A legitimate application that’s supposed to help users access censored or blocked websites was secretly bundled with Android spyware and made available for download on third-party marketplaces 
last year.

The app, known as Psiphon and packaged as com.psiphon3, has been safely downloaded from the official Google Play Store over 50 million times. But users who attained the app through unofficial channels may have downloaded a sabotaged version that infects them with Triout, a malware framework that introduces extensive surveillance capabilities.

Last August, researchers from Bitdefender reported its initial discovery of Triout, which at the time was found bundled with an adult content app.

But this latest scheme, also disclosed by Bitdefender in a Feb. 7 blog post, instead targets Android device owners interested in unfiltered internet access. This likely includes users located in countries run by oppressive regimes that restrict the freedom of information.

From the user’s point of view, the malicious app functions just like the genuine version, reports blog post author and senior e-threat analyst Liviu Arsene. But secretly in the background, the spyware is recording phone calls, logging incoming text messages, recording videos, taking pictures and collecting GPS coordinates.

Triout then exfiltrates that content to the attackers’ command-and-control server, whose IP address was traced by Bitdefender to a French discount retail website, magicdeal.fr, which may or may not be legitimate.

The malicious actors also incorporated three adware components to generate additional revenue for themselves, the blog post continues.

According to Bitdefender, the malicious Psiphon app was detected last Oct. 11, but was active from May 2, 2018 through Dec. 7, 2018. Throughout that time period, the researchers only found seven affected devices; however, other users outside of Bitdefender’s telemetry could have been affected.

“It’s also worth considering that the low number of victims and infected devices, coupled with the fact that it packs powerful spyware capabilities, could indicate that Triout is mostly used in highly targeted espionage campaigns aimed at a few individuals,” suggested Arsene.

Malware like Triout turns ubiquitous Android devices into “perfect spies,” warns Bitdefender, noting that the discovery of new samples and compromised versions of extremely popular apps “may herald more incidents such as this in the near future.”