Android Users Watch out for Rogue Malware

Check Point Research reported today that a dark web vendor “Triangulum” has teamed up with another hacker to create a remote access Trojan (RAT) that can take over an Android device stealing photos, contacts, messages, and locations, from apps like Facebook, Instagram, WhatsApp, Skype, Telegram, Kik, Line, and Google Messages.

Rogue Malware

The man selling the RAT appears to be a 25-year-old man of Indian descent, and he opened up shop on the dark web on June 10, 2017. 

According to the researchers’ report, “The product was a mobile RAT, targeting Android devices and capable of exfiltration of sensitive data from a C&C server, destroying local data – even deleting the entire OS, at times.”

The latest version of Rogue (v6.2) stems from Dark Shades (v6.0), initially developed by HeXaGoN and purchased by Triangulum. One or both of the hackers combined Dark Shades with pieces of another malware product called Hawkshaw. Dark Shades hails from its origins malware dubbed “Cosmos.”

In their report, Check Point Research said, “Triangulum didn’t develop this creation from scratch; he took what was available from both worlds, open-source and the darknet, and united these components.”

The RAT does not need a computer to execute and, once installed, can take complete control of the mobile device. Unfortunately, this nasty piece of malware has a wide range of features. According to The Hacker News, “Indeed, the RAT boasts of a wide range of features to gain control over the host device and exfiltrate any kind of data (such as photos, location, contacts, and messages), modify the files on the device, and even download additional malicious payloads, while ensuring that the user grants intrusive permissions to carry out its nefarious activities.

It’s also engineered to thwart detection by hiding the icon from the user’s device, circumvent Android security restrictions by exploiting accessibility features to log user actions, and registers its own notification service to snoop on every notification that pops up on the infected phone.”

The product uses Google’s Firebase infrastructure to appear legitimate and operate backend commands. 

A Nefarious Partnership

Before marketing the destructive tool, Triangulum went looking for investors back in September 2017. After his initial splash online, he disappeared off the grid for about a year and a half before showing up again on April 6, 2019. When he resurfaced, he had a partner, “HeXaGoN Dev,” and they had a new offering called “Rogue.”

Triangulum’s partner is noted to be an expert in developing Android-based RATs. Triangulum advertises various malware products on forums on the dark web with impressive infographics boasting about the list of features. Rogue malware was initially offered for a one-time fee of $60, but then in 2020, the duo increased the price to $30/month or a lifetime license for $190. 

The Hacker News commented that “Interestingly, Triangulum’s attempts to expand to the Russian darknet market were met with failure following the actor’s refusal to share demo videos on the forum post advertising the product.”

Rogue is Not All It’s Cracked Up to Be

According to a tweet on April 20, 2020, Lukas Stefanko of ESET found the backend source code for Rogue and tweeted, “it has a lot of security issues,” and that “it is new naming for Dark Shades V6.0 (same developer).”

As of now, Triangulum is still selling the product on the dark web, and more customers are buying and using it. 

How Android Users Can Stay Safe

Android users should be on alert and ever watchful for this new attack medium. Some other ways to stay safe are:

• Never install apps and software from untrusted sources.

• Use strong passwords on all your accounts.

• Secure the phone with a passcode, fingerprint, and facial recognition.

• Do not click links in an email, and be careful of phishing scams.

• Install good antivirus software on the device and run scans often.

Be on the watch for any type of scam, fraud, or identity theft.