Security Architecture, Endpoint/Device Security, Endpoint/Device Security, Threat Management, Threat Intelligence, Threat Management, Malware, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security

Cybercriminals secretly bundle anti-censorship app with spyware framework

A legitimate application that's supposed to help users access censored or blocked websites was secretly bundled with Android spyware and made available for download on third-party marketplaces 
last year.

The app, known as Psiphon and packaged as com.psiphon3, has been safely downloaded from the official Google Play Store over 50 million times. But users who attained the app through unofficial channels may have downloaded a sabotaged version that infects them with Triout, a malware framework that introduces extensive surveillance capabilities.

Last August, researchers from Bitdefender reported its initial discovery of Triout, which at the time was found bundled with an adult content app.

But this latest scheme, also disclosed by Bitdefender in a Feb. 7 blog post, instead targets Android device owners interested in unfiltered internet access. This likely includes users located in countries run by oppressive regimes that restrict the freedom of information.

From the user's point of view, the malicious app functions just like the genuine version, reports blog post author and senior e-threat analyst Liviu Arsene. But secretly in the background, the spyware is recording phone calls, logging incoming text messages, recording videos, taking pictures and collecting GPS coordinates.

Triout then exfiltrates that content to the attackers' command-and-control server, whose IP address was traced by Bitdefender to a French discount retail website,, which may or may not be legitimate.

The malicious actors also incorporated three adware components to generate additional revenue for themselves, the blog post continues.

According to Bitdefender, the malicious Psiphon app was detected last Oct. 11, but was active from May 2, 2018 through Dec. 7, 2018. Throughout that time period, the researchers only found seven affected devices; however, other users outside of Bitdefender's telemetry could have been affected.

"It's also worth considering that the low number of victims and infected devices, coupled with the fact that it packs powerful spyware capabilities, could indicate that Triout is mostly used in highly targeted espionage campaigns aimed at a few individuals," suggested Arsene.

Malware like Triout turns ubiquitous Android devices into "perfect spies," warns Bitdefender, noting that the discovery of new samples and compromised versions of extremely popular apps "may herald more incidents such as this in the near future."

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.