New Russian Android Malware Tracks GPS Location and Spies on Victims

New Russian Android Malware Tracks GPS Location and Spies on Victims

The culprit behind this malware is Turla, a Russia State-Sponsored group known for previous high-profile malware attacks against European and American targets.

Lab52 researchers have shared details of Russian malware targeting Android smartphone users. This dangerous spyware can read text messages, listen to calls, and even record your conversations by exploiting the device’s microphone. 

The computer security researchers at Lab52 reported that the new malware targets the Android OS and was developed in Russia. Researchers noted that this previously undocumented Android malware masquerades as a system application “Process Manager,” apart from collecting a trove of data. It spreads on the web via harmless-looking APK files and is hidden inside the code of Process Manager.

New Russian Android Malware Tracks GPS Location and Spies on Victims

Russian State-Sponsored Group Connection

This newly identified malware is connected to a Russian state-sponsored hacking group known as Turla. The group has a reputation for using custom malware, and its key targets are European and American devices.

The group typically engages in spying activities and was recently tied to the Sunburst backdoor used in 2020’s devastating SolarWinds attacks. Moreover, in 2017, Slovak internet security company ESET found that the Turla group was using the comment section of Britney Spears’s Instagram posts to control their malware.

In 2017, Kaspersky Labs published a report in which the cybersecurity giant accused the Russian government-backed hacking groups, precisely Turla, of hijacking vulnerable commercial satellite communications, using hidden receiving stations in Africa and the Middle East.

As for the ongoing malware campaign, According to researchers, it isn’t yet clear how cybercriminals distribute malicious APKs to users. Possibly, threat actors like Turla prefer to use phishing tactics and social engineering attacks to install malicious malware on devices.

How does it Target Users?

Once it is installed on a device, the app disguises itself into a gear-shaped icon to appear as a system component and avoid generating suspicion. Given its connection with the Process Manager, the app gets mistaken as a part of the Android ecosystem.

After its first launch, the app requests the user for 18 permissions, including access to the camera, location, SMS, call logs, and the ability to write and read to storage. Process Manager provides extensive information about the device and its owner when these permissions are granted.

In a blog post, Lab52 researchers explained that it isn’t clear whether this app exploits the Android Accessibility Service to get these permissions or tricks the user into granting them. When the malware acquires these permissions, it first removes the icon. It keeps running in the background, but, strangely, it notifies the user that the app is running, which is contrary to how spyware usually operates.

Protect Your Privacy

The malware also installs additional apps, including a popular money-earning app called Roz Dhan: Earn Wallet Cash. The malware asks for permission to access the device’s location and GPS data, Wi-Fi data, text messages and phone calls, nearby networks information, audio settings, and contact list while granting itself the permission of activating the phone’s camera and microphone without the user’s knowledge.

The data is then transmitted to a remote server in Russia. Hence, to protect your privacy, check the Permission Manager in your phone’s Settings app and revoke permissions for all those apps you don’t trust or that appear shady. Nevertheless, avoid downloading apps from third-party stores.

More Russian Cyber Attack News

  1. Top US Federal Agencies Hacked by Russian Hackers – Report
  2. DDoS Attack and Data Wiper Malware hit Computers in Ukraine
  3. Russian hackers targeted 40 agencies including US Nuclear Agency
  4. Russian hacker jailed in the US over $19M fraud, 100M users’ data theft
  5. Musk confirms Russian hacker tried hiring Tesla worker for malware attack

Related Posts