The mobile remote access Trojan has reached the gates of the Android world. Researchers have warned Android users of the risk of exfiltration of their information, such as photos, locations, contacts, and messages from popular apps such as Facebook, Instagram, WhatsApp, Skype, Telegram, Kik, Line, and Google Messages. The danger stems from a second threat actor working with an Android malware vendor, whose product lets attackers take over the Android device. Because attackers can sell remote access Trojans for devices through the dark market, earning money appears to be their motivation for taking part in these attacks.
Who has created this mobile remote access Trojan?
According to Check Point Research today, it seems that the RATs for different devices are being sold by a vendor named "Triangulum", a 25-year-old Indian man who started his career on the Dark Web three years ago, on June 10, 2017.
The exact product that Triangulum sells is a mobile remote access Trojan: a dangerous RAT that is capable of exfiltration of sensitive data from a C&C server. This mobile remote access Trojan is also capable of deleting an entire operating system and local data.
Although researchers have exposed this issue only recently, it seems that "Triangulum" had started showing off his product's features to potential investors in 2017. Presenting the RAT's features to investors was not his only method of showing off the product: piecing together the trail of Triangulum's activities reveals that he has been openly advertising his product since 2017, and no one recognized the potential threat during these 3 years.
It seems that investors ignored Triangulum, just as researchers did. Being ignored made Triangulum drop out of sight in the middle of 2018. One and a half years later, on April 6, 2019, a new user named "HeXaGoN Dev", who seems to specialize in the development of Android-based RATs, began selling a mobile remote access Trojan called "Rogue". Guess who was his most important colleague? Exactly, Mr. Triangulum.
HeXaGoN Dev seems to be smarter than Triangulum at planning financial strategy. The mobile remote access Trojan that was being sold for only $60 in 2017 now costs about $30 a month, or $120 for permanent access.
A creative vendor and his Trojan horse
Although Triangulum's initiative was ignored by many people in various dark markets, including those active in the Russian dark market, today it has become a serious threat to Android users. Hacking an Android user costs only $30, which is a security disaster.
Why do we call this mobile remote access Trojan an initiative?
The answer is simple. Creating such a mobile remote access Trojan was not complicated at all. All that was needed to create it was to combine public code from the dark web with open-source data. However, this idea did not cross anyone's mind except Triangulum's. Therefore, the fact that Triangulum didn't develop this creation from scratch does not call his creativity into question.
This software is designed in such a way that mobile users will not be able to see its icon. Therefore, the victims will not realize that they have been attacked.
As Check Point's Head of Cyber Research, Yaniv Balmas, has stated:
“Mobile malware vendors are becoming far more resourceful on the darknet. Our research gives us a glimpse into the craziness of the darknet: how malware evolves, and how difficult it is to now track, classify, and protect against them in an effective way.
The underground market is still like the wild-west in a sense, which makes it very hard to understand what a real threat is and what isn't."