Now more than ever, we rely on our smartphones to keep in touch with our work, our families and the world around us. There are over 3.5 billion smartphone users worldwide, and it is estimated that over 85% of those devices – around 3 billion – run the Android OS. So it’s no surprise that criminals and threat actors are actively targeting this vast user base for their own malicious purposes, from trying to steal users’ data and credentials, to planting money-making malware, spyware or ransomware, and more.
However, from the threat actors’ perspective, gaining a foothold on victims’ mobiles is an evolving challenge, because the built-in security features on some phones, and the controlled access to official app stores such as Google Play do offer a measure of protection to users. This means that would-be attackers have to develop new and innovative mobile infection vectors, and use and refine new skills and techniques to bypass security protections and place malicious apps in official app stores.
Check Point Research (CPR) recently encountered a mastermind’s network of Android mobile malware development on the darknet. This discovery piqued our interest, as it was extraordinary, even by dark net standards. CPR researchers decided to dig deeper to learn more about the threat actor behind the network, his products, and the business model behind malicious targeting of Android mobile devices.
A Journey into the Dark net
We tracked the activity of the threat actor, who goes by the nickname “Triangulum”, in several darknet forums. “Triangulum” in Latin means “triangle” — and the term is commonly used in relation to the Triangulum galaxy, nearly 3 million light-years from Earth. Just as it is hard to find the Triangulum galaxy in the night sky, it’s hard to find traces of the Triangulum actor’s work. However, we soon discovered that once you do spot him, he is relatively easy to follow.
Over the past two years, Triangulum has demonstrated an impressive learning curve. He has evaluated the needs of the market, developed a network of partnerships, made investments and distributed malware to potential buyers. Triangulum started his journey at the beginning of 2017 by joining hack forums in the darknet. Initially, Triangulum exhibited some technical skills by reverse engineering malware, but closer analysis of these initial efforts revealed him an amateur developer.
Debut Product “Launch”
On June 10, 2017, Triangulum provided us the first glimpse of a product he developed.
The product was a mobile RAT (remote access trojan), targeting Android devices and capable of exfiltration of sensitive data from a C&C server, destroying local data – even deleting the entire OS, at times.
Four months later, Triangulum offered his first malware for sale. He then vanished for approximately a year and a half, with no evident signs of activity on the dark net, only to re-surface on April 6, 2019 with another product for sale. From this point on, he has been very active, advertising different products over a six-month span. It appeared that Triangulum created a high-functioning production line for the development and distribution of malware during his time away from the darknet.
Partners in (Mobile) Crime
Further investigation found evidence that Triangulum was collaborating with another threat actor named “HexaGoN Dev”, who specialized in the development of Android OS malware products – in particular, RATs.
In the past, Triangulum had purchased several projects created by HeXaGoN Dev. The combination of HeXaGon Dev’s programming skills and Triangulum’s social marketing skills clearly posed a legitimate threat. Triangulum and HeXaGoN Dev produced and distributed multiple malware variants for Android, including cryptominers, keyloggers, and sophisticated P2P (Phone to Phone) MRATs.
Introducing a Brand new Malware – “Rogue”
Triangulum and HeXaGoN Dev then collaborated to create and introduce the Rogue malware to the darknet. Rogue is part of the MRAT family (Mobile Remote Access Trojan). This type of malware can gain control over the host device and exfiltrate any kind of data, such as photos, location, contacts, and messages, to modify the files on the device and download additional malicious payloads.
When Rogue successfully gains all of the required permissions on the targeted device, it hides its icon from the device’s user to ensure it will not be easy to get rid of it. If all of the required permissions are not granted, it will repeatedly ask the user to grant them.
The malware then registers as a device administrator. If the user tries to revoke the admin permission, an onscreen message designed to strike terror in the heart of the user appears: “Are you sure to wipe all the data?”
Rogue adopts the services of the Firebase platform, a Google service for apps, to disguise its malicious intentions and masquerade as a legitimate Google service. It uses Firebase’s services as a C&C (command and control) server, so that all of the commands that control the malware and all of the information stolen by the malware are delivered using Firebase’s infrastructure. Google Firebase incorporates dozens of services to help developers create mobile and web applications.
The Rogue malware uses the following:
- “Cloud Messaging” to receive commands from the C&C.
- “Realtime Database” to upload data from the device.
- “Cloud Firestore” to upload files.
In this research, CPR uncovered a fully active market that sells malicious mobile malware, living and flourishing on the dark net and other related web forums. The story of the Rogue malware is an example of how mobile devices can be exploited. Similar to Triangulum, other threat actors are perfecting their craft and selling mobile malware across the dark Web – so we need to stay vigilant for new threats that are lurking around the corner and understand how to protect ourselves from them.
Tips to Remain Protected Against Mobile Malware
Cybercriminals are well aware of the vital role that mobile devices play in people’s lives, and of the value of the personal and corporate data and credentials that are stored on those devices. The mobile threat landscape is evolving rapidly, and mobile malware is a significant threat to both personal and enterprise security.
Mobile devices present a different threat surface than traditional endpoints. Securing these devices requires following mobile device-specific security best practices:
- Regular OS updates are essential. Mobile devices should always be updated to the latest version of the OS to protect against the exploitation of privilege escalation vulnerabilities.
- Only install apps from official app stores. Installing apps only from official app stores reduces the probability of an unintentional installation of mobile malware or a malicious application.
- Enable ‘remote wipe’ capability on all mobile devices. All devices should have remote wipe enabled to minimize the probability of loss of sensitive data.
- Do not trust public Wi-Fi networks. Public Wi-Fi networks can give an attacker a bridge onto a device, making it easier to perform man-in-the-middle (MitM) and other attacks. Limiting mobile devices to trusted Wi-Fi and mobile networks reduces their exposure to cyber threats.
For the full technical details of this research visit: https://research.checkpoint.com/