Check Point researchers have discovered Rogue, a new remote access malware for Android.
They noticed that a malware developer known as Triangulum has teamed up with one HeXaGoN Dev to release Rogue.
This malware is capable of taking control of victims’ devices and stealing data, including photos, geolocation data, contacts and messages. The researchers’ report states that Triangulum first appeared on the darknet in early 2017. Its first product was a remote access mobile Trojan designed to steal data and destroy information on an infected device, including the operating system.
Four months later, Triangulum began selling its first Android malware. After that, Triangulum disappeared from the darknet for almost a year and a half, reappearing on April 6, 2019 with a new product ready for sale. At that point Triangulum resumed its activity: over the next six months it actively advertised several of its “products” at once.
“During the absence of Triangulum, we managed to recreate a whole network for the production and distribution of malware,” the researchers suggest.
Upon further investigation, the research team was able to establish that Triangulum worked with another attacker known as HeXaGoN Dev, who specialized in developing Android malware, mainly remote access Trojans.
Let me remind you that malware most often reaches Android devices via the Google Play Store.
Triangulum struggled to sell its creations on its own and, failing to succeed, was forced to partner with the “marketer” HeXaGoN Dev, who, for example, helped it sell the same “products” under different names.
Sometimes HeXaGoN Dev even pretended to be a potential buyer in an attempt to attract more customers. By combining programming skills with social marketing, the attackers got results. The duo has created several Android malware families, including miners, keyloggers and P2P (Phone to Phone) Trojans.
- Cosmos: the first Triangulum development. Allows viewing other people’s messages and writing new ones, tracking the call log, accessing the personal data of the smartphone user and taking screenshots.
- DarkShades: has the same functionality as Cosmos, but can also record sound and take pictures using the device’s camera.
- Rogue: has the same functionality as DarkShades, and can also send fake notifications, register as the default messaging app, and gain device administrator rights.
According to the researchers, Triangulum and HeXaGoN Dev recently joined forces to create the new Rogue malware, a mobile remote access Trojan. It allows attackers to access and steal data from victims’ devices, including photos, geolocation information, contacts and messages, to modify files, and to download additional malware.
After receiving all the necessary permissions on the victim’s smartphone, Rogue hides its icon to make it more difficult for the user to remove it. If the necessary permissions have not been obtained, Rogue will repeatedly ask the user to grant them. Thus, the malware gains administrator rights. And if the user tries to revoke the rights, a frightening message appears on the screen: “Are you sure you want to erase all data?”
To hide its intentions, Rogue masks itself as an official Google app. The Firebase platform is used as the C&C server, and therefore all commands, as well as information stolen from the device, are delivered using the Firebase infrastructure.
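As an added example (not from the article or from Check Point’s report), a defender’s triage heuristic in Python: it parses a decoded AndroidManifest.xml and flags the combination of capabilities the article attributes to Rogue, namely a device-admin receiver, registration as a default SMS handler, and a Firebase Cloud Messaging service. The Android action and permission names are the standard ones; the sample manifest, class names and package name are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Added example, not from the article or Check Point's report (see lead-in).
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Standard Android identifiers for the three capabilities the article attributes to Rogue.
DEVICE_ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"
DEVICE_ADMIN_PERMISSION = "android.permission.BIND_DEVICE_ADMIN"
SMS_DELIVER_ACTION = "android.provider.Telephony.SMS_DELIVER"
FCM_ACTION = "com.google.firebase.MESSAGING_EVENT"

def _actions(component):
    """All intent-filter action names declared on one manifest component."""
    return {a.get(ANDROID_NS + "name")
            for f in component.findall("intent-filter") for a in f.findall("action")}

def manifest_flags(manifest_xml: str) -> dict:
    """Report which Rogue-style capabilities a decoded AndroidManifest.xml declares."""
    app = ET.fromstring(manifest_xml).find("application")
    receivers = app.findall("receiver") if app is not None else []
    services = app.findall("service") if app is not None else []
    flags = {
        # Device-admin receiver: prerequisite for the rights Rogue defends with its "erase all data?" prompt
        "device_admin": any(r.get(ANDROID_NS + "permission") == DEVICE_ADMIN_PERMISSION
                            or DEVICE_ADMIN_ACTION in _actions(r) for r in receivers),
        # Handling SMS_DELIVER is what lets an app be offered as the default messaging app
        "default_sms_app": any(SMS_DELIVER_ACTION in _actions(r) for r in receivers),
        # Firebase Cloud Messaging is legitimate in many apps; it is the combination that matters
        "firebase_messaging": any(FCM_ACTION in _actions(s) for s in services),
    }
    flags["rogue_like"] = all(flags.values())
    return flags

# Constructed sample manifest (not a real Rogue sample) that triggers all three checks.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed"><application>
  <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
    <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
  </receiver>
  <receiver android:name=".SmsReceiver" android:permission="android.permission.BROADCAST_SMS">
    <intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter>
  </receiver>
  <service android:name=".FcmService">
    <intent-filter><action android:name="com.google.firebase.MESSAGING_EVENT"/></intent-filter>
  </service>
</application></manifest>"""

if __name__ == "__main__":
    print(manifest_flags(SAMPLE_MANIFEST))
```

A manifest that decodes to any one of these flags alone is unremarkable; the heuristic only raises `rogue_like` when all three appear together, which is the profile the article describes.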
This new combination of two older malware families is on sale on hacking forums for just $29.99 per month, or $189.99 for an indefinite licence.
“The Check Point Research study allowed us to ‘peep’ at the work of the dark web: how malware is evolving, why it is not easy to track, classify or effectively build a defence against criminals. In addition, the connection between this crazy underground market and the real world makes it easy for attackers to distort facts and create fake products. The Darknet is still a kind of ‘Wild West’, where it is difficult to understand what is a threat and what is not,” comments a representative of Check Point Software Technologies.
Let me also remind you that GravityRAT malware now has versions for Android and macOS.