Security researchers at Bitdefender have discovered a new type of Android malware framework. Dubbed ‘Triout’, it is being used by cybercriminals to spy on users through bundling with seemingly benign applications. With no real origin or distribution channels found it remains unsure exactly who is behind it.

 

More and more Android-specific malware is coming out of the woodwork and this is no exception. Bitdefender released a whitepaper detailing a newly-found Android malware framework. Dubbed Triout’, when bundled with a legitimate Android application it gains spyware capabilities: Recording phone calls, stealing pictures, reading text messages, and so on.

 

Triout hiding in plain sight

In the whitepaper Bitdefender revealed Triout samples were hidden within a clone of a legitimate application, among others. However, this wasn’t the case for all of them, with one found within the humorously named app ‘Sex Game’. While the researchers were unable to determine the exact origin of the samples the first submissions to malware-detection service Virustotal originated in Russia and Israel.

The malware itself has some stealth capabilites as it doesn’t change the appearence or functionality of the original app at all. This is most likely done not to cause any suspicion from the end-user. But, even through the stealth and advanced capabilities Bitdefender revealed a slip-up:

“What’s striking … is that it’s completely unobfuscated, meaning that simply by unpacking the .apk file, full access to the source code becomes available … This could suggest the [Triout] framework may be a work-in-progress, with developers testing features and compatibility with devices”

While the slip-up allowed for easier analysis it still isn’t clear just how the application ended up on victim’s devices, although third-party app stores or forums seem likely. Bitdefender has also been unable to shut down the Command & Control center used by the malware, which has been active since May and is still collecting data.

 

How to protect yourself

To protect yourself be wary of apps from non-trusted sources. Similarly, do not approve app permissions much higher than they need be; Your calculator does not need to access your photos. For other Android-related news see our article regarding the rapidly spreading crypto-mining Android malware ADB.Worm.