CATEGORIES
home News

Insidious Android Malware With Russian Ties Eavesdrops On Your Audio, Location And More

by Nathan OrdSunday, April 03, 2022, 12:15 PM EDT
russian android spyware discovered stealing data
On April 1st, security researchers discovered a new Android-based spyware contacting infrastructure owned by a Russian-based threat group called Turla. Once installed, this malware can lurk on a device, collecting information and audio recordings while making money for Turla in a rather peculiar way.

The malware, sneakily called “Process Manager” on Android devices, appears as a gear-shaped icon not dissimilar to the settings icon in default flavors of Android. Then, a warning about app permissions is displayed to the user when the app is run, outlining screen lock permissions, storage encryption, and disabling of cameras. After the user accepts these, the icon is hidden, and the app runs in the background. However, this “warning” does not give the full extent of permissions that the app receives, which you can see below.

permissions russian android spyware discovered stealing data

In any event, the Lab52 researchers found that the malicious app first creates a notification channel for “Battery Level Services,” followed by an intent to configure the device with administration permissions. Once the application is configured, functions of the app named after the alphabet are executed to steal information from the device and add it to a JSON file. This data collection includes phone calls, contacts, all device files, location, audio recordings, text messages and other items which, once collected, are shipped off to the command-and-control server identified as being owned by Turla.

sneaky russian android spyware discovered stealing data

Beyond this, the application also tried to download an application called Roz Dhan using a Google-shortened link. While the legitimacy of this app is questionable, it seems that malware abuses it to make money as it has a referral system that likely works when someone downloads the app using a special referral link.

rozdhan russian android spyware discovered stealing data

All told, this is an interesting development, but it is not particularly surprising considering Turla is known for using homemade malware for its operations, as reported by MITRE in our research. However, the Lab52 team does not seem to think that attribution to Turla is possible “given its threat capabilities,” though underestimating threat actors is a dangerous game. Either way, this is a rather interesting piece of malware, so let us know what you think in the comments below.

(App and permissions photos courtesy of Lab52)
Tags:  Android, Malware, security, Russia, cybersecurity
TOP CONVERSATIONS
Your Next PC Platform?
More Results
KEEP INFORMED
SITE

Home

Reviews

News

Blogs

Full Site

Sitemap

CATEGORIES

PC Components

Systems

Mobile

IT Infrastructure

Leisure

Videos

COMPANY

About

Advertise

News Tips

Contact

HotTech

Reprints/Permissions

MORE

Shop

STAY CONNECTED

Twitter

Facebook

YouTube

RSS

As an Amazon and Howl Technologies Associate, HotHardware earns a commission from qualifying purchases made on this site. This site is intended for informational and entertainment purposes only. The contents are the views and opinion of the author and/or his associates. All products and trademarks are the property of their respective owners. Reproduction in whole or in part, in any form or medium, without express written permission of Hot Hardware, Inc. is prohibited. All content and graphical elements are Copyright © 1999 - 2023 David Altavilla and Hot Hardware, Inc.
All rights reserved. Privacy and Terms - Accessibility Commitment