November 16, 2017

Tropic Trooper Goes Mobile With Titan Surveillanceware

Businessman holding phone with webcam observing him.
Platform(s) Affected
Discovered By
Entry Type
Threat Summary
Threat Type
Platform(s) Affected
Threat Summary

Lookout researchers have recently observed cybercriminals evolving the way they operate to reflect the multitude of platforms people now use to access information: you may read and triage email on a smartphone, switch to a laptop to crank out some work, then flip over to a tablet to catch up on social media or watch a video. To the attackers, it's a numbers game. The more devices they can reach, the more likely they are to compromise a target. Given the rise of mobile productivity, this means that we are seeing a growing number of attackers add mobile capabilities to their toolkits.

The latest threat to follow this trend is Titan, a family of sophisticated Android surveillanceware apps surfaced by Lookout's automated analysis that, based on command and control infrastructure, is linked to the same actors behind Operation Tropic Trooper. Tropic Trooper is a long running campaign, first reported in 2016, that executed targeted desktop attacks against enterprises and military units in Taiwan and the Philippines. All Lookout customers are protected from Titan.


Titan usually comes with busybox and various native libraries that provide a range of functionality, from automated gathering of a user's data to being able to execute attacker specified instructions as superuser. Over time, Titan has evolved considerably with a distinct trend of malicious code shifting first from Java to native libraries, then moving into second stage components. Analysis of Titan variants found that they contained the following capabilities:

  • Retrieve call history
  • Retrieve text messages
  • Retrieve contact information
  • Retrieve a list of Installed packages
  • Track device location
  • Take a photo with the device camera when a user is first present or when instructed by an attacker
  • Record all calls or only calls to attacker specified numbers
  • Block text messages to attacker specified numbers
  • Take a screenshot
  • Send a text message
  • Execute attacker specified commands as root
  • Upload specific files
  • Download attacker specified files

Titan hasn't been seen to trojanize legitimate applications and doesn't contain any legitimate functionality. The authors of Titan have instead opted to simply use the icon of a legitimate app. Application icons used included:

  • Zalo - a vietnamese Messaging Application,
  • 91 - an unofficial Chinese App Store that was bought by Baidu in 2013 for 1.9 billion,
  • YY - a popular Chinese social network,
  • Renren - formerly Xiaonei Network, this is a social network primarily used by Chinese college students,
  • 58 - an online Chinese marketplace,
  • WeChat - a popular Chinese messaging app, and
  • FloatingMenu - an application for handling shortcuts and gestures.


Several domains and IP addresses associated to this family are no longer live however further research is being conducted into which, at the time of writing, is live, running PHP, and exposing information that may provide additional leads. Some Titan variants have been seen to iterate through a list of possible command and control servers when beaconing out. Domains and IPs that Titan has, or is currently, using are listed below.

Domain / IP


3350 or 3351

3350 or 3351

3350 or 3351






As a family that is actively being improved, and given its links to targeted attacks against enterprises and defense institutions, Lookout is continuing to track Titan variants, associated server infrastructure, and geographical regions where they're being deployed.



Want to learn more about threats like Titan and our Threat Advisory services? Contact Lookout today.

Colleagues standing in an open meeting area and sharing a humorous moment

Stop Cyberattacks Before They Start With Industry-Leading Threat Intelligence.

Other Related Threats


September 19, 2023


Google released a patch for a new zero-day vulnerability in Chrome tracked as CVE-2023-4863, which CISA also listed in their database.

September 18, 2023

ASPL 2023-09-01 / CVE-2023-35674

September 20, 2023

Deblind Analyzed: Lookout Identifies and Dissects Android App Used by Russian Sandworm APT's Infamous Chisel Spyware Tooling