A powerful form of Android malware with spy capabilities has re-emerged with new tactics — this time masquerading as a popular online privacy application to trick users into downloading it.
First uncovered in August last year, Triout malware collects vast amounts of information about victims by recording phone calls, monitoring text communications, stealing photos, taking photos, and even collecting GPS information from the device, allowing the user's location to be tracked.
The campaign has been active since May last year, with users previously duped into downloading the malware with a fake version of an adult app — but now those behind Triout have altered their tactics, distributing the malware with a re-purposed version of a legitimate privacy tool that has been ripped from the Google Play store.
Now Triout is being hidden in a phony version of Psiphon, a privacy tool that is designed to help users bypass censorship on the internet. Psiphon is particularly focused towards aiding users living under repressive regimes and its services have been downloaded millions of times — the version available in the official Google Play store boasts over 10 million installations.
The tool can also be downloaded from third-party sites, especially in places that don't have access to Google Play, and it's this, combined with the function and popularity of Psiphon, which is likely to have made it an appealing lure for the hacking operation behind Triout.
Those behind Triout have been careful to make sure the phony version of Psiphone looks and acts in the same way as the real thing, so they can conduct the campaign without raising the suspicion of victims.
The updated Triout follows in the footsteps of the initial campaign, appearing to very selective when targeting victims. Researchers uncovered the malware running on seven devices, with five of those in South Korea and Germany. Previous campaigns appeared to focus on Israel.
It's still uncertain how the attackers ensure that their selected victims are duped into downloading the malware, but it potentially involves spear-phishing.
"Whether they used social engineering techniques to trick the victims into installing the app from third-party marketplaces or prepared an online campaign directly targeted at a limited number of users, it's uncertain at this point how victims have been selected, targeted, and infected," Liviu Arsene, senior e-threat analyst at Bitdefender told ZDNet.
It isn't just the lure which has changed — researchers note that the command and control server the attackers use to extract data from compromised devices has changed to an IP address in France. In addition to this, previously analysed samples of Triout had been submitted from Russia, while the latest version has been uploaded from the US.
This subterfuge around the origin of the malware means it still isn't possible to identify the origin of the campaign or the group behind it, but what is certain is that Triout remains an extremely powerful hacking tool that provide attackers with vast amounts of information.
"It's a potent piece of malware that has been purposely developed for espionage," said Arsene.
Researchers believe that the campaign is still active and recommended users do all they can to steer clear of malware threats by keeping their Android operating system up to date and to only install apps from official sources where possible.