Android malware vendor teams with marketer to promote new malware

Rogue malware can take over devices and exfiltrate data, warns researchers

Red skull and crossbones atop binary code

Security researchers have uncovered a scheme by a malware author to team up with a developer and marketer to promote a new type of Android malware called Rogue. 

According to a blog post by Check Point Research, Rogue can perform device takeover and data exfiltration,  and it’s for sale on the dark net. Triangulum, a dark net vendor, teamed up with HeXaGoN Dev to introduce the new malware.

Researchers said the first sign of Triangulum came in 2017, when it launched a mobile RAT capable of data exfiltration from C&C servers and deleting local data and, in some cases, entire operating systems. Four months later, Triangulum offered its first Android malware for sale.

Triangulum then disappeared for nearly 18 months and showed no signs of activity on the dark net. It then resurfaced on April 6, 2019 with a new product for sale. Researchers said that from this point on, Triangulum has been very active, advertising a number of products over the next six months.

Researchers speculate that during Triangulum’s hiatus from the dark net, it collaborated with another threat actor, HexaGoN Dev, to create a high-functioning production line for developing and distributing Android malware.

Rogue is part of the MRAT family (Mobile Remote Access Trojan), which gains control of the host device and exfiltrates any kind of data, modifies files on an Android device, and downloads additional malicious payloads. 

When Rogue successfully gains all the required permissions on the targeted device, it hides its icon from the device’s user to ensure it won’t be easy to get rid of it. If the user doesn’t grant all the required permissions, it’ll repeatedly ask.

HexaGoN Dev, which specializes in developing Android OS malware products, particularly RATs, partnered with Triangulum to help it sell its malware, which it’s struggled to do on its own. HexaGoN Dev helped Triangulum create different brandings for exactly the same product

“In the past, Triangulum had purchased several projects created by HeXaGoN Dev. The combination of HeXaGon Dev’s programming skills and Triangulum’s social marketing skills clearly posed a legitimate threat,” said researchers.

Yaniv Balmas, head of cyber research at Check Point, said research showed how difficult it is to track, classify, and protect against new malware in an effective way, because it’s easy for malware authors to create fake products, which may confuse security vendors.

“While we have ways of detecting such things in the real-world, the underground market is still like the wild west, which makes it very hard to quickly establish what is a real and dangerous threat and what isn’t,” he said.

Featured Resources

B2B under quarantine

Key B2C e-commerce features B2B need to adopt to survive

Download now

The top three IT pains of the new reality and how to solve them

Driving more resiliency with unified operations and service management

Download now

The five essentials from your endpoint security partner

Empower your MSP business to operate efficiently

Download now

How fashion retailers are redesigning their digital future

Fashion retail guide

Download now

Recommended

How to unroot Android
Google Android

How to unroot Android

27 Jul 2021
What is Maze Ransomware?
ransomware

What is Maze Ransomware?

22 Jul 2021
CISA warns of disguised malware on hacked Pulse Secure devices
malware

CISA warns of disguised malware on hacked Pulse Secure devices

22 Jul 2021
The five essentials from your endpoint security partner
Whitepaper

The five essentials from your endpoint security partner

22 Jul 2021

Most Popular

The benefits of workload optimisation
Sponsored

The benefits of workload optimisation

16 Jul 2021
Samsung Galaxy S21 5G review: A rose-tinted experience
Mobile Phones

Samsung Galaxy S21 5G review: A rose-tinted experience

14 Jul 2021
RMIT to be first Australian university to implement AWS supercomputing facility
high-performance computing (HPC)

RMIT to be first Australian university to implement AWS supercomputing facility

28 Jul 2021