Tuesday, April 16, 2024

Watch out for this malware: Russian spy app discovered that captures and sees everything

Experts have identified a malicious application called Process Manager that acts as spyware for Android and transmits information to hackers.



A previously unknown piece of Android malware has been linked to the Russian hacking group Turla after researchers found that the application communicates with infrastructure previously attributed to that group.

Who is Turla?

Turla is a state-backed Russian hacking group known for using custom malware to target European and American systems, primarily for espionage. Turla was recently linked, on the basis of code overlaps, to the Sunburst backdoor used in the SolarWinds supply-chain attack disclosed in December 2020.




Experts from Lab52, the threat intelligence division of the international cyber security company S2 Grupo, have identified a malicious application called Process Manager that acts as Android spyware and transmits the information it collects to its operators. Although it is not clear how the spyware is distributed, once installed, Process Manager tries to hide on the Android device by using a gear-shaped icon, pretending to be a component of the operating system.

After the first launch, the application asks the user to grant the following 18 permissions (the standard Android permission names are given in parentheses):

– Access coarse location (ACCESS_COARSE_LOCATION)
– Access fine location (ACCESS_FINE_LOCATION)
– Access network state (ACCESS_NETWORK_STATE)
– Access Wi-Fi state (ACCESS_WIFI_STATE)
– Camera (CAMERA)
– Foreground service (FOREGROUND_SERVICE)
– Internet (INTERNET)
– Modify audio settings (MODIFY_AUDIO_SETTINGS)
– Read call log (READ_CALL_LOG)
– Read contacts (READ_CONTACTS)
– Read external storage (READ_EXTERNAL_STORAGE)
– Write external storage (WRITE_EXTERNAL_STORAGE)
– Read phone state (READ_PHONE_STATE)
– Read SMS messages (READ_SMS)
– Receive boot completed (RECEIVE_BOOT_COMPLETED): a broadcast delivered to applications once the system has finished booting, which lets the app start itself again after every reboot
– Record audio (RECORD_AUDIO)
– Send SMS messages (SEND_SMS)
– Wake lock (WAKE_LOCK): keeps the device from sleeping while the app is working
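A permission set like the one above is itself a usable triage signal. The script below is an added example, not code from Lab52 or from the article: it parses a decoded AndroidManifest.xml (the manifest inside an APK is binary XML and must first be decoded, for instance with apktool), collects the requested permissions, compares them with the profile above and flags manifests that combine several surveillance permissions with network access. The permission constants are the standard Android names corresponding to the list above; the threshold of three surveillance permissions and the two sample manifests are constructed assumptions for this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# The 18 permissions listed for the Process Manager sample, as Android constants.
PROCESS_MANAGER_PROFILE = frozenset({
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.ACCESS_WIFI_STATE",
    "android.permission.CAMERA",
    "android.permission.FOREGROUND_SERVICE",
    "android.permission.INTERNET",
    "android.permission.MODIFY_AUDIO_SETTINGS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.RECORD_AUDIO",
    "android.permission.SEND_SMS",
    "android.permission.WAKE_LOCK",
})

# Subset that directly enables surveillance of the user. A legitimate app
# rarely needs more than one or two of these at the same time.
SURVEILLANCE = frozenset({
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS",
})

# Assumption for this example, not a figure from the Lab52 report.
SURVEILLANCE_THRESHOLD = 3


def manifest_permissions(manifest_xml: str) -> set[str]:
    """Return the android:name values of all <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {
        elem.get(NAME_ATTR)
        for elem in root.iter("uses-permission")
        if elem.get(NAME_ATTR)
    }


def triage(manifest_xml: str) -> dict:
    """Score a decoded manifest against the spyware permission profile."""
    perms = manifest_permissions(manifest_xml)
    surveillance_hits = sorted(perms & SURVEILLANCE)
    has_network = "android.permission.INTERNET" in perms
    persists = "android.permission.RECEIVE_BOOT_COMPLETED" in perms
    # Surveillance data is only useful to an attacker if it can leave the device.
    suspicious = has_network and len(surveillance_hits) >= SURVEILLANCE_THRESHOLD
    return {
        "permission_count": len(perms),
        "profile_overlap": len(perms & PROCESS_MANAGER_PROFILE),
        "surveillance_hits": surveillance_hits,
        "exfil_capable": has_network,
        "boot_persistence": persists,
        "verdict": "suspicious" if suspicious else "benign-looking",
    }


def build_manifest(package: str, perms) -> str:
    """Build a minimal AndroidManifest.xml; constructed test data, not a real app."""
    uses = "".join(f'    <uses-permission android:name="{p}"/>\n' for p in sorted(perms))
    return (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        f'<manifest xmlns:android="{ANDROID_NS}" package="{package}">\n'
        f"{uses}"
        "    <application/>\n"
        "</manifest>\n"
    )


# Constructed samples: one mimicking the spyware profile, one a plausible flashlight app.
SPYWARE_LIKE = build_manifest("com.example.processmanager", PROCESS_MANAGER_PROFILE)
FLASHLIGHT = build_manifest("com.example.flashlight", {
    "android.permission.CAMERA",                # needed to drive the flash LED
    "android.permission.INTERNET",              # ad network
    "android.permission.ACCESS_NETWORK_STATE",
})

if __name__ == "__main__":
    for label, manifest in (("spyware-like", SPYWARE_LIKE), ("flashlight", FLASHLIGHT)):
        print(label, triage(manifest))
```

The verdict is deliberately coarse: it will also flag legitimate messaging or family-tracking apps, so treat it as a reason to look at the APK, not as a conviction. The profile_overlap count is the more specific indicator for this particular sample.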


After obtaining the permissions, the icon disappears
It is not clear whether the malware abuses the Android accessibility service to grant itself the permissions or simply tricks the user into approving the requests. After obtaining the permissions, the spyware removes its icon and runs in the background, with only a persistent notification indicating its presence.

This is rather unusual for spyware, which normally tries to stay hidden from the victim, especially when it is the work of a sophisticated advanced persistent threat (APT) group. One likely explanation is the foreground service permission in the list above: Android requires a foreground service to show a persistent notification, so the app trades visibility for resistance to being killed in the background.

The information collected from the device, including lists, logs, SMS messages, recordings and event notifications, is sent in JSON format to a command-and-control server at 82.146.35[.]240.



The distribution method of the application itself is unknown, but if the operator really is Turla, the group usually relies on social engineering, phishing and similar attacks, so any of these delivery methods is possible.

These permissions pose a serious privacy risk, as they let the malware obtain the device's location, send and read text messages, access storage, take photos with the camera and record audio.

While researching the application, the Lab52 team also discovered that it downloads additional payloads to the device, and found one case of an application fetched directly from the Google Play Store.

The app is called “Roz Dhan: Make Money in Your Wallet” and is very popular, with 10,000,000 downloads; it contains a referral system for earning money.

The spyware reportedly downloads the Android package (APK) through the app's referral system, probably to earn a commission, which is odd for a group focused on cyber espionage. Such tactics can, however, help to cover tracks and confuse analysts.







