In a classic case of cruel irony, the Psiphon anti-censorship app for Android has been corrupted with notorious spyware, according to Bitdefender researchers. The Triout spyware, which once embedded itself in porn apps, now comes concealed in various versions of Psiphon available for download outside the Google Play store.
With over 10 million downloads on the Play Store, Psiphon is mostly used by people in countries such as China where full access to Google Play is restricted. The worrying part is that the corrupted version of the Psiphon app looks and works exactly like the real thing.
Moreover, its ability to bypass blocks on internet access through proxy servers and encrypted communication methods seems to work the same way as in the uncorrupted version.
Created in 2006 by the University of Toronto’s Citizen Lab to bypass internet censorship, Psiphon routes internet traffic via its own proxy servers using a VPN (Virtual Private Network) and encryption software.
However, the Psiphon website mentions that “Psiphon does not enhance your online privacy, and should not be used or considered as an online security tool.”
The notorious Triout spyware can take screenshots, read text messages, and copy photos, phone calls, videos and GPS location data from infected phones. It is not clear where Triout originates, although most of its latest victims are in South Korea and Germany.
Speculation is rife that apps with such powerful capabilities are usually part of rival state-sponsored espionage campaigns that target specific groups of users or websites with malicious emails.
It is still unclear why Triout’s infection methods seem to be more scattershot: they target specific victims and also access “useless information” collected from thousands of unintended infections.
Incidentally, evidence suggests that the Triout spyware may now be run by a criminal group just to make money, since the command-and-control servers receiving the information stolen by Triout have changed.