Experts Sound Alarm On New Android Malware Sold On Hacking Forums

Cybersecurity researchers have uncovered the operation of an Android malware vendor that collaborates with a second threat actor to market and sell a remote access Trojan (RAT) capable of taking over and extracting photos, locations, contacts and messages from popular apps such as Facebook, Instagram, WhatsApp , Skype, Telegram, Kik, Line, and Google Messages.

The vendor, who goes by the name “Triangulum” on a number of darknet forums, is thought to be a 25-year-old man from India, with the individual who opened a shop to sell malware three years ago on June 10. , 2017, according to an analysis published by Check Point Research today.

“The product is a mobile RAT, targets Android devices and is capable of extracting sensitive data from C&C servers, destroying local data — even wiping the entire OS, at any given time,” the researchers said.

Active Underground Market for Mobile Malware
Putting together traces of Triangulum’s activity, the cybersecurity firm said malware developers — in addition to gathering publicity for RAT — were also looking for potential investors and partners in September 2017 to showcase the tool’s features before offering the tools for sale.
Triangulum, furthermore, is believed to have been off the network for about a year and a half, with no signs of activity on the darknet, only resurfacing on April 6, 2019, with another product called “Rogue,” this time working with another enemy called “HeXaGoN.” Dev, “which specializes in Android-based RAT development.
Noting that Triangulum has previously purchased several malware products offered by HeXaGoN Dev, Check Point said Triangulum advertises its products on various darknet forums with well-designed infographics which include the full features of the RAT. Furthermore, HeXaGoN Dev acts as a potential buyer in an effort to attract more customers.

While the 2017 product sells for a fixed price of $ 60 as a lifetime subscription, vendors are switching to a more financially viable model in 2020 by billing customers between $ 30 (1 month) and $ 190 (permanent access) for Rogue malware.

Interestingly, Triangulum’s efforts to expand into the Russian darknet market met with failure following the actor’s refusal to share a demo video in a forum post advertising the product.
from Cosmos to Dark Shades to Rogue
Rogue (v6.2) — which appears to be the latest iteration of a malware called Dark Shades (v6.0) originally sold by HeXaGoN Dev before being bought by Triangulum in August 2019 — also comes with features taken from a second malware family called Hawkshaw, which its source code went public in 2017.

“Triangulum did not develop this creation from scratch, it took what was available from both the open-source and darknet worlds, and put these components together,” the researchers said.
Dark Shades, it turns out, is the “superior successor” to Cosmos, a separate RAT sold by actor HeXaGoN Dev, thus making sales of Cosmos redundant.

Rogue marketed as a RAT “is made to execute commands with extraordinary features without the need for a computer,” with the added ability to remotely control infected clients using a control panel or smartphone.

Indeed, RAT offers a variety of features for gaining control over the host device and extracting any kind of data (such as photos, location, contacts and messages), modifying files on the device, and even downloading additional malicious payload. , while ensuring that the user grants the intrusive permission to perform its malicious activity.

It’s also engineered to thwart detection by hiding icons from users’ devices, circumventing Android security restrictions by leveraging accessibility features to log user actions, and registering its own notification service to snoop on any notifications that appear on infected phones.
What’s more, stealth is built into the tool. Rogue uses Google’s Firebase infrastructure as a command-and-control (C2) server to disguise its malicious intent, abuses the platform’s cloud messaging features to take orders from servers, and Realtime Database and Cloud Firestore to upload data and documents collected from device victims.

Rogue Suffered a Leak in April 2020
Triangulum may be currently active and expanding his clientele, but in April 2020, the malware ended up getting leaked.

ESET researcher Lukas Stefanko, in a tweet on April 20 last year, said the backend source code of the Rogue Android botnet was published in an underground forum, noting “it has lot of security issues,” and that “it is new naming for Dark Shades V6.0 (same developer). “

But despite the leakage, Check Point researchers note that the Triangulum team still receives messages on the actor’s home Darknet forum from interested customers.

“Mobile malware vendors are becoming far more resourceful on the dark net. Our research gives us a glimpse into the craziness of the dark net: how malware evolves, and how difficult it is to now track, classify and protect against them in an effective way , “Check Point’s Head of Cyber ​​Research, Yaniv Balmas, said.

“The underground market is still like the wild-west in a sense, which makes it very hard to understand what is a real threat and what isn’t.”