Research by: Aviran Hazum, Alex Shamshur, Raman Ladutska, Ohad Mana, Israel Wernik
Now more than ever, we rely on our smartphones to keep in touch with our work, our families and the world around us. There are over 3.5 billion smartphone users worldwide, and it is estimated that over 85% of those devices – around 3 billion – run the Android OS. Therefore, it is no surprise that criminals and threat actors are actively targeting this vast user base for their own malicious purposes, from trying to steal users’ data and credentials, to planting moneymaking malware, spyware or ransomware, and more. However, from the threat actors’ perspective, gaining a foothold on victims’ mobiles is an evolving challenge, because the built-in security features on some phones, and the controlled access to official app stores such as Google Play do offer a measure of protection to users. This means that would-be attackers have to develop new and innovative mobile infection vectors, and use and refine new skills and techniques to bypass security protections and place malicious apps in official app stores. Check Point Research (CPR) recently encountered a mastermind’s network of Android mobile malware development on the dark net. This discovery piqued our interest, as it was extraordinary, even by dark net standards. CPR researchers decided to dig deeper to learn more about the threat actor behind the network, his products, and the business model behind malicious targeting of Android mobile devices.
Deep dive: Journey into the Dark Web
We tracked the activity of the threat actor, who goes by the nickname Triangulum, in several Darknet forums.
“Triangulum” in Latin means “triangle” and the term is commonly used in relation to the Triangulum galaxy which is a spiral galaxy located in the Triangulum constellation.
Just like the Triangulum galaxy, it is hard to spot the traces of the Triangulum actor. But once you do spot him, he’s relatively easy to follow.
: High level of social skills combined with a math background in trigonometry, integration and differentiation
: Approximately 25 years old
- 190cm tall
- had two tortoises as home pets back in 2017
- had a girlfriend back in 2017 (current marital status is unknown)
Preferable laptop models
: Lenovo, HP, Sony, Dell
In the past few years that Triangulum has been active in the dark corners of the internet, he has shown an impressive learning curve. Over a two-year period, he dedicated most of his time to evaluating the market needs and developing a merch network from scratch by maintaining partnerships, rooting investments and distributing malware to potential buyers.
Triangulum appears to have gotten started at the very beginning of 2017, when he joined the hack forums in the Darknet.
Triangulum initially exhibited some technical skills by reverse engineering malware, but at that point in time still seemed to be an amateur developer.
Triangulum also communicated with different users, trying to estimate the market value for different kind of malware.
On June 10, 2017, Triangulum provided a first glimpse of a product he developed by himself.
Figure 1. Triangulum teaser for the 1st version of his product.
This product was a mobile RAT that targeted Android devices, and was capable of exfiltrating sensitive data to a C&C server, as well as destroying local data, even deleting the entire OS.
As Triangulum moved on to marketing his product, he looked for investors and a partner to help him create a PoC to show off the RAT’s capabilities in all its glory.
Figure 2. Message from Triangulum suggesting investment in his product.
Figure 3. Looking for a partner.
On October 20, 2017, Triangulum offered his first malware for sale. After that, Triangulum vanished from the radar for a period of a year and a half, with no evident signs of activity in the Darknet.
Triangulum surfaced again on April 6, 2019, with another product for sale. From this point on, Triangulum became very active, advertising 4 different products within half a year. It appeared that Triangulum had spent his time off creating a well-functioning production line for developing and distribution malwares.
Maintaining the production and marketing of multiple products in such a short period of time is a tall order, which raised our suspicion that there was more than one actor behind this merch-network. It appeared that someone was helping Triangulum.
And indeed, after further digging, we observed evidence that indicated Triangulum was sharing his kingdom with another actor nicknamed HexaGoN Dev.
This co-operation seems to have risen from previous deals between the two, as in the past Triangulum purchased several projects created by HeXaGoN Dev, who specialized in developing Android OS malware products, RATs in particular.
Figure 4. In the past, Triangulum purchased a few projects created by HeXaGoN Dev.
Combining the programming skills of HeXaGon Dev together with the social marketing skills of Triangulum, these 2 actors posed a legitimate threat.
Figure 5. HeXaGoN Dev responding to one of Rogue’s customers on behalf of Triangulum.
Working together, Triangulum and HeXaGoN Dev produced and distributed multiple malwares for Android, including crypto miners, key loggers, and sophisticated P2P (Phone to Phone) MRATs.
Triangulum advertised his products on different Darknet forums, even using the services of a visual illustrator to design attractive and catchy info brochures for the products. This was a major improvement over his older advertising efforts that looked pretty amateurish.
