latest discovery by Bitdefender researchers. According to their report, a new piece of malicious software called Triout has all the capabilities of fully fledged spyware and can steal data from users' devices.
New spyware detected
A new piece of malware, spotted only a month ago and dubbed Triout, comes equipped with the full capabilities of spyware. Researchers say it can record phone calls, track location, and even steal images from Android phones.
Although the spyware was only noticed a month ago, its activity has been traced back to mid-May: that is when the first sample was uploaded to VirusTotal, a site that aggregates scan results from many antivirus engines.
Furthermore, the report says that Triout operates under cover, disguised as a legitimate app. Despite their best efforts, however, the researchers were unable to determine how it is distributed. For now, their guess is that it spreads through third-party app stores frequented by Android users, or through app-sharing forums, which are also popular in some parts of the world.
What they did manage to determine is that the first upload of the sample came from Russia, while several later uploads came from IP addresses in Israel.
Triout is very capable
From everything the researchers have gathered, this malware is not to be underestimated: it is capable and well built. Its numerous advanced features are described in a 16-page white paper published by Bitdefender.
According to the white paper, Triout can record every phone call and upload the recording to a remote server, and it can also exfiltrate call logs, SMS messages, GPS coordinates, and even images stored on the device. It does all of this discreetly, hiding its presence from the user and avoiding detection.
Building all of this requires solid knowledge of Android internals, which points to experienced cybercriminals or a state-backed group rather than a hobbyist.
Despite these advanced features, the researchers think the malware's creators still made one mistake: the spyware is entirely unobfuscated. The code was never run through an obfuscator (ProGuard is the standard one for Android), so the decompiled bytecode keeps its original class, method, and variable names. That let the researchers 'open it up' and analyze its feature set and inner workings with little effort. Because of this, they believe the malware may not be finished and that its current activity is only a test.
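The capabilities listed above and the missing obfuscation are both things an analyst can check statically before running a sample. The Python below is an added example written for this page, not Bitdefender's code or anything taken from the Triout sample: it maps the permissions requested in a constructed AndroidManifest.xml to the spyware capabilities the report describes, and applies a simple class-name heuristic to a decompiled class list to estimate whether the APK went through an obfuscator. The manifest, the package name and the class lists are made up for the example; the permission names are the real Android ones, and the pairing of RECORD_AUDIO with READ_PHONE_STATE for call recording is an assumption of the example.

```python
"""Static triage of an Android sample (added example, not from the Triout report).

1. Map <uses-permission> entries in AndroidManifest.xml to the spyware
   capabilities described for Triout.
2. Estimate from decompiled class names whether the APK was obfuscated.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability -> Android permissions the app must hold to do it. A capability is
# reported only when every permission in its set is requested. Requiring
# READ_PHONE_STATE alongside RECORD_AUDIO (to notice when a call starts) is
# this example's assumption about how call recording is implemented.
CAPABILITY_PERMISSIONS = {
    "record phone calls": {"android.permission.RECORD_AUDIO",
                           "android.permission.READ_PHONE_STATE"},
    "read call logs": {"android.permission.READ_CALL_LOG"},
    "read SMS": {"android.permission.READ_SMS"},
    "track GPS location": {"android.permission.ACCESS_FINE_LOCATION"},
    "read stored images": {"android.permission.READ_EXTERNAL_STORAGE"},
    "upload to remote server": {"android.permission.INTERNET"},
}

# Constructed manifest standing in for a repackaged "photo" app; not Triout's.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.photoapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application android:label="Photo App"/>
</manifest>
"""

# Constructed decompiled class lists. Obfuscators such as ProGuard rename
# classes to one- or two-letter names but must keep names referenced from the
# manifest (activities, receivers), so a few readable names survive.
READABLE_CLASSES = [
    "com.example.photoapp.MainActivity",
    "com.example.photoapp.CallRecorder",
    "com.example.photoapp.SmsReceiver",
    "com.example.photoapp.Uploader",
]
OBFUSCATED_CLASSES = ["a.a.a", "a.a.b", "a.b.c", "com.example.photoapp.MainActivity"]


def requested_permissions(manifest_xml):
    """Return the set of permission names the manifest requests."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def reachable_capabilities(perms):
    """Capabilities whose full permission set is requested, sorted for stable output."""
    return sorted(cap for cap, needed in CAPABILITY_PERMISSIONS.items() if needed <= perms)


_SHORT_NAME = re.compile(r"^[a-z]{1,2}$")


def obfuscation_ratio(class_names):
    """Fraction of classes whose simple name is one or two lowercase letters."""
    if not class_names:
        return 0.0
    short = sum(1 for name in class_names if _SHORT_NAME.match(name.rsplit(".", 1)[-1]))
    return short / len(class_names)


def triage(manifest_xml, class_names, obfuscation_threshold=0.5):
    """One-shot summary an analyst can log for a sample."""
    ratio = obfuscation_ratio(class_names)
    return {
        "capabilities": reachable_capabilities(requested_permissions(manifest_xml)),
        "obfuscation_ratio": ratio,
        "looks_obfuscated": ratio >= obfuscation_threshold,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, READABLE_CLASSES))
    print(triage(SAMPLE_MANIFEST, OBFUSCATED_CLASSES))
```

The permission check only says what the app could do, not what it does; a legitimate dialer requests much of the same set, so treat the result as a reason to read the decompiled code, not as a verdict. The obfuscation ratio is a coarse heuristic: a sample like the one described above, with readable names throughout, scores near zero, which is exactly what makes it quick to analyze.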
Triout command and control server remains active
So far, the researchers have been unable to determine who is behind the malware or what its purpose is. However, it seems that the malware's operators have not yet reacted to the researchers' discovery of their command and control (C&C) server.
This is the server to which the malware sends the stolen data, and the researchers were surprised to find it still active even after the malware was discovered. The server has been up and running since May of this year, and since it is still active, it is reasonable to assume the malware is still sending stolen data to it.