ViceLeaker is Android spyware.

During the attacks, attackers distribute powerful Triout malware, capable of stealing virtually all information on a mobile device. Triout can be used as a framework to inject malicious code into legitimate applications.

ViceLeaker specifically targeting the Android users with sophisticated backdoor capabilities to Hijack camera, delete files, record audio and more.

This means it was a customized spyware program developed to extract sensitive data.

Apart from all the data that the ViceLeaker malware is capable of siphoning to the attackers’ server, it also can serve as a backdoor through which the cybercriminals can plant more malware on the corrupted device.

Kaspersky is comparing its structure to other malware that was being investigated by another antimalware vendor, Bitdefender named Triout.

According to a new report from Kaspersky Lab, ViceLeaker operators use the Baksmali an open-source tool to embed their code in official Android applications (a technique known as Smali injection).

According to experts, the main distribution of malicious applications is via the Telegram and WhatsApp messengers.

Based on the research done by Kaspersky Labs, the following commands are embedded in the “mutant” apk file that carries ViceLeaker espionage malware:

  • Send specified SMS message
  • Exfiltrate device info, such as phone model and OS version
  • Exfiltrate a list of all installed applications
  • Exfiltrate default browser history (limited to a given date)
  • Exfiltrate Chrome browser history (limited to a given date)
  • Exfiltrate memory card file structure
  • Record surrounding sound for 80 seconds
  • Exfiltrate all call logs
  • Exfiltrate all SMS messages
  • Upload a specific file from the device to the C2
  • Download file from specified URL and save on the device
  • Delete specified file
  • Commands not yet implemented
  • Take a photo (muted audio) with rear camera, send to C2
  • Take a photo (muted audio) with the front camera, send to C2

Kaspersky researchers hint that the attackers behind the ViceLeaker campaign plan to come up with new tools to disseminate the payload.

“The operation of ViceLeaker is still ongoing, as is our research. The attackers have taken down their communication channels and are probably looking for ways to assemble their tools in a different manner,” wrote the researchers. It is also believed that ViceLeaker creators are part of a worldwide web-oriented attack campaign.