Figure 6. Advertisement of a product for sale in 2017.
Figure 7. Advertisements of products for sale in 2019 (DarkShades) and 2020 (Rogue).
Despite the fact the malware was sold at affordable prices and with different subscription plans, apparently that wasn’t enough for the Triangulum team.
We observed some dirty marketing tricks from the actors. Once, HeXaGoN Dev pretended to be a potential buyer, and commented on one of Triangulum’s posts, promoting the product and praising the development in order to attract more customers.
Figure 8. Triangulum responds to HeXaGoN Dev’s comment which was designed to whip up interest on the buyers’ side.
It is interesting to note that the team doesn’t want to show demo videos of their products in action.
Figure 9. Triangulum explains that a demo video is unnecessary.
We’ve seen indications that Triangulum is obsessed with his reputation and cares about his popularity with the same level of thoroughness as he does about maximizing his profits.
He fanatically defends his products and tries to crush anyone brave enough to raise uncomfortable questions about or discredit his work.
Figure 10. Triangulum’s arguments in an online dispute.
Triangulum’s reputation allows him to be a respected member of the hacking society; he receives a lot of positive feedback and has a high status on his home forum.
Figure 11. Triangulum’s reputation on his home forum.
Of course, this helps his sales as well: when customers see someone who is a long-term member with many products behind him, together with positive feedback from other users and confident replies by the author, this makes them more inclined to make a purchase.
Figure 12. Feedback about Triangulum’s products from users.
Customers apparently flock to Triangulum, despite the lack of demo videos, as well as evidence of dirty marketing tricks and some other warning flags.
Learning through failure
However, as Triangulum soon learned, a good reputation on his home forum does not guarantee automatic success on others.
In April 2020, Triangulum attempted to spread his sales network to the Russian segment of the Darknet. He made a post offering one of his products for sale.
Figure 13. Post offering one of Triangulum’s products for sale.
Despite his previous reputation on his home forum, he didn’t receive a warm welcome here. Users were not ready to pay for the product without a demo video, especially to a relative unknown as he was on this new site. As he did previously, Triangulum stated that he didn’t feel it necessary to provide demo videos.
Figure 14. Triangulum suggesting buying instead of trying.
After several other increasingly acrimonious posts, the topic was closed with the resolution “Topic-author could not be trusted” with a suggestion to attempt to gain users’ trust. All of this transpired within a period of just 5 days after the topic was opened.
Figure 15. Triangulum sales didn’t even get a start on the Russian Darknet forum.
What worked well in Triangulum’s home forum didn’t stand a chance in the Russian segment. Triangulum clearly took this lesson to heart, as we have not observed any activity in other Darknet segments since then. Instead of adjusting to customer demands, he stuck to his scheme of what had worked previously, and didn’t want to change it even slightly.
After years of efforts which included trying different marketing techniques that involved authentic sales manipulations, HeXaGoN and Triangulum were now ready to present their latest creation, crown jewel – Rogue.
Dissecting the impostor: Taking a peek at the Rogue malware
The Rogue malware family is an MRAT. This type of malware can gain control over the host device and exfiltrate any kind of data (photos, location, contacts, messages, etc.), modify the files on the device, download additional payloads and basically anything else that comes to mind.
Inside the Rogue package, we found two main components. One was what appeared to be DarkShades malware, and the other one was Hawkshaw. What’s so interesting here is that neither of them initially belonged to Triangulum.
DarkShades was originally sold in the Darknet by HeXaGoN in August 2019.
Figure 16. DarkShades sold by HeXaGoN.
The DarkShades project was officially sold to Triangulum 3 days after the initial sales began, and a new sales thread was created, this time by Triangulum himself.
Figure 17. DarkShades sold by Triangulum.
What Triangulum did was to embellish the advertisement (see figure 7, to the left) compared to the original one.
Figure 18. DarkShades as originally advertised by HeXaGoN.
DarkShades was not the original product developed, as indicated by the name of its main package (“com.cosmos”) which is a direct link to another product sold by HeXaGoN earlier that year: Cosmos RAT.
Figure 19. Cosmos RAT advertisement; this malware was offered for sale by HeXaGoN.
Interestingly enough, this malware was not acquired to be re-sold by Triangulum. Given the fact how methodically he re-sold other HeXaGoN products, this gap is likely due to DarkShades being a superior successor to Cosmos. Thus, re-sale of Cosmos was unnecessary.
