A new Android spyware known as “Triout” has been found to secretly record phone conversations on infected devices and to send the recordings, along with other data, to a remote command-and-control server.
Bitdefender, a well-known cybersecurity firm, came across the Triout sample through its automated detection algorithms. On closer examination, the researchers traced the sample's upload to Russia and determined that it has been around since May 2018.
On the face of it, the app looks like an ordinary utility, but it has been turned into a tool that steals data without the user's knowledge.
Triout only targets Android devices; devices running other operating systems are not affected.
Capabilities of Triout
Bitdefender also investigated how the spyware operates and what damage it can do.
Here are the main findings:
- Triout records practically every voice call, incoming and outgoing, and saves each one as a media file.
- The recording is then uploaded to the command-and-control server together with the caller ID (the server-side scripts that receive the uploads are incall3.php and outcall3.php).
- SMS messages are transmitted as well, together with the sender's details (to the script3.php endpoint).
- It also sends the complete call log, read from the content://call_log/calls content provider, including the contact name, number, date, call type and duration.
- Pictures taken with either the front (selfie) camera or the rear camera are forwarded to the remote operators.
- The app can also send the device's GPS coordinates.
All of this runs in the background; the user of the phone gets no indication that it is happening, because the app hides its activity.
Some More Information on Triout
Bitdefender explained in its report that Triout is hidden inside a repackaged app called SexGameForAdults.
As mentioned, the malware was first seen on May 15, 2018, when it was uploaded to VirusTotal, a service that scans submitted files and URLs with dozens of antivirus engines and shows what each engine detects.
Interestingly, most of the scans and reports come from Israel, even though the sample was uploaded from Russia.
It is also reported that the original app was removed from the Google Play Store back in 2016, possibly after Google received complaints.
There is no explanation of how it found its way back to the store or how the spyware was injected. What is clear is that the malware-laden app is not the original: it is a repackaged copy that the attackers modified.
Hackers Using It to Experiment?
The Bitdefender team also suspects that the individual or group behind the spyware has not finished developing it and may be running it as a trial.
The reason is the complete absence of obfuscation, which malware of this kind almost always uses. The team found that once the APK is unpacked, the decompiled code is fully readable.
Even so, a user will not be able to easily tell the original app from the altered one.
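The two observations above (the capability list with its named C2 scripts and content-provider URI, and the lack of obfuscation) can be turned into a quick static triage of an unpacked APK. The script below is an added example written for this page; it is not Bitdefender's tooling and not code from Triout. It assumes the analyst has already unpacked the APK with a tool such as apktool or jadx and can hand it two lists: the <uses-permission> names from AndroidManifest.xml and a string/class-name dump of the decompiled code. The permission-to-capability mapping is ordinary Android knowledge rather than something the report lists, and every sample input at the bottom is constructed for the example.

```python
"""Static triage of an unpacked Android APK for Triout-style spyware indicators.

Added example, not Bitdefender's code and not code from the malware. Inputs are
assumed to come from apktool/jadx output; the sample inputs below are constructed.
"""
import json
import re

# Capabilities from the Bitdefender write-up, mapped to the Android permissions
# each one needs (standard Android knowledge, assumed here) and to the strings
# the write-up actually names (C2 endpoint scripts, call-log content URI).
CAPABILITY_PROFILE = {
    "call recording": {
        "permissions": {"android.permission.RECORD_AUDIO",
                        "android.permission.READ_PHONE_STATE"},
        "strings": {"incall3.php", "outcall3.php"},
    },
    "SMS exfiltration": {
        "permissions": {"android.permission.READ_SMS",
                        "android.permission.RECEIVE_SMS"},
        "strings": {"script3.php"},
    },
    "call log exfiltration": {
        "permissions": {"android.permission.READ_CALL_LOG"},
        "strings": {"content://call_log/calls"},
    },
    "camera capture": {
        "permissions": {"android.permission.CAMERA"},
        "strings": set(),  # the report names no string indicator for this
    },
    "location tracking": {
        "permissions": {"android.permission.ACCESS_FINE_LOCATION",
                        "android.permission.ACCESS_COARSE_LOCATION"},
        "strings": set(),
    },
}
EXFIL_PERMISSION = "android.permission.INTERNET"
C2_SCRIPT_RE = re.compile(r"(?:https?://[^\s\"']+/)?(?:incall3|outcall3|script3)\.php")


def profile_capabilities(permissions, strings):
    """Return {capability: evidence} for each capability the app is permitted to
    use and, where the report names an indicator string, actually references."""
    perms = set(permissions)
    found = {}
    for name, need in CAPABILITY_PROFILE.items():
        granted = perms & need["permissions"]
        if not granted:
            continue
        hits = {s for s in strings if any(ind in s for ind in need["strings"])}
        if need["strings"] and not hits:
            continue  # permission alone is noisy; require the named indicator
        found[name] = {"permissions": sorted(granted), "indicators": sorted(hits)}
    return found


def c2_endpoints(strings):
    """Collect URLs or bare paths ending in the endpoint scripts named in the report."""
    return sorted({m.group(0) for s in strings for m in C2_SCRIPT_RE.finditer(s)})


def obfuscation_ratio(class_names):
    """Fraction of classes whose simple name looks renamed by ProGuard-style
    obfuscation (one or two lowercase letters). Near 0 means readable code."""
    if not class_names:
        return 0.0
    simple = [c.rsplit(".", 1)[-1] for c in class_names]
    renamed = sum(1 for s in simple if re.fullmatch(r"[a-z]{1,2}", s))
    return renamed / len(simple)


def triage(permissions, strings, class_names):
    """Combine the checks into one verdict dictionary."""
    caps = profile_capabilities(permissions, strings)
    can_exfil = EXFIL_PERMISSION in set(permissions)
    return {
        "capabilities": caps,
        "can_exfiltrate": can_exfil,
        "c2_endpoints": c2_endpoints(strings),
        "obfuscation_ratio": round(obfuscation_ratio(class_names), 2),
        # Heuristic threshold (assumed): three surveillance capabilities plus network access.
        "spyware_like": len(caps) >= 3 and can_exfil,
    }


# Constructed sample inputs, not taken from a real Triout sample.
SAMPLE_PERMISSIONS = [
    "android.permission.INTERNET", "android.permission.RECORD_AUDIO",
    "android.permission.READ_PHONE_STATE", "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG", "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION",
]
SAMPLE_STRINGS = [
    "http://example.invalid/incall3.php", "http://example.invalid/outcall3.php",
    "script3.php", "content://call_log/calls", "Camera.open",
]
SAMPLE_CLASSES = [
    "com.example.game.MainActivity", "com.example.game.CallRecorder",
    "com.example.game.SmsReceiver", "com.example.game.Uploader", "a.b.c",
]

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_PERMISSIONS, SAMPLE_STRINGS, SAMPLE_CLASSES), indent=2))
```

Permissions on their own are a weak signal, since plenty of legitimate apps ask for the camera or location; what makes the profile specific to this family is the combination with the endpoint scripts and the call-log URI that the report names, which is why `profile_capabilities` refuses to count a capability whose named indicator is absent. A low `obfuscation_ratio` on a sample that otherwise scores as spyware is the "unfinished or trial" signal the Bitdefender team described.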
Guesses on Who the Culprit Is
The next logical step is to find out who is behind this espionage activity and who operates the command-and-control server, wherever it is.
One assessment suspects a well-resourced group, since processing recorded calls and messages in many different languages would require considerable infrastructure. A motive, of course, still has to be established.
Whatever the background and motive behind Triout, you can avoid it by protecting your device: install apps only from the official store, check the permissions an app requests (a game has no reason to read your SMS or call log) and stay away from suspicious downloads.