Android ‘Triout’ spyware records calls, sends photos and text messages to attackers

Triout, a creepy Android spyware identified by Bitdefender researchers, can secretly snap photos and videos, record phone calls, log text messages and keep track of victims’ locations. The spyware framework’s extensive surveillance capabilities that can be bundled into benign apps make it likely that it is part of an espionage campaign.

The malicious app contains the same code and functionality as the original app as well as the malicious payload. Perhaps there were a lot of people in Israel looking to spice up their love lives because that is where most the Triout-infected ‘Sex Game’ (SexGameForAdults) apps were detected. The first malware sample, however, was originally submitted to VirusTotal from Russia on May 15, 2018.

Triout was detected by Bitdefender’s machine learning algorithms. Bitdefender researchers suspect the Triout spyware is being hosted on attacker-controlled domains or third-party marketplaces. The firm suspects it is being used for an espionage campaign, but does not know what group or nation is behind it.

The spyware capabilities include:

• Recording every phone call as a media file and sending it along with the call date, call duration and the caller ID to a C&C server.
• Logging every incoming text message and sending it to the C&C.
• Taking photos with the front and rear cameras and sending those to the C&C server; the camera capture was described as “one of the more disturbing features” by Bitdefender.
• Logging GPS coordinates and sending the tracked data to the C&C.
• The Android spyware can also hide itself from the user.

Despite all those advanced spying features, the most striking thing about the sample, according to Bitdefender’s whitepaper (pdf), “is that it’s completely unobfuscated, meaning that simply by unpacking the .apk file, full access to the source code becomes available. This could suggest the framework may be a work-in-progress, with developers testing features and compatibility with devices.” The C&C server, a single, hardcoded IP address, to which the app sends the collected data has been operational since May.

Since the malware is capable of uploading recorded phone calls, Bogdan Botezatu, a senior analyst at Bitdefender, told ZDNet that the security firm presumes “this is an espionage campaign.” He added, “This is infeasible for a commercial actor because of the diversity of languages they would receive the calls in. Since the application records phone calls and picks short messages up, we presume that whoever gets the information has the ability to translate them and make sense of the information collected.”

Bitdefender advised users to be wary of downloading apps from anywhere but the official store as well as thinking twice about granting apps permission to read messages, access call logs and GPS coordinates or other data obtained via the Android’s sensors.