The report was published by a group of security researchers at Bitdefender, who identified a new, fully featured strain of Android spyware they call “Triout.”
Although they discovered the malware only a month ago, the report points to indications that it has been in use since at least mid-May of this year.
Among other things, it can:
- Steal call log data
- Collect and steal SMS messages
- Record every call taking place on the phone
- Upload recordings of those calls to a remote server
- Send the phone’s GPS coordinates to a remote server
- Upload a copy of every picture taken with the phone’s camera to a remote server
- Hide from the user’s view
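As an added example (not from the article or from Bitdefender's report), the following Python script does the first check a practitioner would run on a suspicious APK after reading a capability list like the one above: decode the manifest (for instance with `apktool d suspect.apk`, which writes a readable `AndroidManifest.xml`) and see whether the app declares the permissions those capabilities require. The two manifests and their package names are constructed for this example; the permission constants are standard Android ones, while the capability-to-permission mapping and the "three or more surveillance capabilities plus network access" threshold are this example's own heuristics.

```python
# Added example, not code from the article or from Bitdefender.
# Triage a decoded AndroidManifest.xml for the permission set an app would
# need in order to do what the Triout report attributes to the malware.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS  # android:name in Clark notation

# Capability labels mirror the article's list. Each maps to the standard
# Android permission(s) an app must declare to perform it; any one of the
# set counts. (Mapping is this example's heuristic, not Bitdefender's.)
CAPABILITY_PERMISSIONS = {
    "steal call logs": {"android.permission.READ_CALL_LOG"},
    "steal SMS messages": {"android.permission.READ_SMS",
                           "android.permission.RECEIVE_SMS"},
    "record calls": {"android.permission.RECORD_AUDIO"},
    "report GPS position": {"android.permission.ACCESS_FINE_LOCATION",
                            "android.permission.ACCESS_COARSE_LOCATION"},
    "exfiltrate photos": {"android.permission.CAMERA",
                          "android.permission.READ_EXTERNAL_STORAGE"},
    "talk to a remote server": {"android.permission.INTERNET"},
}

# INTERNET alone is not evidence of anything; the other entries are the
# surveillance capabilities whose combination is the actual signal.
SURVEILLANCE = {c for c in CAPABILITY_PERMISSIONS if c != "talk to a remote server"}

# Constructed sample: a repackaged game asking for the full spyware set.
SPYWARE_LIKE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.cloned.game">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <application android:label="Game">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>"""

# Constructed sample: a flashlight app that needs CAMERA for the LED and
# INTERNET for ads. One sensitive permission is not a surveillance pattern.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <application android:label="Flashlight">
        <activity android:name=".TorchActivity"/>
    </application>
</manifest>"""


def declared_permissions(manifest_xml):
    """Return the set of android:name values on <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission")
            if el.get(NAME_ATTR)}


def matched_capabilities(permissions):
    """Map each capability to the declared permissions that enable it."""
    return {cap: perms & permissions
            for cap, perms in CAPABILITY_PERMISSIONS.items()
            if perms & permissions}


def triage(manifest_xml, threshold=3):
    """Flag a manifest when it can both surveil and phone home.

    Heuristic: at least `threshold` surveillance capabilities AND a way to
    exfiltrate (INTERNET). Permissions only say what the app MAY do, so this
    is a triage hint, not a verdict.
    """
    root = ET.fromstring(manifest_xml)
    perms = declared_permissions(manifest_xml)
    caps = matched_capabilities(perms)
    surveillance_hits = sorted(c for c in caps if c in SURVEILLANCE)
    return {
        "package": root.get("package"),
        "permissions": sorted(perms),
        "surveillance_capabilities": surveillance_hits,
        "can_exfiltrate": "talk to a remote server" in caps,
        "suspicious": len(surveillance_hits) >= threshold
                      and "talk to a remote server" in caps,
    }


if __name__ == "__main__":
    for manifest in (SPYWARE_LIKE_MANIFEST, BENIGN_MANIFEST):
        result = triage(manifest)
        print(result["package"], "suspicious" if result["suspicious"] else "ok",
              result["surveillance_capabilities"])
```

Two caveats belong with this check. A repackaged legitimate app may already hold some of these permissions for honest reasons, so the combination matters more than any single entry; and since Android 6 most of them are granted at runtime, so a declared permission is a capability the app can ask for, not proof that it was used. Confirming that a sample actually records calls or uploads photos still requires decompiling the code or observing the device.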
Pulling this off reliably across devices requires detailed knowledge of the Android OS. Malware of this type is typically the work of nation-state actors with deep pockets or of well-funded cybercrime networks; at this point there is no clear indication which category Triout’s creators fall into.
The malware has been found repackaged inside a cloned copy of a legitimate app, but the team has been unable to trace it back to its origin. The first sample was uploaded to VirusTotal from Russia and subsequent samples from an Israeli IP address, which tells you where the samples were submitted from, not necessarily where the operators are.
The researchers note that despite its advanced feature set, the group responsible appears to have made a mistake: the code is not obfuscated. Unpacking an APK yields the app’s Dalvik bytecode (classes.dex), and without obfuscation that bytecode decompiles into readable Java with standard tools, leaving class and method names and string constants intact for anyone who looks:
“What is striking…is that it’s completely unobfuscated, meaning that simply by unpacking the cloned app’s .apk file, full access to the source code becomes available….this could suggest that the Triout framework may be a work-in-progress, with developers testing features and compatibility with devices.”