Android Spyware Continues to Operate

Wednesday, August 22, 2018 @ 01:08 PM gHale

Newly identified spyware can be bundled into otherwise legitimate Android applications to give its operators extensive surveillance capability, researchers said.

The malware, which Bitdefender researchers named Triout, first appeared May 15, when a sample was uploaded to VirusTotal. Although the sample was initially submitted from Russia, most of the subsequent scans came from Israel.


Triout’s command and control (C&C) server has been running since May as well, and Bitdefender researchers said it continues to operate.

The analyzed sample uses no obfuscation, which meant security researchers gained immediate access to the code simply by unpacking the APK file and decompiling its bytecode, Bitdefender’s Cristofor Ochinca said in a white paper.

“This could suggest the framework may be a work-in-progress, with developers testing features and compatibility with devices,” Ochinca said in the paper.

The spyware was discovered bundled with a repackaged application that kept the appearance and all the functionality of the original, presumably so as not to tip victims off. The malicious payload is the only thing that sets the two apart.

Once on a compromised system, Triout can start its extensive surveillance capabilities, which range from phone call recording to GPS tracking.

Ochinca said in the paper the sample was initially detected only by Bitdefender’s machine learning algorithms; a subsequent investigation revealed the spyware has the following capabilities:
• Records every phone call (the conversation itself, as a media file), then sends it together with the caller ID to the C&C (incall3.php and outcall3.php)
• Logs every incoming SMS message (SMS body and SMS sender) to the C&C (script3.php)
• Has the capability to hide itself
• Can send all call logs (“content://call_log/calls”, info: callname, callnum, calldate, calltype, callduration) to the C&C (calllog.php)
• Whenever the user snaps a picture, either with the front or rear camera, it gets sent to the C&C (uppc.php, finpic.php or reqpic.php)
• Can send GPS coordinates to the C&C (gps3.php)
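Because the sample is unobfuscated, the endpoint names and content URI listed above survive as plain strings inside the APK, which makes a cheap static triage check possible. The script below is an added example written for this article, not Bitdefender’s tooling or anything from the Triout paper: it treats an APK as the zip archive it is, searches every member for the indicators quoted in the capability list, and returns a verdict. The indicator strings come from the article; the Android permission names are an assumption about what the described behaviour would require (the paper as summarized here does not list permissions), and the sample APKs are constructed in memory for the demonstration. DEX string tables are MUTF-8, so the endpoint names appear as ASCII, while the compiled AndroidManifest.xml stores strings as UTF-16LE, so each indicator is checked in both encodings.

```python
"""Static triage of an APK for the Triout indicators quoted in the article.

Added example, not Bitdefender's tooling. Assumes a standard APK layout
(a zip containing classes*.dex and a compiled AndroidManifest.xml).
"""
import io
import zipfile

# Indicators taken directly from the capability list in the article.
CNC_ENDPOINTS = [
    "incall3.php", "outcall3.php", "script3.php", "calllog.php",
    "uppc.php", "finpic.php", "reqpic.php", "gps3.php",
]
CONTENT_URIS = ["content://call_log/calls"]

# Assumption: standard Android permission names the listed behaviours
# (call recording, SMS interception, call-log and GPS access) would need.
# The article does not list the sample's permissions.
PERMISSIONS = [
    "android.permission.RECORD_AUDIO",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.ACCESS_FINE_LOCATION",
]

INDICATORS = CNC_ENDPOINTS + CONTENT_URIS + PERMISSIONS


def find_indicators(data: bytes) -> set:
    """Return the indicators present in a blob, in ASCII or UTF-16LE form.

    DEX string data is MUTF-8 (ASCII for these values); the binary
    manifest stores its string pool as UTF-16LE, so both are checked.
    """
    found = set()
    for ind in INDICATORS:
        if ind.encode("ascii") in data or ind.encode("utf-16-le") in data:
            found.add(ind)
    return found


def scan_apk(apk_bytes: bytes) -> dict:
    """Map each APK member name to the sorted list of indicators found in it.

    The zip is read from memory so the function works equally on a file
    read from disk or on bytes pulled straight from a sandbox.
    """
    hits = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            found = find_indicators(zf.read(info))
            if found:
                hits[info.filename] = sorted(found)
    return hits


def verdict(hits: dict) -> str:
    """Triage rule: two or more distinct C&C endpoint names inside any DEX
    member is treated as a match for this family; any other indicator hit
    is 'suspicious'; nothing found is 'clean'."""
    all_found = {i for found in hits.values() for i in found}
    endpoints_in_dex = {
        i for name, found in hits.items() if name.endswith(".dex")
        for i in found if i in CNC_ENDPOINTS
    }
    if len(endpoints_in_dex) >= 2:
        return "triout-like"
    return "suspicious" if all_found else "clean"


def build_sample_apk(with_payload: bool) -> bytes:
    """Construct a minimal APK-shaped zip in memory (constructed test data,
    not a real sample). The DEX member is only a magic tag plus strings,
    which is enough to exercise the scanner."""
    manifest_strings = ["android.permission.INTERNET"]
    dex_strings = ["Lcom/example/app/MainActivity;", "onCreate"]
    if with_payload:
        manifest_strings += ["android.permission.RECORD_AUDIO",
                             "android.permission.READ_CALL_LOG"]
        dex_strings += ["content://call_log/calls",
                        "/incall3.php", "/outcall3.php", "/gps3.php"]
    # Compiled manifests keep their string pool in UTF-16LE.
    manifest = (b"\x03\x00\x08\x00"
                + "\x00".join(manifest_strings).encode("utf-16-le"))
    dex = b"dex\n035\x00" + b"\x00".join(s.encode() for s in dex_strings)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", manifest)
        zf.writestr("classes.dex", dex)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        hits = scan_apk(build_sample_apk(flag))
        print(f"payload={flag}: {verdict(hits)} {hits}")
```

Running the module scans a clean and a payload-carrying sample and prints the verdict for each; to use it on a real file, pass `open(path, "rb").read()` to `scan_apk`. A packed or obfuscated variant would defeat a string search like this, which is precisely why the paper's observation that this sample is unobfuscated matters for triage.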

Researchers still do not know how the infected application was distributed.