Regarding Hawkshaw, its malware source code was leaked in 2017 and is available on the web ever since. The version that we discovered inside the Rogue package is “v.1.17”.
A summary of Rogue’s genealogic tree is shown in the diagram below:
Figure 20. Rogue malware origins.
Rogue appears to be the latest iteration in malware developed and maintained by HeXaGoN and Triangulum. However, we cannot call it an entirely new malware family. Rather, it’s the combined version of the Cosmos and Hawkshaw malware families. We also have to add that Triangulum didn’t develop his creation from scratch, but took what was available from both worlds, open-source and the Darknet, and united these components.
Let’s take a look at what the Rogue package has under the hood.
When Rogue successfully gains all of the required permissions (if all of the required permissions are not granted, it will repeatedly ask the user to grant the missing permissions), it hides its icon as a camouflage defense, making sure it will not be easy to get rid of it.
The malware then registers as a device administrator. If the user tries to revoke the admin permission, an onscreen message designed to strike terror in the heart of the user appears: “Are you sure to wipe all the data??”
In addition, by comparing specific pre-defined values to ones given by the system, Rogue can detect a virtual environment, which may lead to a delay\abort of its malicious intentions.
Figure 21. The malware hides its icon.
The Rogue malware family adopted the services of the Firebase platform to disguise its malicious intentions and masquerade as a legitimate Google service.
Rogue uses Firebase’s services as a C&C (command and control) server, which means that all of the commands that control the malware and all of the information stolen by the malware is delivered using Firebase’s infrastructure.
Google Firebase incorporates a dozen of services to help developers create mobile and web applications. The Rogue malware uses the following ones:
“Cloud Messaging” to receive commands from the C&C.
“Realtime Database” to upload data from the device.
“Cloud Firestore” to upload files.
There are multiple types of Firebase accounts hidden in the code of the Rogue malware:
In addition, depending on the value of the field “APP_VERSION” in the malware’s manifest file, Rogue can run on “MINIMUM” configuration, which as the configuration name suggest, is designed to draw the minimum amount of attention.
Below is the full list of commands and capabilities that can be executed by the Rogue malware:
Add current location and current timestamp to the Firebase Database.
SMS messages and the current timestamp are added to the Firebase Database.
Application initiates a phone call to a provided phone number. If there is no phone number provided, the call goes to “+91987654321”. The number “+91987654321” seems to be a defafult value for command, however it is not a coincidence that it begins with India’s country code (91).
Make thumbnails of an album with its name and upload thumbnails to the Firebase Cloud Store. A list of uploaded thumbnails is stored in the Firebase Database.
Removes records from the provided type of call-log.
Store a list of directories by a provided path in the Firebase Database.
Starts recording from selected cameras and for a provided duration. The video is recorded to a local file. After recording, the video-file is uploaded to the Firebase Cloud Store.
Installs an application from a provided URL.
Upload messages collected from chat programs to the Firebase Database.
Downloads a file from a provided URL to a provided local path.
Activates the device admin permission for an application.
Launches an application with a provided name.
Uploads all contacts to the Firebase Database.
Uploads call logs to the Firebase Database.
Executes a shell command. The output of the command is stored in the Firebase Database.
Takes a photo from a selected camera (back or front) and uploads the photo to the Firebase Cloud Store.
Deletes a file or directory per the provided path.
downloadFile / uploadFile
Uploads a file by a provided path to the Firebase Cloud Store.
Sends a custom SMS message to a specified number.
Records a video of the device’s screen. The video is recorded to a local file. After recording, the video-file is uploaded to the Firebase Cloud Store.
Deletes a specified contact.
Updates the local list of call blocked numbers with a list from the Firebase Database.
Takes a screenshot of the current screen. The screenshot is uploaded to the Firebase Cloud Store.
Starts recording from a microphone for a provided duration. The audio is recorded to a local file. After recording, the audio-file is uploaded to the Firebase Cloud Store.
Collects information about the device: • Phone number • Network provider • Username • List of device user accounts • SDK version • User-visible version string • Device serial number • Device name, brand, board, manufacturer • IMEI • Battery level • Network connection status • WiFi connection information, DHCP status • WiFi scan results with available Access Points • IPv4 and IPv6 addresses
The information is stored in the Firebase Database.
Cancels the execution of a scheduled pending command.
Gets statistics of the device’s applications usage.
The following fields are sent to the C&C server: • Package name • Foreground time • Timestamp of first time used • Timestamp of last time used
System applications are eliminated from the statistics.
