Back to Blog

Android ‘Triout’ spyware records calls, sends photos and text messages to attackers

August 28, 2018

By: Ms. Smith

Triout, a creepy Android spyware identified by Bitdefender researchers, can secretly snap photos and videos, record phone calls, log text messages and keep track of victims’ locations. The spyware framework’s extensive surveillance capabilities that can be bundled into benign apps make it likely that it is part of an espionage campaign.

The malicious app contains the same code and functionality as the original app as well as the malicious payload. Perhaps there were a lot of people in Israel looking to spice up their love lives because that is where most the Triout-infected ‘Sex Game’ (SexGameForAdults) apps were detected. The first malware sample, however, was originally submitted to VirusTotal from Russia on May 15, 2018.

Triout was detected by Bitdefender’s machine learning algorithms. Bitdefender researchers suspect the Triout spyware is being hosted on attacker-controlled domains or third-party marketplaces. The firm suspects it is being used for an espionage campaign, but does not know what group or nation is behind it.

The spyware capabilities include:

  • Recording every phone call as a media file and sending it along with the call date, call duration and the caller ID to a C&C server.
  • Logging every incoming text message and sending it to the C&C.
  • Taking photos with the front and rear cameras and sending those to the C&C server; the camera capture was described as “one of the more disturbing features” by Bitdefender.
  • Logging GPS coordinates and sending the tracked data to the C&C.
  • The Android spyware can also hide itself from the user.

Despite all those advanced spying features, the most striking thing about the sample, according to Bitdefender’s whitepaper (pdf), “is that it’s completely unobfuscated, meaning that simply by unpacking the .apk file, full access to the source code becomes available. This could suggest the framework may be a work-in-progress, with developers testing features and compatibility with devices.” The C&C server, a single, hardcoded IP address, to which the app sends the collected data has been operational since May.

More: https://www-csoonline-com.cdn.ampproject.org/

Contact us

Safety is essential to your decision making. We are sure that our team can clarify any doubts. After all, we understand security.

contact@sikur.com

Follow us

Try SIKUR





Contact Us
First Name*
Last Name*
E-mail*
Mobile Number*
Company*
Country*
Tell us what do you need* ?
Products: Hold CTRL+Click to add more than 1.* ?
Comments
I agree to the Privacy Policy and Terms of Service.