Android App with Over 10 Million Downloads Has Nasty Spyware

In a bit of cruel irony, the Psiphon anti-censorship app for Android has been corrupted with a particularly nasty bit of spyware.

Credit: Marcos__Silva/Shutterstock

(Image credit: Marcos__Silva/Shutterstock)

Bitdefender researchers noted earlier this week that Triout spyware, which once embedded itself in porn apps, now comes hidden in versions of Psiphon available for download outside the official Google Play store.

As Psiphon is meant to be used by people in repressive countries who may not have full access to Google Play (such as China), it's essential that it be available in off-road app stores. You can also download it directly from the Psiphon website.

Fortunately, the hacked version of Psiphon is stuck for now at version number 91, while the legitimate app is up to version 241. Make sure your version matches or is close to that version number, and run and install Android antivirus software.

MORE: Best Privacy and Security Apps

The corrupted version of the Psiphon app looks and acts exactly like the real thing, however. Its abilities to evade blocks on internet access through encrypted communications and proxy servers seem to work just as well as the uncorrupted version.

Psiphon was created in 2006 by the University of Toronto's Citizen Lab as a tool to evade internet censorship. It routes internet traffic through its own proxy servers using virtual-private-network (VPN) and encryption software.

However, the Psiphon website notes that "Psiphon does not increase your online privacy, and should not be considered or used as an online security tool."

Triout, first detected last May, reads text messages, takes screenshots, copies photos and records phone calls, videos and GPS location from infected phones. It's not clear where Triout comes from, but most of its earliest victims were in Israel, while the latest batch are in South Korea and Germany.

Nor is it clear what exactly the people running Triout want. Spyware apps with such powerful capabilities are often part of state-sponsored espionage campaigns, but they usually target specific victims with malicious emails or by infecting websites known to be of interest to particular groups.

Triout's infection methods seem to be more scattershot. If you're targeting specific victims, you don't want to be drowned in useless information collected from thousands of unintended infections, so perhaps Triout is now being run by a criminal group just out to make money. The command-and-control servers receiving the information stolen by Triout have also changed, perhaps indicating that a new group has taken over.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.