Bitdefender’s security experts have identified a new type of spyware for the Android operating system, a threat with extensive surveillance capabilities that is easy to embed in seemingly harmless applications. The malware was present in some apps on Google Play that suggest erotic activities to couples.
Once hidden inside repackaged applications, the spyware, called Triout, can conceal its presence on the device, record phone calls, intercept text messages, capture video, take photos, collect GPS coordinates, and send all of it to the attacker’s command-and-control server.
Triout first appeared on May 15, bundled into a legitimate Google Play application that suggests erotic activities to couples. The app has since been removed from Google Play, but the spyware’s command-and-control server is still operational today. This means the attackers are continually testing new functionality and compatibility with various devices, so they are still working on the final version of this threat, which could re-emerge at any time inside another legitimate application.
Here’s the complete list of Triout features:
- Records every incoming or outgoing phone call in full and sends it to the attacker.
- Monitors all incoming SMS messages, capturing both the message content and the sender.
- Has the ability to hide itself on the device.
- Sends all call details, such as caller name and number, date, duration, and call type.
- Forwards every photo taken with either the front or the main camera.
- Delivers real-time GPS coordinates to the attacker.
The application infected with this malware was originally uploaded from Russia, and most reports of infected victims come from Israel. The repackaged app is almost identical to the original, both in code and in functionality, apart from the malicious component. Both the application icon and its interface preserve all of the original functionality so as not to arouse the victim’s suspicion.
The original app has been available in the Play Store since 2016. While it is still unclear how the infected version is being distributed, unofficial stores or attacker-controlled domains could still host it.