Researchers have identified a new strain of Android malware that discreetly records phone calls and GPS locations.
The Android malware, dubbed Triout, is reportedly capable of logging text messages and recording phone calls without the knowledge or permission of the phone's owner.
According to security experts, the recorded phone interactions are then transmitted to an unknown command and control center.
The intrusive malware was discovered by cybersecurity analysts from Bitdefender a month ago. However, the researchers said that some signs of its activity date back as far as mid-May, when it was initially uploaded to the website VirusTotal in Russia. Other samples were said to have been uploaded from an Israeli IP.
Bitdefender said that the samples it found were posing as clones of legitimate applications, but the firm was not able to identify where the malicious app was being distributed from. At the moment, the researchers' best guess is app-sharing forums or a third-party Android application store, both of which are popular in some parts of the world.
As per Bitdefender’s investigation, some of Triout’s capabilities include:
- Records every phone call (the conversation itself, as a media file) and sends it, together with the caller ID, to the C&C (incall3.php and outcall3.php)
- Logs every incoming SMS message (SMS body and SMS sender) to the C&C (script3.php)
- Can hide itself
- Can send all call logs ("content://call_log/calls", with callname, callnum, calldate, calltype and callduration) to the C&C (calllog.php)
- Whenever the user snaps a picture, with either the front or the rear camera, it is sent to the C&C (uppc.php, finpic.php or reqpic.php)
- Can send GPS coordinates to the C&C (gps3.php)
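As an added detection example (not code from the article or from Bitdefender), the following Python scans a constructed proxy log for clients that contact several of the C&C endpoint paths listed above; the log format, the hostnames and the two-endpoint threshold are assumptions.

```python
import re
from collections import defaultdict

# C&C endpoint file names attributed to Triout in the capability list above.
TRIOUT_ENDPOINTS = {
    "incall3.php": "call recording (incoming)",
    "outcall3.php": "call recording (outgoing)",
    "script3.php": "SMS logging",
    "calllog.php": "call log exfiltration",
    "uppc.php": "photo upload",
    "finpic.php": "photo upload",
    "reqpic.php": "photo upload",
    "gps3.php": "GPS coordinates",
}

# Constructed proxy log lines (not real traffic): "<client> <method> <url>".
SAMPLE_LOG = """\
10.0.0.5 POST http://example-cc.invalid/upload/incall3.php
10.0.0.5 POST http://example-cc.invalid/upload/gps3.php
10.0.0.5 POST http://example-cc.invalid/upload/script3.php
10.0.0.9 GET http://cdn.example.invalid/assets/app.js
10.0.0.9 GET http://maps.example.invalid/gps3.php
10.0.0.7 POST http://example-cc.invalid/upload/calllog.php?x=1
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def endpoint_name(url):
    """Return the last path component of a URL, lower-cased, without the query string."""
    path = url.split("://", 1)[-1].split("?", 1)[0]
    return path.rsplit("/", 1)[-1].lower()


def scan_log(text, min_hits=2):
    """Collect Triout endpoint hits per client; return clients reaching min_hits distinct endpoints."""
    hits = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines
        client, _method, url = m.groups()
        name = endpoint_name(url)
        if name in TRIOUT_ENDPOINTS:
            hits[client].add(name)
    # A single generic name such as gps3.php on an unrelated site is noise; require a cluster.
    return {c: sorted(eps) for c, eps in hits.items() if len(eps) >= min_hits}
```

Lowering `min_hits` to 1 surfaces single-endpoint hits for triage, at the cost of more false positives from unrelated sites using the same file names.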
Triout can also hide itself. However, Bitdefender notes that the malicious code, which ships in a package named 208822308.apk, is readable, which suggests it may be an experimental version.
“What’s striking about the sample is that it’s completely unobfuscated, meaning that simply by unpacking the .apk file, full access to the source code becomes available. This could suggest the framework may be a work-in-progress, with developers testing features and compatibility with devices,” Bitdefender wrote.