The information is stored in the Firebase Database.
Stores the current timestamp and list of installed applications in the Firebase Database.
Deletes files from the device by a provided path.
Opens the Chrome browser and navigates to a specific URL.
Zips files in a specified path. The resulting zip-file is uploaded to the Firebase Cloud Store.
Creates a new contact.
Attempts to log back into the Firebase account with a provided email and password.
Dumps all scheduled tasks into a log and uploads it to the C&C server.
Similar to “cancelScheduledCommand” but for all pending commands.
Adds a new record to the call log with a provided number, the duration, date, and the type of the call.
Updates the token that is used for the Firebase service.
Uninstalls application by a provided package name.
Removes saved sniffed IM messages from applications in the local database. It is possible to remove all messages or only messages that belong to one of the sniffed applications (e.g. “com.whatsapp”).
Starts a scheduler for executing jobs scheduled by the “scheduleCommand” command.
Like many other malicious applications, Rogue can adapt the accessibility service to suit its own needs.
The Android accessibility service is the OS assistive service that is used to mimic the user’s screen clicks and has the ability to automate user interactions with the device.
Some malwares, Rogue among them, use the accessibility service as the Achilles Heel in Android’s defensive armor to get around OS security restrictions.
Rogue uses the accessibility service for logging and documenting the user’s actions and to upload the collected data to the cloud C&C server.
Rogue logs the following user actions:
Figure 22. Rogue uploads the documented data.
In addition, the malware registers its own notification service which is used to sniff every notification that pops up on the infected device.
Every notification that is triggered after the implantation of the service, is being saved to a local predetermined database and will later be uploaded to the Firebase Database.
The malware saves multiple types of notifications and parses them by splitting each notification into these fields:
However, notifications from the following list, which usually contain more sensitive and higher value data, are parsed separately:
Figure 23. Rogue saves the notifications.
Rogue also maintains a “Block List” for phone numbers. The malware can choose which numbers are in this list, and if it detects an incoming or an outgoing call to one of these numbers, it drops the call.
This is done by registering a call receiver called “me.hawkshaw.receiver.CallReceiver” that later uses the “CallBlock” handler to block a certain call.
Figure 24. Rogue registers the call receiver.
On the other hand, when accepting calls, Rogue can record each and every call, incoming or outgoing, and leak it to the Firebase Cloud Store.
Figure 25. Rogue listens to every call.
Current state of affairs
In April 2020, the Rogue RAT package was leaked on one of the Darknet forums.
It’s reasonable to assume that the leakage could majorly affect Triangulum’s sales. However, it turns out that the reputation forged on his home Darknet forum does speak for itself; even after the leakage, Triangulum’s team still receives messages on his home Darknet forum from interested customers.
Figure 26. Message on September 14, 2020 from an interested customer.
In fact, at the time this report was written, Triangulum is still active and expanding his customer network. Despite all the obstacles and some failures (like an unsuccessful attempt to start sales in the Russian Darknet segment) along the way, together with HeXaGoN he still distributes malware products through his home Darknet forum.
The Rogue malware and the story behind it is the perfect example of how mobile devices are exploited.
Just like with Rogue malware, other threat actors are practicing and learning, sometimes for years, till they are ready to apply their knowledge as effectively as they can, in either malware development or malware sales.
Triangulum shows would-be threat actors that you don’t have to invent new malware every time you want to offer a new product for sale. Instead, you can apply your soft skills in marketing to build up and maintain a sales reputation, and create catchy advertisement and different names for a product that appears to be another version of what already exists.
We leave it as an exercise to the reader to compare the two brochures with advertisements of DarkShades and Rogue (see figure 7), and find the differences between them.
A lesson to draw here is that threat actors have created a reality in which we cannot be complacent. We must stay constantly vigilant for threats that are lurking around the corner and understand how to protect ourselves from them.
In any case, if you’re stepping into this arena, you’d better come prepared.
In this research, CPR uncovered a fully active market that sells malicious mobile malware, living and flourishing on the dark net and other related web forums.
Similar to Triangulum, other threat actors are perfecting their craft and selling mobile malware across the dark Web – so we need to stay vigilant for new threats that are lurking around the corner and understand how to protect ourselves from them.
Stay Protected From Mobile Threats
Check Point SandBlast Mobile is the market-leading Mobile Threat Defense (MTD) solution, providing the widest range of capabilities to help you secure your mobile workforce.
SandBlast Mobile provides protection for all mobile vectors of attack, including the download of malicious applications and applications with malware embedded in them.