A powerful form of Android malware with spy capabilities has re-emerged with new tactics — this time masquerading as a popular online privacy application to trick users into downloading it.
First uncovered in August last year, Triout malware collects vast amounts of information about victims by recording phone calls, monitoring text communications, stealing photos, taking photos, and even collecting GPS information from the device, allowing the user's location to be tracked.
The campaign has been active since May last year, with users previously duped into downloading the malware with a fake version of an adult app — but now those behind Triout have altered their tactics, distributing the malware with a re-purposed version of a legitimate privacy tool that has been ripped from the Google Play store.
This new means of distributing Triout has been detailed by researchers at security company Bitdefender, who were also responsible for first uncovering the malware last year.
Now Triout is being hidden in a phony version of Psiphon, a privacy tool that is designed to help users bypass censorship on the internet. Psiphon is particularly focused towards aiding users living under repressive regimes and its services have been downloaded millions of times — the version available in the official Google Play store boasts over 10 million installations.
The tool can also be downloaded from third-party sites, especially in places that don't have access to Google Play, and it's this, combined with the function and popularity of Psiphon, which is likely to have made it an appealing lure for the hacking operation behind Triout.
Those behind Triout have been careful to make sure the phony version of Psiphon looks and acts in the same way as the real thing, so they can conduct the campaign without raising the suspicion of victims.
The malicious version of the app (left) compared with the real version (right).