New Android malware framework Triout turns legitimate programs into powerful spyware

Security company Bitdefender has recently been tracking Android malware called TRIOUT, which is infecting a large number of legitimate applications for espionage.

The hacker group developed TRIOUT mainly to make malware easier to spread: it only needs to be packaged with a legitimate application and distributed.

TRIOUT appeared in the Google App Store as early as 2016; the malware is now distributed mainly through unofficial channels outside Google.

Comes with compelling monitoring features:

The monitoring software included with this malware is compelling. Once the user has installed the app, the Trojan is released to monitor the device, collect data and upload it to a server.

TRIOUT automatically records all call records of the infected device, names each one as the communication record of the corresponding number, and uploads it to the server controlled by the hacker group.

TRIOUT also automatically packages all SMS content on the target device, and when the user opens the camera to take a photo, that is automatically uploaded to the server as well.

To avoid being discovered, TRIOUT does not actively request front or rear camera or microphone permissions, but whenever the user is active on the device, that activity is fully logged.

Packaged with legitimate programs to induce user installation:

It is worth noting that TRIOUT is mainly bundled with a legitimate program, so after installation the user can use that program without noticing anything abnormal.

Puzzlingly, TRIOUT is also signed with the Google Debug Certificate, and in this way bypasses routine detection by the system and security software.
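A debug-signed APK arriving from outside a development pipeline is a cheap triage signal. The following is an added example, not code from Bitdefender or the original article: it scans the text printed by `apksigner verify --print-certs` for the subject DN that the Android SDK gives its auto-generated debug key (`CN=Android Debug, O=Android, C=US`). The file names and outputs are constructed samples, and a DN match is a heuristic that also fires on any legitimate debug build.

```python
import re

# Subject DN of the key the Android SDK auto-generates for debug builds.
DEBUG_DN = {("CN", "Android Debug"), ("O", "Android"), ("C", "US")}
# Matches "Signer #1 certificate DN: ..." lines in apksigner output.
DN_LINE = re.compile(r"^Signer\b.*?certificate DN:\s*(.+)$", re.M)

def parse_dn(dn):
    """Split 'CN=..., O=..., C=..' into a set of (attr, value) pairs."""
    pairs = set()
    for part in re.split(r"(?<!\\),", dn):  # do not split on escaped commas
        if "=" in part:
            key, value = part.split("=", 1)
            pairs.add((key.strip().upper(), value.strip()))
    return pairs

def debug_signed(print_certs_output):
    """True if any signer in the apksigner output uses the debug DN."""
    dns = DN_LINE.findall(print_certs_output)
    return any(parse_dn(dn) == DEBUG_DN for dn in dns)

def triage(reports):
    """Map {apk name: apksigner output} to the sorted names needing review."""
    return sorted(name for name, out in reports.items() if debug_signed(out))

# Constructed sample outputs; names and digests are placeholders.
SAMPLES = {
    "repackaged.apk": (
        "Signer #1 certificate DN: CN=Android Debug, O=Android, C=US\n"
        "Signer #1 certificate SHA-256 digest: <placeholder>\n"
    ),
    "store-release.apk": (
        "Signer #1 certificate DN: CN=Example Corp, O=Example Corp, C=US\n"
        "Signer #1 certificate SHA-256 digest: <placeholder>\n"
    ),
    "reordered-dn.apk": "Signer #1 certificate DN: C=US,O=Android,CN=Android Debug\n",
    "unsigned.apk": "DOES NOT VERIFY\n",
}

if __name__ == "__main__":
    for name in triage(SAMPLES):
        print(f"{name}: signed with a debug certificate, hold for review")
```
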

The malicious behaviour is very subtle. Despite Bitdefender's tracking, it is still impossible to determine which hacking group TRIOUT is associated with.

This also shows that the hacker group behind the TRIOUT framework is highly capable; otherwise it could not control the Trojan at any time without being tracked by security personnel.

Of course, TRIOUT also uses some customary routines:

Like most malware, TRIOUT is also spread through fake software, which is given pornographic or otherwise tempting names.

This attracts the attention of some male users and widens TRIOUT's reach so that it can collect more information. It is a familiar routine.