Android smartphone users have been issued a warning about a spying strain of malware discovered to have been spread via the official Google Play Store app portal.
The “extremely powerful” Triout spyware has been found in an app listed on the Google Play Store.
The Triout malware gathers records of every call a user of the Google mobile OS makes, logs of SMS messages, and every picture or video a victim takes with their phone. It can also capture the GPS coordinates of an Android user and then send these sensitive details to an attacker-controlled command-and-control server.
The nefarious software was discovered on an Android app called ‘Sex Game’ which was available in the Google Play Store in 2016.
It has since been removed from the official Android portal for apps.
Speaking to Threatpost, Bitdefender senior e-threat analyst Bogdan Botezatu said:
“I personally think [what] we are looking at is an alpha build of a bigger, more potent espionage tool.”
“While this Trojan is extremely powerful and has the ability to record and upload phone calls, as well as use cameras and make its way into the Play Store, its code was left completely unobfuscated.”
“We believe that this is a highly targeted attack against a limited set of people, most of whom are in Israel.
“We also presume that this application targets several key victims for espionage or data collection purposes.
“Since the application records phone calls and exfiltrates short messages, we believe that whoever gets the information has the ability to translate and make sense of the information collected.
“Gathering such information in a variety of languages has no real commercial value, and a local team of attackers should be fluent in dozens of languages to obtain valuable information.”
In a technical analysis [PDF] of the code published Wednesday, researchers noted:
“It’s interesting that Triout, which is detected by Bitdefender’s machine-learning algorithms, was first submitted from Russia, and most scans/reports came from Israel. The sample’s first appearance seems to be May 15, 2018, when it was uploaded to VirusTotal, but it’s unclear how the tainted sample is disseminated. Third-party marketplaces or some other attacker-controlled domains are likely used to host the sample.”
“The malware application is almost identical to the original app, both in code and functionality, except for the malicious payload,” according to Bitdefender. “Starting from the app’s icon to the in-app screens, the malicious version seems to keep all original functionality, potentially so as not to arouse any suspicion from its victim.”
Since the app has been removed from the Play Store, Botezatu says it can no longer be tracked, and he thinks the malware is just the beginning.
Last month some 150 APK files were discovered to have been contaminated with code designed to run on Windows OS. The apps have since been removed from the Play Store.