Triout
⚠️ Overview
Triout is an Android spyware framework with remote access trojan (RAT) capabilities, first publicly documented by Bitdefender in August 2018; the earliest known sample had been uploaded to VirusTotal in May 2018. The operator is unknown. Bitdefender noted that the code was modular and unobfuscated, which is consistent with a surveillance framework built for reuse or resale rather than a one-off tool, but no attribution to a specific vendor or group has been made. The sample was found repackaged inside an otherwise benign adult-themed app whose clean version had earlier been listed on Google Play. Triout targets Android devices for covert surveillance and is classed as both spyware and a RAT.
🔧 Technical Capabilities
Triout is not a standalone app: it is injected into a legitimate carrier app, so the victim installs something that works as advertised while the implant runs alongside it. After installation it hides its icon from the launcher, so the app is visible only in the system's installed-apps list, and it requests device administrator rights to resist casual removal. It communicates with a command-and-control (C2) server over HTTP(S) and accepts tasking from it. Bitdefender's analysis documented recording of every phone call (each call saved as a media file and uploaded), logging of incoming SMS messages, exfiltration of call logs and contacts, upload of every photo or video the user takes, and reporting of GPS coordinates; the implant can also capture audio and images on demand and upload arbitrary files from the device. The permission set it needs for this (RECORD_AUDIO, CAMERA, READ_SMS, READ_CALL_LOG, location) is granted by the user at install or first-run time; no vulnerability is exploited. Triout does not self-propagate: it spreads only as a repackaged legitimate app, distributed through third-party markets or direct download links.
📜 History & Notable Incidents
Bitdefender published its analysis in August 2018 after finding Triout bundled into a repackaged copy of an adult-themed game ("Sex Game"); the clean original had been available on Google Play in 2016 and was later removed, and the trojanized build was distributed outside the official store. The C2 server was still live at the time of the analysis, and the first sample had been submitted to VirusTotal from Russia, with most subsequent scans coming from Israel. In October 2019 Bitdefender reported a new variant embedded in a repackaged copy of the Psiphon VPN app and spread through third-party app stores, showing the framework remained in use a year after its discovery. Triout involves no CVEs (it relies on the user installing the repackaged app and granting permissions), and no named victims or law enforcement actions have been made public.
🔍 Detection Indicators
Package-name indicators reported for the 2018 sample include "com.video.player.sexgame" and "com.porn.play"; treat these as sample-specific, since the framework is re-bundled into different carrier apps over time (the 2019 variant used a repackaged Psiphon build). Behavioural indicators are more durable: an app that requests the combination of RECORD_AUDIO, CAMERA, READ_SMS, READ_CALL_LOG, READ_CONTACTS and fine location, holds device administrator rights, was not installed from Google Play, and has no launcher icon. Any one of these is common in legitimate software; the combination on a sideloaded app is the signal. Network indicators listed for the original infrastructure include HTTPS POST traffic to hosts under "gabbora.com" and "zarintol.com"; domain and IP IOCs from a 2018 report should be assumed stale and used for retrospective log searches rather than as the sole live-detection rule. No file hashes or mutex names have been widely published beyond the original report.
☠️ Risk & Impact
Triout enables full-device surveillance of the victim: recorded phone calls, intercepted SMS (including SMS-based two-factor authentication codes, which exposes the victim's online accounts as well as their communications), photos and videos, contacts, call history and location. The targets are individual Android users who install repackaged adult-themed, gaming or VPN apps from outside the official store. No financial losses or sector-specific impacts have been documented; the harm is the loss of privacy and of account security for the affected individuals.
🛡️ Mitigation
Individuals should keep "Install unknown apps" disabled for browsers and messaging apps, install only from Google Play with Play Protect enabled, and refuse device administrator requests from apps that have no management purpose. Because Triout hides its icon, review the full installed-apps list and the device-admin list in Settings rather than the launcher; an app you do not recognise that holds device administrator rights should be deactivated as an administrator and then uninstalled. Organisations can enforce these settings through managed device policy (blocking sideloading on corporate devices), deploy a mobile threat defense (MTD) product that scores apps on permission and installer anomalies, and add the published package names and C2 domains to MTD, DNS and proxy blocklists, remembering that the domain IOCs date from the original 2018 report.
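A practitioner's first question is how to find this on a fleet, given that the carrier app and the C2 domains change between variants. The following Python triage script is an added example, not code from Bitdefender's report or from the Triout sample. It parses a constructed, simplified inventory in the style of `adb shell dumpsys package` output (the `deviceAdmin=` line is an assumption for the sake of the example; on a real device that information comes from `dumpsys device_policy`), scores each app on the permission combination described under Detection Indicators, flags device administrator rights held by a sideloaded app, and matches proxy-log CONNECT lines against the C2 domains listed there. The package names and domains are the ones this page lists; the installer values, the third app and the log lines are constructed for illustration. Replace the IOC sets with current ones before use.

```python
"""Triage an Android app inventory and proxy log for Triout-style surveillance apps.

Added example. INVENTORY mimics the relevant fields of `dumpsys package`
output; the deviceAdmin= line is an assumption (real devices report admins
via `dumpsys device_policy`). PROXY_LOG is a constructed "time client
method host:port" log. IOC values come from the page; replace before use.
"""
import re
from dataclasses import dataclass, field

# Permissions that, taken together, give an app full-device surveillance.
SURVEILLANCE_PERMS = {
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
}
TRUSTED_INSTALLERS = {"com.android.vending"}          # Google Play
IOC_PACKAGES = {"com.video.player.sexgame", "com.porn.play"}   # from the page
IOC_DOMAINS = {"gabbora.com", "zarintol.com"}                  # from the page

# Constructed inventory: one clean store app, one Triout-like app, one
# sideloaded app that only holds device admin rights.
INVENTORY = """\
Package [com.android.chrome]:
  installerPackageName=com.android.vending
  requested permissions:
    android.permission.INTERNET
    android.permission.CAMERA
    android.permission.ACCESS_FINE_LOCATION
Package [com.video.player.sexgame]:
  installerPackageName=null
  deviceAdmin=true
  requested permissions:
    android.permission.INTERNET
    android.permission.RECORD_AUDIO
    android.permission.CAMERA
    android.permission.READ_SMS
    android.permission.RECEIVE_SMS
    android.permission.READ_CALL_LOG
    android.permission.READ_CONTACTS
    android.permission.ACCESS_FINE_LOCATION
Package [com.example.flashlight]:
  installerPackageName=null
  deviceAdmin=true
  requested permissions:
    android.permission.INTERNET
"""

# Constructed proxy log; only CONNECT lines with a host:port target.
PROXY_LOG = """\
1534780001.120 10.0.0.15 CONNECT gabbora.com:443
1534780002.411 10.0.0.21 CONNECT www.google.com:443
1534780003.009 10.0.0.15 CONNECT api.zarintol.com:443
"""


@dataclass
class AppRecord:
    package: str
    installer: str
    permissions: set
    device_admin: bool
    reasons: list = field(default_factory=list)


def parse_inventory(text):
    """Split the dump into per-package blocks and pull out the fields we score on."""
    apps = []
    for block in re.split(r"\n(?=Package \[)", text.strip()):
        m = re.match(r"Package \[([\w.]+)\]", block)
        if not m:
            continue
        inst = re.search(r"installerPackageName=(\S+)", block)
        perms = set(re.findall(r"^\s+(android\.permission\.[A-Z_]+)", block, re.M))
        admin = "deviceAdmin=true" in block
        apps.append(AppRecord(m.group(1), inst.group(1) if inst else "unknown", perms, admin))
    return apps


def triage(apps, ioc_packages, min_perm_hits=3):
    """Return the apps that match an IOC or the behavioural profile, with reasons."""
    for app in apps:
        app.reasons = []
        if app.package in ioc_packages:
            app.reasons.append("package name matches published IOC")
        hits = app.permissions & SURVEILLANCE_PERMS
        if len(hits) >= min_perm_hits:
            app.reasons.append(f"{len(hits)} surveillance permissions: {sorted(hits)}")
        if app.device_admin and app.installer not in TRUSTED_INSTALLERS:
            app.reasons.append("device administrator granted to a sideloaded app")
    return [a for a in apps if a.reasons]


def c2_hits(proxy_log, ioc_domains):
    """Return (client, host) pairs for CONNECTs to an IOC domain or a subdomain of one."""
    found = []
    for line in proxy_log.strip().splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[2] != "CONNECT":
            continue
        client, host = parts[1], parts[3].split(":")[0]
        if any(host == d or host.endswith("." + d) for d in ioc_domains):
            found.append((client, host))
    return found


if __name__ == "__main__":
    for app in triage(parse_inventory(INVENTORY), IOC_PACKAGES):
        print(app.package, "->", "; ".join(app.reasons))
    for client, host in c2_hits(PROXY_LOG, IOC_DOMAINS):
        print(f"{client} contacted C2 host {host}")
```

The flashlight app is flagged on device admin alone, which is the right call for a sideloaded app but would be noisy if applied to Play Store installs; that is why the installer check is part of the rule rather than a separate one. The 2019 Psiphon variant would not match any package-name IOC from 2018, but it would still score on the permission and installer rules.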
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.