
Attackers repackage popular Android VPN app with Triout malware

  • Triout malware was first detected in August 2018. It infected Android applications and had spyware capabilities such as recording phone calls and text messages.
  • Recently, the malware was distributed through a fake version of a legitimate Android VPN app, which mirrored the original app’s functionality to look legitimate on users' devices.

Triout malware, which wreaked havoc on Android devices in 2018, is back again in a new avatar. This time, it comes bundled with a genuine Android app to carry out its spyware functions. The malware’s capabilities include recording phone calls, text messages, videos and pictures, as well as monitoring the GPS coordinates of users.

In its latest form, Triout hides behind a popular VPN app called Psiphon, with the package name ‘com.psiphon3’. With more than 50 million installs, the app helps users use a VPN to bypass network restrictions such as website bans in several countries or on private networks.

The attackers have targeted the app installation file that is available from third-party sources, not the one present on Google Play. The unofficial app also comes with other adware on top of the Triout malware.

Antivirus company Bitdefender, which conducted a detailed analysis of Triout’s development, indicated that the malware’s impact was small in the regions it observed, but it was unable to trace the malware’s spread globally.

New C&C Server behind the malware

“What’s interesting about the new Triout sample is that the C&C (Command & Control) server the threat actors use to smuggle the data and control infected devices is now different. The new C&C IP address (“188.165.49.205”) is still operational at the time of writing and seems to point to a French website (“magicdeal.fr”) that displays deals and discounts for various products,” highlighted the blog by Bitdefender.

“It is currently unknown whether the website is a decoy or a legitimate website that the threat actors compromised to use as a C&C server,” the researchers added.
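The two indicators quoted above (the C&C IP address and the magicdeal.fr domain) are the kind of thing a defender would sweep egress logs for. The script below is an added example, not code from Bitdefender or from this article: it scans constructed proxy/firewall log lines for those indicators and ranks each hit. The log format, the field names and the severity rule (traffic from the ‘com.psiphon3’ package to the C&C address is rated higher than a browser visiting the domain, since the researchers could not tell whether magicdeal.fr is a decoy or a compromised legitimate site) are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Indicators taken from the Bitdefender analysis quoted above.
TRIOUT_C2_IP = "188.165.49.205"
TRIOUT_C2_DOMAIN = "magicdeal.fr"

# Package name of the repackaged VPN app named in the article.
SUSPECT_PACKAGE = "com.psiphon3"

# Constructed sample log lines (assumed key=value format, not a real capture).
SAMPLE_LOG = """\
2019-10-30T10:12:01Z src=10.0.0.12 dst=188.165.49.205 dport=80 host=- app=com.psiphon3
2019-10-30T10:12:05Z src=10.0.0.12 dst=93.184.216.34 dport=443 host=example.com app=com.android.chrome
2019-10-30T10:13:44Z src=10.0.0.23 dst=188.165.49.205 dport=443 host=magicdeal.fr app=com.android.chrome
2019-10-30T10:14:02Z src=10.0.0.12 dst=188.165.49.205 dport=443 host=www.magicdeal.fr app=com.psiphon3
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"host=(?P<host>\S+) app=(?P<app>\S+)"
)


@dataclass
class Hit:
    src: str        # internal device that produced the traffic
    app: str        # package reported by the device agent
    indicator: str  # comma-joined list of matched indicators
    severity: str   # "high" or "medium" (assumed triage rule)


def domain_matches(host: str, indicator: str) -> bool:
    """True if host is the indicator domain or one of its subdomains."""
    host = host.lower().rstrip(".")
    return host == indicator or host.endswith("." + indicator)


def scan_log(text: str) -> list[Hit]:
    """Return one Hit per log line that touches a Triout indicator."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unparseable line: skip rather than crash the sweep
        matched = []
        if m["dst"] == TRIOUT_C2_IP:
            matched.append(TRIOUT_C2_IP)
        if m["host"] != "-" and domain_matches(m["host"], TRIOUT_C2_DOMAIN):
            matched.append(TRIOUT_C2_DOMAIN)
        if not matched:
            continue
        # Assumed rule: the repackaged VPN package talking to the C&C address
        # is high confidence; any other app reaching the domain is medium,
        # because the site itself may be a legitimate but compromised host.
        severity = "high" if m["app"] == SUSPECT_PACKAGE else "medium"
        hits.append(Hit(m["src"], m["app"], ",".join(matched), severity))
    return hits


def devices_to_triage(hits: list[Hit]) -> list[str]:
    """Sorted list of source addresses with at least one high-severity hit."""
    return sorted({h.src for h in hits if h.severity == "high"})


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f"{h.severity:6} {h.src:12} {h.app:20} {h.indicator}")
    print("devices to triage first:", devices_to_triage(found))
```

Matching on the IP alone would also flag ordinary visitors to magicdeal.fr, which is why the example keeps the app name in the verdict: the combination of the suspect package and the C&C address is the signal worth acting on first.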

Furthermore, the unofficial, tampered app bears a strong resemblance to the genuine app on Google Play in terms of user interface. Thus, users might believe they have installed the official one, falling prey to Triout spying on their device.
