Going Rogue – A Different Level Of Malware Development Package


Smartphones, and Android devices in particular, have been an appealing target for threat actors and cybercriminals for a very long time. There are more than 3.5 billion active smartphone users, and 3 billion of those smartphones are Android-based. This massive worldwide user base is what makes cybercriminals target them for malicious activity. However, the evolution of security measures in smartphone software and in the apps distributed through app stores has made it harder for cybercriminals to exploit and take control of a smartphone. Nowadays, many hackers and attackers are being innovative and expanding their knowledge and skills to make their attacks more efficient and unexpected, raising the level of the threat. It is also harder for attackers now to bypass app store security controls in order to publish their malicious apps.

Researchers from Check Point have recently found a network of Android mobile malware development packages being sold on dark web markets. This package lets an attacker build modern Android malware capable of gaining control over a targeted Android device and extracting anything or everything the bad actor wants. Researchers traced the mastermind behind this package, who was known by the name Triangulum on various dark web forums. Researchers said, “it is hard to spot the traces of the Triangulum actor, but once you do spot him, he’s relatively easy to follow.”

Researchers revealed that this development package was built by Triangulum himself, and that the first indication of the product appeared on the dark web on 10 June 2017. The product is considered an Android-based RAT (remote access trojan): it can take control of any smartphone device, remove files from the device (even the complete operating system), and extract data by transmitting it to a command-and-control server. “As Triangulum moved on to marketing his product, he looked for investors and a partner to help him create a PoC to show off the RAT’s capabilities in all its glory,” researchers said.

The malware went on sale for the first time on 20 October 2017, but soon mysteriously disappeared from the dark web for more than a year. On 6 April 2019, Triangulum was back with a different product, remained active from then on, and in a period of less than six months launched four more products for sale. When the researchers dug deeper, they discovered that Triangulum worked with a partner known as HexaGoN Dev. Researchers described: “This cooperation seems to have risen from previous deals between the two, as in the past Triangulum purchased several projects created by HeXaGoN Dev, who specialized in developing Android OS malware products, RATs in particular. Combining the programming skills of HeXaGon Dev together with the social marketing skills of Triangulum, these 2 actors posed a legitimate threat. Working together, Triangulum and HeXaGoN Dev produced and distributed multiple malwares for Android, including crypto miners, keyloggers, and sophisticated P2P (Phone to Phone) MRATs.”

The Rogue malware works by installing a keylogger on the targeted device, which allows an attacker to learn which websites and apps the user accesses and, at times, to capture login credentials and confidential data. It also tricks Google’s Firebase service into treating the malware as a genuine app, hiding malicious activities such as location monitoring and data extraction. Researchers said that it is not a new malware family but a combined version of two existing families, Cosmos and Hawkshaw. In addition, it is believed that Rogue is the latest, updated version of another malware called Dark Shades. Triangulum bought Dark Shades in April 2019 and may have added or changed features in it to build a more (or less) capable malware.

Researchers concluded by saying: “The Rogue malware and the story behind it is the perfect example of how mobile devices are exploited. Just like with Rogue malware, other threat actors are practicing and learning, sometimes for years, till they are ready to apply their knowledge as effectively as they can, in either malware development or malware sales. Triangulum shows would-be threat actors that you don’t have to invent new malware every time you want to offer a new product for sale. Instead, you can apply your soft skills in marketing to build up and maintain a sales reputation, and create catchy advertisements and different names for a product that appears to be another version of what already exists. A lesson to draw here is that threat actors have created a reality in which we cannot be complacent. We must stay constantly vigilant for threats that are lurking around the corner and understand how to protect ourselves from them.”
