Android 'Triout' spyware with extensive surveillance capabilities unearthed by Bitdefender

Spyware lurking in adulterated sex games app may still be in development

Security researchers have identified a new strain of Android spyware in the wild that's capable of recording most interactions on an infected phone and sending them to a command and control centre.

The researchers at security vendor Bitdefender say the malware, dubbed Triout, was first reported to the VirusTotal site on May 15 apparently by somebody located in Russia, and that subsequent reports and scans appear to come mostly from Israel. The command and control (C&C) servers to which the malware sends information also seem to have been operational since May.

The malware comes bundled with an adulterated version of an Android app called SexGameForAdults. The original version of this app was available in Google Play until 2016, after which it was removed.

"It's unclear how the tainted sample is disseminated," notes Bitdefender in a blog post. "Third-party marketplaces or some other attacker-controlled domains are likely used to host the sample."

The spyware features extensive surveillance capabilities. For example, it automatically sends the following information from the victim's device to the C&C:

The malware also has the ability to hide itself. However, at present the tainted code, which comes in a package called 208822308.apk, is readable, Bitdefender notes, suggesting that it may be an experimental version.

"What's striking about [the] sample is that it's completely unobfuscated, meaning that simply by unpacking the .apk file, full access to the source code becomes available. This could suggest the framework may be a work-in-progress, with developers testing features and compatibility with devices," the company says.

With the exception of the malicious payload, the tainted version of the app is indistinguishable from the real thing, both in terms of the code and the functionality, "potentially so as not to arouse any suspicion from its victim".

Earlier this year security vendor Kaspersky claimed it had uncovered "the world's most powerful Android spyware" which it traced back to an Italian vendor called Negg.