A previously unknown Android malware has been linked to the Russian hacker group Turla after it was discovered that the application used infrastructure previously attributed to that group.
Who is Turla?
Turla is a state-backed Russian hacker group known for using custom malware to target European and American systems, primarily for espionage. Turla was recently linked to the Sunburst backdoor malware used in the attack on the SolarWinds supply chain in December 2020.
Experts from Lab52, the threat intelligence department of the international cyber security company S2 Grupo, have identified a malicious application called Process Manager that acts as Android spyware and transmits the collected information to the attackers. Although it is not clear how the spyware is distributed, once installed, Process Manager tries to hide itself on the Android device by using a gear icon, pretending to be a component of the operating system.
After the first launch, the application asks the user to grant it the following 18 permissions:
– Access to the location
– Access to the precise location
– Access network status
– WiFi access
– Change the audio settings
– Read the call log
– Read contacts
– Read external memory
– External memory
– Read phone status
– Read SMS messages
– Receive Boot Completed – a signal sent to applications during the boot process, indicating that the system has indeed rebooted
– Sound recording
– Sending SMS messages
– Wake lock
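The permission list above is what an app reviewer or mobile security team would look for in an APK's manifest. As an added example (not code from Lab52 or from the article), the following Python script parses an AndroidManifest.xml, maps the article's wording to the corresponding Android permission constants (that mapping, including reading "External memory" as WRITE_EXTERNAL_STORAGE and "Wake lock" as WAKE_LOCK, is this example's assumption), and flags an app whose permissions combine location, messaging, audio capture and boot persistence, the profile described in the article. The two manifests it scores are constructed samples, not real apps.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Android permission constants that, by this example's own reading, correspond to the
# permissions the article lists for Process Manager. "External memory" is taken to be
# WRITE_EXTERNAL_STORAGE and "Wake lock" to be WAKE_LOCK; both are assumptions.
ARTICLE_PERMISSIONS = {
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.ACCESS_WIFI_STATE",
    "android.permission.MODIFY_AUDIO_SETTINGS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.RECORD_AUDIO",
    "android.permission.SEND_SMS",
    "android.permission.WAKE_LOCK",
}

# Capability groups a reviewer cares about; an app holding all of the
# SURVEILLANCE_PROFILE groups at once looks like a surveillance tool, not a utility.
CAPABILITY_GROUPS = {
    "location": {"android.permission.ACCESS_COARSE_LOCATION",
                 "android.permission.ACCESS_FINE_LOCATION"},
    "messaging": {"android.permission.READ_SMS", "android.permission.SEND_SMS"},
    "audio": {"android.permission.RECORD_AUDIO"},
    "contacts_and_calls": {"android.permission.READ_CONTACTS",
                           "android.permission.READ_CALL_LOG"},
    "persistence": {"android.permission.RECEIVE_BOOT_COMPLETED",
                    "android.permission.WAKE_LOCK"},
}
SURVEILLANCE_PROFILE = {"location", "messaging", "audio", "persistence"}


def requested_permissions(manifest_xml: str) -> set:
    """Return the set of <uses-permission android:name=...> values in a manifest."""
    root = ET.fromstring(manifest_xml)
    # <uses-permission> itself is unprefixed; only the android:name attribute is namespaced.
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}


def assess_manifest(manifest_xml: str) -> dict:
    """Score a manifest against the permission set described in the article."""
    perms = requested_permissions(manifest_xml)
    groups = {g for g, members in CAPABILITY_GROUPS.items() if perms & members}
    return {
        "requested": len(perms),
        "overlap_with_article_list": len(perms & ARTICLE_PERMISSIONS),
        "capability_groups": sorted(groups),
        "surveillance_profile": SURVEILLANCE_PROFILE <= groups,
    }


def _manifest(permissions) -> str:
    """Build a minimal AndroidManifest.xml string (constructed sample, not a real app)."""
    body = "".join('<uses-permission android:name="%s"/>' % p for p in permissions)
    return ('<manifest xmlns:android="%s" package="example.constructed">%s'
            '<application/></manifest>' % (ANDROID_NS, body))


# Constructed samples: one mirroring the article's list, one resembling a simple utility.
SPYWARE_LIKE_MANIFEST = _manifest(sorted(ARTICLE_PERMISSIONS))
UTILITY_MANIFEST = _manifest(["android.permission.INTERNET",
                              "android.permission.ACCESS_NETWORK_STATE"])

if __name__ == "__main__":
    for label, manifest in (("spyware-like", SPYWARE_LIKE_MANIFEST),
                            ("utility", UTILITY_MANIFEST)):
        print(label, assess_manifest(manifest))
```

On a real APK the manifest is binary XML and must first be decoded (for example with aapt or apktool) before being fed to assess_manifest; the scoring logic itself does not change. The overlap count is deliberately kept separate from the profile flag: many legitimate apps request network state or storage, so only the combination of capability groups is treated as a signal.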
After obtaining the permissions, the icon disappears
It is not clear whether the malicious software abuses the Android accessibility service to grant itself the permissions or tricks the user into approving the request. After obtaining the permissions, the spyware removes its icon and runs in the background, with only a persistent notification indicating its presence.
This aspect is rather strange for spyware, which would usually try to stay hidden from the victim, especially if it is the work of a sophisticated advanced persistent threat (APT) group.
The information collected from the device, including lists, records, SMS messages, audio recordings and event notifications, is sent in JSON format to the command and control server at 82.146.35[.]240.
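The published command and control address is the one indicator on this page a defender can act on directly. As an added example (not code from Lab52 or the article), the following Python snippet refangs the defanged indicator as printed above and matches it against outbound connection records. The log lines are constructed samples in a simple key=value format, not real telemetry, and the format is this example's assumption; the point it demonstrates is exact matching of the destination, so that a neighbouring address such as 82.146.35.24 is not reported.

```python
import re

# The indicator as published in the article, in defanged form.
C2_DEFANGED = "82.146.35 [.] 240"


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("1.2.3 [.] 4", "1.2.3[.]4") back into a usable address."""
    return re.sub(r"\s*\[\.\]\s*", ".", indicator.strip())


C2_IP = refang(C2_DEFANGED)

# Constructed outbound connection records (not real logs). The third line is a
# deliberate near-miss: a different host on the same /24.
SAMPLE_LOGS = """\
2022-04-01T10:02:13Z src=10.0.0.23 dst=82.146.35.240 dport=80 proto=tcp bytes=4821
2022-04-01T10:02:20Z src=10.0.0.23 dst=142.250.74.46 dport=443 proto=tcp bytes=1200
2022-04-01T10:05:01Z src=10.0.0.45 dst=82.146.35.24 dport=80 proto=tcp bytes=300
2022-04-01T10:07:44Z src=10.0.0.23 dst=82.146.35.240 dport=443 proto=tcp bytes=9031
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)


def find_c2_contacts(log_text: str, c2_ip: str = C2_IP) -> list:
    """Return every record whose destination is exactly the C2 address."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        # Compare the whole field, not a prefix, so 82.146.35.24 does not match 82.146.35.240.
        if m and m["dst"] == c2_ip:
            hits.append({"ts": m["ts"], "src": m["src"], "dport": int(m["dport"])})
    return hits


if __name__ == "__main__":
    for hit in find_c2_contacts(SAMPLE_LOGS):
        print("possible Process Manager C2 contact:", hit)
```

In practice the refanged address would be loaded into a firewall, proxy or EDR block/alert list rather than grepped by hand, and any device that produced a hit should be treated as a candidate for the spyware's other artefacts (the persistent notification and the gear-icon app described above).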
The method of distribution of the application itself is unknown, but if it really is Turla, the group usually relies on social engineering, phishing and similar attacks, so any distribution method is possible.
These permissions pose a serious privacy risk, as they allow the malware to obtain the device's location, send and read text messages, access storage, take photos with the camera and record audio.
While researching the application, the Lab52 team also discovered that it downloads additional payloads to the device, and found a case of an application downloaded directly from the Google Play Store.
NAME OF THE APP
The app is called “Roz Dhan: Make Money in Your Wallet”, is very popular with 10,000,000 downloads, and contains a referral system for earning money.
The spyware allegedly downloads the Android package (APK) through the application's referral system, probably to earn a commission, which is somewhat strange considering that the hacker group is focused on cyber espionage. However, such tactics can help provide cover and confuse analysts.