Security researchers have uncovered a new, powerful Android malware framework that is being used by cybercriminals to turn legitimate apps into spyware with extensive surveillance capabilities—as part of what seems to be a targeted espionage campaign.

Legitimate Android applications, when bundled with the malware framework, dubbed Triout, gain the ability to spy on infected devices by recording phone calls, monitoring text messages, secretly stealing photos and videos, and collecting location data, all without the user's knowledge.

The strain of Triout-based spyware apps was first spotted by security researchers at Bitdefender on May 15, when a sample of the malware was uploaded to VirusTotal by somebody located in Russia, although most of the scans came from Israel.

In a white paper (PDF) published Monday, Bitdefender researcher Cristofor Ochinca said the malware sample they analyzed was packaged inside a malicious version of an Android app that was available on Google Play in 2016 but has since been removed.

The malware is extremely stealthy: the repackaged version of the Android app keeps the look and feel of the original and functions exactly like it (in this case, the researcher analyzed an adult app called 'Sex Game') in order to trick its victims.

In reality, however, the app contains a malicious Triout payload with powerful surveillance capabilities that steals data on users and sends it back to an attacker-controlled command and control (C&C) server.

According to the researcher, Triout can perform many spying operations once it compromises a device, including:

  • Recording every phone call, saving it in the form of a media file, and then sending it together with the caller id to a remote C&C server.
  • Logging every incoming SMS message to the remote C&C server.
  • Sending all call logs (with name, number, date, type, and duration) to the C&C server.
  • Sending every picture and video to the attackers whenever the user snaps a photo or records a video, with either the front or rear camera.
  • The ability to hide itself on the infected device.

Despite its powerful capabilities, the researchers found that the malware uses no obfuscation, which gave them full access to its source code by merely unpacking the APK file, and suggests the malware is a work in progress.

"This could suggest the framework may be a work-in-progress, with developers testing features and compatibility with devices," Ochinca said.
"The C&C (command and control) server to which the application seems to be sending collected data appears to be operational, as of this writing, and running since May 2018."

Although the researchers were unable to determine how this repackaged version of the legitimate app was being distributed or how many times it was successfully installed, they believe the malicious app was delivered to victims either through third-party app stores or through other attacker-controlled domains likely used to host the malware.

Ochinca explains that the analyzed Triout sample was still signed with an authentic Google Debug Certificate.

At this time, no evidence points to who the attackers are or where they are from, but one thing is clear: the attackers are highly skilled and well resourced enough to develop a sophisticated spyware framework.

The best way to avoid falling victim to such malicious apps is to always download apps from trusted sources, like the Google Play Store, and to stick to verified developers.

Most importantly, think twice before granting any app permission to read your messages, access your call logs or GPS coordinates, or collect any other data from the device's sensors.
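As an added example that is not part of the article or of Bitdefender's analysis, the following Python triage script ties the capability list above to the permissions advice: it parses a decoded AndroidManifest.xml (the text form a tool such as apktool produces) and maps the requested permissions onto the surveillance behaviours described for Triout (call recording, SMS logging, call-log collection, camera capture, location tracking, plus network access to reach a C&C server). Both sample manifests are constructed for this example, not taken from the real app, and the permission-to-capability grouping and the verdict thresholds are this example's own assumptions.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Set

# Android attribute namespace used for android:name in the manifest.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Map each surveillance behaviour the article attributes to Triout onto the
# permissions an app must hold to perform it. This grouping is an assumption
# made for the example; it is not taken from the Bitdefender white paper.
CAPABILITY_PERMISSIONS: Dict[str, Set[str]] = {
    "call recording": {"android.permission.RECORD_AUDIO",
                       "android.permission.READ_PHONE_STATE"},
    "SMS logging": {"android.permission.READ_SMS",
                    "android.permission.RECEIVE_SMS"},
    "call-log collection": {"android.permission.READ_CALL_LOG"},
    "photo/video capture": {"android.permission.CAMERA"},
    "location tracking": {"android.permission.ACCESS_FINE_LOCATION",
                          "android.permission.ACCESS_COARSE_LOCATION"},
    "network exfiltration": {"android.permission.INTERNET"},
}


def declared_permissions(manifest_xml: str) -> Set[str]:
    """Collect every android:name from <uses-permission> in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission")
            if el.get(NAME_ATTR)}


def surveillance_capabilities(manifest_xml: str) -> Dict[str, Set[str]]:
    """Return each capability group the declared permissions would enable,
    together with the permissions that triggered it."""
    perms = declared_permissions(manifest_xml)
    return {cap: perms & needed
            for cap, needed in CAPABILITY_PERMISSIONS.items()
            if perms & needed}


def risk_verdict(manifest_xml: str) -> str:
    """HIGH when the app can collect on three or more channels and also reach
    the network; MEDIUM when it can collect on at least one; LOW otherwise.
    The thresholds are an assumption chosen for this example."""
    caps = surveillance_capabilities(manifest_xml)
    collectors = [c for c in caps if c != "network exfiltration"]
    if len(collectors) >= 3 and "network exfiltration" in caps:
        return "HIGH"
    if collectors:
        return "MEDIUM"
    return "LOW"


# Constructed sample: a decoded manifest for a "game" that requests the full
# set of permissions the spyware behaviours need. Not a real application.
SPYWARE_GAME_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="Game"/>
</manifest>
"""

# Constructed sample: the permissions a plain offline game plausibly needs.
BENIGN_GAME_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.othergame">
  <uses-permission android:name="android.permission.VIBRATE"/>
  <application android:label="Other Game"/>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("spyware-like", SPYWARE_GAME_MANIFEST),
                            ("benign", BENIGN_GAME_MANIFEST)):
        caps = surveillance_capabilities(manifest)
        print(label, risk_verdict(manifest), sorted(caps))
```

A manifest only declares the ceiling of what an app may do; on modern Android the user still grants the dangerous permissions at runtime, and a well-behaved app can legitimately ask for several of them. Treat a HIGH verdict as a reason to look further (who signed the APK, where it was downloaded from, whether the permissions fit the app's stated purpose) rather than as proof of spyware.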