There are over 3,5 billion smartphone users worldwide, and it is estimated that over 85% of those devices – around three billion – run the Android OS. So it’s no surprise that criminals and threat actors are actively targeting this vast user base for their own malicious purposes, from trying to steal users’ data and credentials, to planting money-making malware, spyware,  ransomware, and more.

Check Point Research (CPR) recently encountered a mastermind’s network of Android mobile malware development on the dark net. This discovery piqued our interest as it was extraordinary, even by dark net standards. CPR researchers decided to dig deeper to learn more about the threat actor behind the network, his products and the business model behind malicious targeting of Android mobile devices.

A journey into the dark net

We tracked the activity of the threat actor, who goes by the nickname “Triangulum”, in several dark net forums. “Triangulum” in Latin means “triangle” — and the term is commonly used in relation to the Triangulum galaxy, nearly three million light years from Earth. Just as it is hard to find the Triangulum galaxy in the night sky, it’s hard to find traces of the Triangulum actor’s work. However, we soon discovered that once you do spot him, he is relatively easy to follow.

Over the past two years, Triangulum has demonstrated an impressive learning curve. He has evaluated the needs of the market, developed a network of partnerships, made investments and distributed malware to potential buyers. Triangulum started his journey at the beginning of 2017 by joining hack forums on the dark net. Initially, Triangulum exhibited some technical skills by reverse engineering malware, but closer analysis of these initial efforts revealed him to be an amateur developer.

Debut product “launch”

On June 10 2017, Triangulum provided us with the first glimpse of a product he developed a mobile RAT (remote access trojan), targeting Android devices and capable of exfiltration of sensitive data from a C&C (command and control) server, destroying local data – even deleting the entire OS, at times.

Four months later, Triangulum offered his first malware for sale. He then vanished for approximately a year and a half, with no evident signs of activity on the dark net, only to re-surface on April 6 2019 with another product for sale. From this point on, he has been very active, advertising different products over a six-month span. It appeared that Triangulum created a high-functioning production line for the development and distribution of malware during his time away from the dark net.

Partners in (mobile) crime

Further investigation found evidence that Triangulum was collaborating with another threat actor named “HexaGoN Dev”, who specialised in the development of Android OS malware products – in particular RATs.

In the past, Triangulum had purchased several projects created by HeXaGoN Dev. The combination of HeXaGon Dev’s programming skills and Triangulum’s social marketing skills clearly posed a legitimate threat. Triangulum and HeXaGoN Dev produced and distributed multiple malware variants for Android, including crypto miners, keyloggers and sophisticated P2P (phone to phone) MRATs.

Introducing a brand new malware – “Rogue”

Triangulum and HeXaGoN Dev then collaborated to create and introduce the Rogue malware to the dark net. Rogue is part of the MRAT family (Mobile Remote Access Trojan). This type of malware can gain control over the host device and exfiltrate any kind of data, such as photos, location, contacts and messages, to modify the files on the device and download additional malicious payloads.

When Rogue successfully gains all of the required permissions on the targeted device, it hides its icon from the device’s user to ensure it will not be easy to get rid of it. If all of the required permissions are not granted, it will repeatedly ask the user to grant them.

The malware then registers as a device administrator. If the user tries to revoke the admin permission, an onscreen message designed to strike terror in the heart of the user appears: “Are you sure to wipe all the data?”

Rogue adopts the services of the Firebase platform, a Google service for apps, to disguise its malicious intentions and masquerade as a legitimate Google service. It uses Firebase’s services as a C&C server, so that all of the commands that control the malware and all of the information stolen by the malware are delivered using Firebase’s infrastructure. Google Firebase incorporates dozens of services to help developers create mobile and web applications.

The Rogue malware uses the following:

• “Cloud Messaging” to receive commands from the C&C
• “Realtime Database” to upload data from the device
• “Cloud Firestore” to upload files.

Conclusion

In this research, CPR uncovered a fully active market that sells malicious mobile malware, living and flourishing on the dark net and other related web forums. The story of the Rogue malware is an example of how mobile devices can be exploited. Similar to Triangulum, other threat actors are perfecting their craft and selling mobile malware across the dark web – so we need to stay vigilant for new threats that are lurking around the corner and understand how to protect ourselves from them.